Edit tour

Windows Analysis Report
Payslip_October_2024.pdf.exe

Overview

General Information

Sample name:	Payslip_October_2024.pdf.exe
Analysis ID:	1546724
MD5:	098efb8818e822cb79893620a8db1cd0
SHA1:	3d8adf42847ecaddf9865c4460f61e210a6a267f
SHA256:	a674d532150b92874dc954bb8349b6e66a006f1f7dd9381f751237cc98d38dc2
Tags:	AgentTeslaexeuser-threatcat_ch
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Yara detected AgentTesla

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Connects to many ports of the same IP (likely port scanning)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Payslip_October_2024.pdf.exe (PID: 6352 cmdline: "C:\Users\user\Desktop\Payslip_October_2024.pdf.exe" MD5: 098EFB8818E822CB79893620A8DB1CD0)

RegSvcs.exe (PID: 7548 cmdline: "C:\Users\user\Desktop\Payslip_October_2024.pdf.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

sgxIb.exe (PID: 7748 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sgxIb.exe (PID: 7932 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.2497169089.0000000003091000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2497169089.0000000003091000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.2497169089.00000000030BC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.2494522964.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2494522964.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7548	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7548	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34f7c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34fee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35078:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3510a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35174:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x351e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3527c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3530c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32170:$s2: GetPrivateProfileString 0x317fa:$s3: get_OSFullName 0x32f6b:$s5: remove_Key 0x33157:$s5: remove_Key 0x34075:$s6: FtpWebRequest 0x34f5e:$s7: logins 0x354d0:$s7: logins 0x38227:$s7: logins 0x38293:$s7: logins 0x39d12:$s7: logins 0x38e2d:$s9: 1.85 (Hash, version 2, native byte-order)

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Payslip_October_2024.pdf.exe", CommandLine: "C:\Users\user\Desktop\Payslip_October_2024.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Payslip_October_2024.pdf.exe, NewProcessName: C:\Users\user\Desktop\Payslip_October_2024.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Payslip_October_2024.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Users\user\Desktop\Payslip_October_2024.pdf.exe", ProcessId: 6352, ProcessName: Payslip_October_2024.pdf.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7548, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sgxIb

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T14:35:24.051829+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.7	49741	TCP
2024-11-01T14:35:45.466037+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.7	52659	TCP
2024-11-01T14:35:46.941600+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.7	52669	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Payslip_October_2024.pdf.exe

Avira: detected

Found malware configuration

Source: 11.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}

Multi AV Scanner detection for submitted file

Source: Payslip_October_2024.pdf.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Payslip_October_2024.pdf.exe

Joe Sandbox ML: detected

Source: Payslip_October_2024.pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:52711 version: TLS 1.2

Source:	Binary string: RegSvcs.pdb, source: sgxIb.exe, 0000000C.00000000.1829557659.0000000000212000.00000002.00000001.01000000.00000006.sdmp, sgxIb.exe.11.dr
Source:	Binary string: RegSvcs.pdb source: sgxIb.exe, 0000000C.00000000.1829557659.0000000000212000.00000002.00000001.01000000.00000006.sdmp, sgxIb.exe.11.dr

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 110.4.45.197 ports 1,2,56562,53313,56795,21

Source: global traffic

TCP traffic: 192.168.2.7:52739 -> 110.4.45.197:56795

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 110.4.45.197 110.4.45.197

Source: Joe Sandbox View

ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY EXABYTES-AS-APExaBytesNetworkSdnBhdMY

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.7:49741
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.7:52659
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.7:52669

Source: unknown

FTP traffic detected: 110.4.45.197:21 -> 192.168.2.7:52722 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:35. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:35. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:35. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:35. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ftp.haliza.com.my

Source: RegSvcs.exe, 0000000B.00000002.2497169089.000000000312E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2497169089.00000000030BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.haliza.com.my
Source: RegSvcs.exe, 0000000B.00000002.2497169089.0000000003041000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000B.00000002.2494522964.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 0000000B.00000002.2497169089.0000000003041000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2494522964.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 0000000B.00000002.2497169089.0000000003041000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 0000000B.00000002.2497169089.0000000003041000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 52711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52711

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:52711 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: Payslip_October_2024.pdf.exe, 00000000.00000000.1247280441.0000000000882000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3b54aa9a-7
Source: Payslip_October_2024.pdf.exe, 00000000.00000000.1247280441.0000000000882000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b14c2a57-0
Source: Payslip_October_2024.pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b722361e-8
Source: Payslip_October_2024.pdf.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_fc01259f-0

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payslip_October_2024.pdf.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02ED4A68	11_2_02ED4A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02EDE915	11_2_02EDE915
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02ED3E50	11_2_02ED3E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02EDAD90	11_2_02EDAD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02ED4198	11_2_02ED4198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0696C4AC	11_2_0696C4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06963924	11_2_06963924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06966037	11_2_06966037
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06965343	11_2_06965343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06965348	11_2_06965348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06961C68	11_2_06961C68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06963918	11_2_06963918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_069856B0	11_2_069856B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06986708	11_2_06986708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06983580	11_2_06983580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06987E98	11_2_06987E98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_069877B8	11_2_069877B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0698E4D0	11_2_0698E4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06980040	11_2_06980040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06985DFF	11_2_06985DFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0698003F	11_2_0698003F

Source: Payslip_October_2024.pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/5@3/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\sgxIb

Jump to behavior

Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03

Source: C:\Users\user\Desktop\Payslip_October_2024.pdf.exe

File created: C:\Users\user~1\AppData\Local\Temp\buncal

Jump to behavior

Source: Payslip_October_2024.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payslip_October_2024.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payslip_October_2024.pdf.exe

ReversingLabs: Detection: 57%

Source: unknown	Process created: C:\Users\user\Desktop\Payslip_October_2024.pdf.exe "C:\Users\user\Desktop\Payslip_October_2024.pdf.exe"
Source: C:\Users\user\Desktop\Payslip_October_2024.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Payslip_October_2024.pdf.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\Payslip_October_2024.pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payslip_October_2024.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payslip_October_2024.pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payslip_October_2024.pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payslip_October_2024.pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payslip_October_2024.pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payslip_October_2024.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payslip_October_2024.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payslip_October_2024.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Payslip_October_2024.pdf.exe

Static file information: File size 1409024 > 1048576

Source: Payslip_October_2024.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Payslip_October_2024.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Payslip_October_2024.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Payslip_October_2024.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Payslip_October_2024.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Payslip_October_2024.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Payslip_October_2024.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RegSvcs.pdb, source: sgxIb.exe, 0000000C.00000000.1829557659.0000000000212000.00000002.00000001.01000000.00000006.sdmp, sgxIb.exe.11.dr
Source:	Binary string: RegSvcs.pdb source: sgxIb.exe, 0000000C.00000000.1829557659.0000000000212000.00000002.00000001.01000000.00000006.sdmp, sgxIb.exe.11.dr

Source: Payslip_October_2024.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Payslip_October_2024.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Payslip_October_2024.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Payslip_October_2024.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Payslip_October_2024.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02ED0C6D push edi; retf		11_2_02ED0C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02ED0C45 push ebx; retf		11_2_02ED0C52

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sgxIb			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sgxIb			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe:Zone.Identifier read attributes | delete

Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: Payslip_October_2024.pdf.exe

Source: C:\Users\user\Desktop\Payslip_October_2024.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Payslip_October_2024.pdf.exe

API/Special instruction interceptor: Address: 132B38C

Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 2330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 2510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 2330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 2A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: DC0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598779	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598451	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597151	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596927	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594691	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594570	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2809			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7032			Jump to behavior

Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7808	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7988	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598779	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598451	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597151	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596927	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594691	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594570	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 0000000B.00000002.2500067814.000000000639A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: Payslip_October_2024.pdf.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegSvcs.exe, 0000000B.00000002.2497169089.0000000003148000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR
Source: RegSvcs.exe, 0000000B.00000002.2497169089.0000000003148000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 0000000B.00000002.2497169089.0000000003148000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q9<b>[ Program Manager]</b> (01/11/2024 23:20:03)<br>{Win}rTH
Source: RegSvcs.exe, 0000000B.00000002.2497169089.0000000003148000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q3<b>[ Program Manager]</b> (01/11/2024 23:20:03)<br>
Source: RegSvcs.exe, 0000000B.00000002.2497169089.0000000003148000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q8<b>[ Program Manager]</b> (01/11/2024 23:20:03)<br>{Win}TH

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2497169089.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2497169089.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2494522964.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7548, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2497169089.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2494522964.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7548, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2497169089.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2497169089.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2494522964.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7548, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	2 Process Injection	11 Obfuscated Files or Information	11 Input Capture	124 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Credentials in Registry	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	11 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	141 Virtualization/Sandbox Evasion	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Hidden Files and Directories	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Payslip_October_2024.pdf.exe	58%	ReversingLabs	Win32.Trojan.AutoitInject
Payslip_October_2024.pdf.exe	100%	Avira	DR/AutoIt.Gen8
Payslip_October_2024.pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.ipify.org	104.26.12.205	true	false	unknown
ftp.haliza.com.my	110.4.45.197	true	true	unknown
241.42.69.40.in-addr.arpa	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	RegSvcs.exe, 0000000B.00000002.2497169089.0000000003041000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2494522964.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	RegSvcs.exe, 0000000B.00000002.2494522964.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ftp.haliza.com.my	RegSvcs.exe, 0000000B.00000002.2497169089.000000000312E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2497169089.00000000030BC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.ipify.org/t	RegSvcs.exe, 0000000B.00000002.2497169089.0000000003041000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 0000000B.00000002.2497169089.0000000003041000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
110.4.45.197	ftp.haliza.com.my	Malaysia		46015	EXABYTES-AS-APExaBytesNetworkSdnBhdMY	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546724
Start date and time:	2024-11-01 14:34:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payslip_October_2024.pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/5@3/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 101 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target sgxIb.exe, PID 7748 because it is empty
Execution Graph export aborted for target sgxIb.exe, PID 7932 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Payslip_October_2024.pdf.exe

Simulations

Behavior and APIs

Time	Type	Description
10:45:34	API Interceptor	192927x Sleep call for process: RegSvcs.exe modified
15:45:35	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sgxIb C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
15:45:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sgxIb C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
110.4.45.197	rMT103_126021720924.exe	Get hash	malicious	AgentTesla	Browse
	z1Transaction_ID_REF2418_cmd.bat	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	z20SWIFT_MT103_Payment_552016_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Order Specifications for Materials.docx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	z14Employee_Contract_pdf.exe	Get hash	malicious	AgentTesla	Browse
	Order Specifications for Materials.docx.exe	Get hash	malicious	AgentTesla	Browse
	DHL_Shipment_Details_8th_October.pdf.exe	Get hash	malicious	AgentTesla	Browse
	z92BankPayment38_735.exe	Get hash	malicious	AgentTesla	Browse
	Bank Payment $38,735.exe	Get hash	malicious	AgentTesla	Browse
	rQuotation3200025006.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	ae713827-e32c-f66b-fbdb-5405db450711.eml	Get hash	malicious	Unknown	Browse	104.26.13.205
	kill.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	rMT103_126021720924.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	u9aPQQIwhj.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	Shipping documents 000293994900.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	Proforma Invoice.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	#Uad6c#Ub9e4 #Uc8fc#Ubb38 658749 #Ubc0f 658752..exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
ftp.haliza.com.my	rMT103_126021720924.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	z1Transaction_ID_REF2418_cmd.bat	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	110.4.45.197
	z20SWIFT_MT103_Payment_552016_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	110.4.45.197
	Order Specifications for Materials.docx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	110.4.45.197
	z14Employee_Contract_pdf.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	Order Specifications for Materials.docx.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	DHL_Shipment_Details_8th_October.pdf.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	z92BankPayment38_735.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	Bank Payment $38,735.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	rQuotation3200025006.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://u7990385.ct.sendgrid.net/ls/click?upn=u001.oZ6GXC16Ztdw1ob-2F3C5yow-2FsK2YC4S8s269h9OLgp-2FGcQesCtXDXKgCEAF90Sa3OUL2ncGoAKstQjRhddelr-2Bx3frrehyL8aaBbhAx-2Fm3uQTToUZwzw9vU-2BHl4N8-2FbXNrXNM8F2aafYGXvb9twEoQeHC7ZwjccAi1SjLazzmL714x6k-2BjB-2FYwt496nNWzarkpA5xghtVvgqYssmknAftbQJOVkiDX5sql0puMOlG6Ca2eid008YPu-2FJJAayp-2BNXls84A_lhEpvcamcm95WhC017PRgRonrgi5omZ3brQwNa5yLk0xxDl3uLY9zV0ZhBwsp9AfIBgWj8srFe156S5Zns8ZjIc0B22GBm-2FhZ3msRvLKzUyGIuCFlA1E-2FK-2F4jc3IgU8qM5k5KxMmIwIRDSCQDvTZvmwB5zeTeqWWEJR7CvWSpeaqIj3hj5IgcRcoPBdptLYrUK3YLUsGuU0Nn50M3ArOROvseGYqZul0QkeqtDR41-2FsPFt-2Bw0YWW2P5gsCDH4XINxncIhICPIqlacC1ih-2B-2BRAhsouCrf5nolEyzWx0VnR2OrLuGwvR4-2BmBTgXGq5SQJ3CbNvM-2FaB5BLerpFqmqjPC-2FBlK6th1iVrhfmtBEFKLash-2FnkPpQ9qFxGwWTexJMh100AS4PilK2-2BJDfvjssuxk2jP-2BTagNOazV2F1Jk9Mugr3y7E9SivEGWyUbzdMThmnpVydb1qOFwMiocztErv1WWaB8B20Oa2SLt-2BLBsMdusfLwd3NNzPre6el-2F-2BIwBxDAqBb9JLV6vOLzfaD2L4-2BEuPbgzcrscVtaCNyARGoPUKi03imhTbJEcig8L4weEiABND5vwKtA-2FhKo5AjxecXMO22Vq7Og2y7v-2BJNgFB9rr-2Bm4W45XZxFP39Dqi18SUPOKX4pHFrdACciPinuj2QtBtIGNjV46-2Bve9hu0g1-2FpG1tOVv9Ebn32k-2Bl6CF6b6jzS3aTQvZkWKNIwLx5CoGs9uomn9yZPi6QaiSTeQkZ1uHupSYpVxbBCb-2FUyo6kMlbB0P27ShEzUFVY-2FpfPcfFofTKD4p7rklaM-2FIuG8-2F3ytR7SJ7I8GmSP8NTWs4vu3NTpV5MkgHfjeFoK-2BDQh6M7S2ys2qIf8m3qiLtFMHY6p7m4ep8JZqbC0axloFSX-2Fzbz51ZW-2BsyQEEbRqwx0S1i4lo9NhRXrfXOvn0A83bBDk31g9QfoWTGhHCjSEfuca9KJwe0GCABYAuqYeYHMc5qXhPv86r0l0ldRpwe39V9LJ5m6Go-3D	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://hotmail.cdisaomiguel.com.br	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	https://tas-pe.com/ahowe@europait.net#ahowe@europait.net	Get hash	malicious	HTMLPhisher	Browse	172.67.72.186
	https://cbb8e45a.9a6a27135394413fbc39df5b.workers.dev	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=sf_rand_string_mixed(5)FgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fir.nbaikp3.sa.com%2Fdelaw%2Flawn%2Fkoo%2Fsf_rand_string_mixed(24)/bill.wafford@qurateretail.com	Get hash	malicious	HTMLPhisher	Browse	104.21.8.81
	ae713827-e32c-f66b-fbdb-5405db450711.eml	Get hash	malicious	Unknown	Browse	104.16.103.112
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	http://mailsystem.clubreadymail.com/ls/click?upn=u001.dtlwkBC06DNvwxOIDozee7JfaEFoikK29eANg7C1JNJcXhZ5gVX-2FXngetD1DVBofJAdCxJYPz79KkHjQ4a88CWk3uwk0LHTd-2BQuqz7QlX5FT8W9oRLmLCtzSTX4k0IZqtxXd_tqQENWc9xFqnCCp3iHBun6Ny8Hr4S4LXflP5eWCRCPqMvoWfGV9u-2FwKqzOzsMAx2mMZTD10t6F-2Fa-2BzGZBzV05lc-2BTr9aqg9-2BqytIbVadpFenaHQ0v-2BIdTTiMe-2F-2BfHHsBDK3wAuPgwhtkcw4b5gAaeO6jGph7EzccXK6qZ9q3RXZcEXV8nVUtJyrcSCDmB-2Bn3qJnRr0-2BMlZvtkB3QnuJkj-2BigNgcTK7oh9PPlXl-2FakX6q-2BsTqF4DIEpeEYAXLd3sT	Get hash	malicious	Unknown	Browse	104.16.123.96
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	162.159.134.233
EXABYTES-AS-APExaBytesNetworkSdnBhdMY	rMT103_126021720924.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	z1Transaction_ID_REF2418_cmd.bat	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	110.4.45.197
	z20SWIFT_MT103_Payment_552016_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	110.4.45.197
	Order Specifications for Materials.docx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	110.4.45.197
	z14Employee_Contract_pdf.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	Order Specifications for Materials.docx.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	na.elf	Get hash	malicious	Mirai	Browse	203.142.6.25
	05NN8zSK04.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	103.6.198.178
	file.exe	Get hash	malicious	Clipboard Hijacker, Stealc, Vidar	Browse	103.6.198.219
	DHL_Shipment_Details_8th_October.pdf.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Gu#U00eda de carga de DHL_pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.26.12.205
	SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	file.exe	Get hash	malicious	WhiteSnake Stealer	Browse	104.26.12.205
	Savyi.js	Get hash	malicious	Unknown	Browse	104.26.12.205
	ciuNW.js	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://send-space.s3.eu-north-1.amazonaws.com/de.html	Get hash	malicious	Unknown	Browse	104.26.12.205
	SecuriteInfo.com.Trojan.Inject4.56087.24588.10142.exe	Get hash	malicious	Xmrig	Browse	104.26.12.205
	2Lzx7LMDWV.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	Quotation Document.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	Unknown	Browse	104.26.12.205

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Massive.exe	Get hash	malicious	AgentTesla	Browse
	z20SWIFT_MT103_Payment_552016_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Order Specifications for Materials.docx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	9348000 EDT8 EDQ-905.pdf.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	New_Order_568330_Material_Specifications.exe	Get hash	malicious	AgentTesla, MassLogger RAT, Phoenix Stealer, RedLine, SugarDump, XWorm	Browse
	Dokument_2024-10-24_135211.exe	Get hash	malicious	XWorm	Browse
	z14Employee_Contract_pdf.exe	Get hash	malicious	AgentTesla	Browse
	purchase order.exe	Get hash	malicious	XWorm	Browse
	M.BL CSLEBKK2311030B.exe	Get hash	malicious	AgentTesla	Browse
	PO #89230.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sgxIb.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\buncal

Download File

Process:	C:\Users\user\Desktop\Payslip_October_2024.pdf.exe
File Type:	data
Category:	modified
Size (bytes):	247808
Entropy (8bit):	6.688645964532768
Encrypted:	false
SSDEEP:	6144:Fxr6iPujRodi/PYsRZrbDbhPU6IrMcQsJEr:r6iPOIHsRdbDb2Brdm
MD5:	C7C18DC0F391B34ECE4987A63A031A08
SHA1:	CD76B007375F6EBA456A2E73961DB94EACD5FE8B
SHA-256:	BA4278FDEEE89C2F5D094040F81B6EFB5369442CD493ED7ADC4C4F490FFA6895
SHA-512:	898565AFA3EDCAB3E139A91AE8EC40E931615FBA96132746AE8656A9A8B223E9FD3E2650489493BF121EA6436D1E3BF96B00ED8E0C2B86C557A2BC5281465BDF
Malicious:	false
Reputation:	low
Preview:	.c.O3NQQ^9VG.ZE.M6U98O0.QQZ9VG6IZEHM6U98O0NQQZ9VG6IZEHM6U98.0NQ_E.XG.@.d.Lz..l'Y=q!(V15W$z&)#X:M.-Un#$4.?)....h Y1\.B=DuQZ9VG6I..HMzT:8p:&7QZ9VG6IZ.HO7^83O0.RQZ1VG6IZEv.5U9.O0N.RZ9V.6IzEHM4U9<O0NQQZ9RG6IZEHM6u=8O2NQQZ9VE6..EH]6U)8O0NAQZ)VG6IZEXM6U98O0NQQZ.D6.ZEHM.V9~J0NQQZ9VG6IZEHM6U98O0JQ]Z9VG6IZEHM6U98O0NQQZ9VG6IZEHM6U98O0NQQZ9VG6IZEHM6U98o0NYQZ9VG6IZEHM>u98.0NQQZ9VG6IZk<(N!98Ot.RQZ.VG6.YEHO6U98O0NQQZ9VG6iZE(cD&K[O0N.TZ9V.5IZCHM6.:8O0NQQZ9VG6IZ.HMv{K]#_-QQV9VG6I^EHO6U9.L0NQQZ9VG6IZEH.6U{8O0NQQZ9VG6IZEHM..:8O0NQ.Z9VE6LZ..O6a.9O3NQQ[9VA6IZEHM6U98O0NQQZ9VG6IZEHM6U98O0NQQZ9VG6IZEHM6U98R...qh.KwP'O...^.L..B..@..9.O.3Y..r~B......#A..Z.G}...1....$.1S>7.....52IAX.&~UX.Z....ulB.r.I^.+..(u.'\a.d....l...UM........Y8.Y?@"4..X0&D .G.L6U98........N..hKB(a+@....n+.....6M6U]8O0<QQZXVG6.ZEH"6U9VO0N/QZ9(G6I.EHMvU98x0NQtZ9V*6IZaHM6+98O.3^^...E.EHM6U.....<........~<.+bZw.5.r..3..J .A.u...@.1u.Pd"\f..1T?<J2IURV.X...dJI2P;?K3Bl_.....\|.t...I..+.EVG6IZE.M6.98O..Q.Z9V.6.Z..M6U..O.N.Q..G

C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Massive.exe, Detection: malicious, Browse Filename: z20SWIFT_MT103_Payment_552016_pdf.exe, Detection: malicious, Browse Filename: Order Specifications for Materials.docx.exe, Detection: malicious, Browse Filename: 9348000 EDT8 EDQ-905.pdf.exe, Detection: malicious, Browse Filename: New_Order_568330_Material_Specifications.exe, Detection: malicious, Browse Filename: Dokument_2024-10-24_135211.exe, Detection: malicious, Browse Filename: z14Employee_Contract_pdf.exe, Detection: malicious, Browse Filename: purchase order.exe, Detection: malicious, Browse Filename: M.BL CSLEBKK2311030B.exe, Detection: malicious, Browse Filename: PO #89230.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.284926599808178
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payslip_October_2024.pdf.exe
File size:	1'409'024 bytes
MD5:	098efb8818e822cb79893620a8db1cd0
SHA1:	3d8adf42847ecaddf9865c4460f61e210a6a267f
SHA256:	a674d532150b92874dc954bb8349b6e66a006f1f7dd9381f751237cc98d38dc2
SHA512:	122f9c2951c10d2c7edbca02db71dd5b1095c9f064018d2252657e2235614134d01bfba69a130971cde922d3b39f9a693173f8b0e5e02d45d4057c92c352d969
SSDEEP:	24576:LqDEvCTbMWu7rQYlBQcBiT6rprG8aaNE8GbvRgE8Js8RBAVcqDp:LTvC/MTQYxsWR7aaNyRghi8sV
TLSH:	2F65D0027391C062FF9B92334F5AF6514ABC7A660123B61F13A81D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6723676F [Thu Oct 31 11:18:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FCF3D331083h
jmp 00007FCF3D33098Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FCF3D330B6Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FCF3D330B3Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FCF3D33372Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FCF3D333778h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FCF3D333761h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x81470	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x156000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x81470	0x81600	ad75d7d6313a81b7012261eeb35da91a	False	0.9503868508454106	data	7.941236105394739	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x156000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xd9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xda148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xda6dc	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdad68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdb7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdbe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc410	0x78b08	data			1.00032568413898
RT_GROUP_ICON	0x154f18	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x154f90	0x14	data	English	Great Britain	1.15
RT_VERSION	0x154fa4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x155080	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T14:35:24.051829+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.7	49741	TCP
2024-11-01T14:35:45.466037+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.7	52659	TCP
2024-11-01T14:35:46.941600+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.7	52669	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 14:35:53.138907909 CET	52711	443	192.168.2.7	104.26.12.205
Nov 1, 2024 14:35:53.138953924 CET	443	52711	104.26.12.205	192.168.2.7
Nov 1, 2024 14:35:53.139102936 CET	52711	443	192.168.2.7	104.26.12.205
Nov 1, 2024 14:35:53.150716066 CET	52711	443	192.168.2.7	104.26.12.205
Nov 1, 2024 14:35:53.150754929 CET	443	52711	104.26.12.205	192.168.2.7
Nov 1, 2024 14:35:53.771029949 CET	443	52711	104.26.12.205	192.168.2.7
Nov 1, 2024 14:35:53.771126032 CET	52711	443	192.168.2.7	104.26.12.205
Nov 1, 2024 14:35:53.773005009 CET	52711	443	192.168.2.7	104.26.12.205
Nov 1, 2024 14:35:53.773015022 CET	443	52711	104.26.12.205	192.168.2.7
Nov 1, 2024 14:35:53.773268938 CET	443	52711	104.26.12.205	192.168.2.7
Nov 1, 2024 14:35:53.815798998 CET	52711	443	192.168.2.7	104.26.12.205
Nov 1, 2024 14:35:53.826056004 CET	52711	443	192.168.2.7	104.26.12.205
Nov 1, 2024 14:35:53.871324062 CET	443	52711	104.26.12.205	192.168.2.7
Nov 1, 2024 14:35:53.996181011 CET	443	52711	104.26.12.205	192.168.2.7
Nov 1, 2024 14:35:53.996267080 CET	443	52711	104.26.12.205	192.168.2.7
Nov 1, 2024 14:35:53.996357918 CET	52711	443	192.168.2.7	104.26.12.205
Nov 1, 2024 14:35:54.002499104 CET	52711	443	192.168.2.7	104.26.12.205
Nov 1, 2024 14:35:54.808423996 CET	52721	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:54.816014051 CET	21	52721	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:54.816085100 CET	52721	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:54.822882891 CET	52721	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:54.828915119 CET	21	52721	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:54.831105947 CET	52721	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:54.849984884 CET	52722	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:54.855227947 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:54.855551958 CET	52722	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:55.795501947 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:55.799395084 CET	52722	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:55.809097052 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:56.164942980 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:56.165081024 CET	52722	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:56.170015097 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:56.540608883 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:56.540750027 CET	52722	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:56.545821905 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:56.885194063 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:56.887203932 CET	52722	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:56.893676996 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:57.235086918 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:57.239813089 CET	52722	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:57.246642113 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:57.592338085 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:57.593094110 CET	52722	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:57.605645895 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:57.946265936 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:57.946836948 CET	52739	56795	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:57.951738119 CET	56795	52739	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:57.951822996 CET	52739	56795	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:57.951869011 CET	52722	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:57.956975937 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:58.892055988 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:58.892273903 CET	52739	56795	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:58.892349958 CET	52739	56795	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:58.897216082 CET	56795	52739	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:58.898149014 CET	56795	52739	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:58.898205042 CET	52739	56795	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:58.940849066 CET	52722	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:59.253014088 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:59.253554106 CET	52722	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:59.259005070 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:59.597810030 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:59.598344088 CET	52750	56562	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:59.603415966 CET	56562	52750	110.4.45.197	192.168.2.7
Nov 1, 2024 14:35:59.603494883 CET	52750	56562	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:59.603569031 CET	52722	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:35:59.608730078 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:36:00.541033983 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:36:00.541256905 CET	52750	56562	192.168.2.7	110.4.45.197
Nov 1, 2024 14:36:00.546787024 CET	56562	52750	110.4.45.197	192.168.2.7
Nov 1, 2024 14:36:00.546855927 CET	52750	56562	192.168.2.7	110.4.45.197
Nov 1, 2024 14:36:00.581496954 CET	52722	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:36:00.901818991 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:36:00.902148962 CET	52722	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:36:00.907463074 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:36:01.248248100 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:36:01.248698950 CET	52761	53313	192.168.2.7	110.4.45.197
Nov 1, 2024 14:36:01.253807068 CET	53313	52761	110.4.45.197	192.168.2.7
Nov 1, 2024 14:36:01.253882885 CET	52761	53313	192.168.2.7	110.4.45.197
Nov 1, 2024 14:36:01.253945112 CET	52722	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:36:01.259016037 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:36:02.184326887 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:36:02.184568882 CET	52761	53313	192.168.2.7	110.4.45.197
Nov 1, 2024 14:36:02.189631939 CET	53313	52761	110.4.45.197	192.168.2.7
Nov 1, 2024 14:36:02.190325022 CET	53313	52761	110.4.45.197	192.168.2.7
Nov 1, 2024 14:36:02.190375090 CET	52761	53313	192.168.2.7	110.4.45.197
Nov 1, 2024 14:36:02.237860918 CET	52722	21	192.168.2.7	110.4.45.197
Nov 1, 2024 14:36:02.531008005 CET	21	52722	110.4.45.197	192.168.2.7
Nov 1, 2024 14:36:02.581593037 CET	52722	21	192.168.2.7	110.4.45.197

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 14:35:26.354660988 CET	53	59650	1.1.1.1	192.168.2.7
Nov 1, 2024 14:35:40.041595936 CET	53	50231	162.159.36.2	192.168.2.7
Nov 1, 2024 14:35:40.865683079 CET	64156	53	192.168.2.7	1.1.1.1
Nov 1, 2024 14:35:40.873207092 CET	53	64156	1.1.1.1	192.168.2.7
Nov 1, 2024 14:35:53.119293928 CET	64781	53	192.168.2.7	1.1.1.1
Nov 1, 2024 14:35:53.126646996 CET	53	64781	1.1.1.1	192.168.2.7
Nov 1, 2024 14:35:54.550822020 CET	54029	53	192.168.2.7	1.1.1.1
Nov 1, 2024 14:35:54.807604074 CET	53	54029	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 14:35:40.865683079 CET	192.168.2.7	1.1.1.1	0x2a61	Standard query (0)	241.42.69.40.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Nov 1, 2024 14:35:53.119293928 CET	192.168.2.7	1.1.1.1	0xd5ac	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:35:54.550822020 CET	192.168.2.7	1.1.1.1	0xafe1	Standard query (0)	ftp.haliza.com.my	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 14:35:40.873207092 CET	1.1.1.1	192.168.2.7	0x2a61	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Nov 1, 2024 14:35:53.126646996 CET	1.1.1.1	192.168.2.7	0xd5ac	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:35:53.126646996 CET	1.1.1.1	192.168.2.7	0xd5ac	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:35:53.126646996 CET	1.1.1.1	192.168.2.7	0xd5ac	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:35:54.807604074 CET	1.1.1.1	192.168.2.7	0xafe1	No error (0)	ftp.haliza.com.my		110.4.45.197	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	52711	104.26.12.205	443	7548	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 13:35:53 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-01 13:35:53 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 13:35:53 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8dbc4549dc22cb75-DFW
2024-11-01 13:35:53 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 Data Ascii: 173.254.250.82

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 1, 2024 14:35:55.795501947 CET	21	52722	110.4.45.197	192.168.2.7	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:35. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:35. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:35. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 50 allowed.220-Local time is now 21:35. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Nov 1, 2024 14:35:55.799395084 CET	52722	21	192.168.2.7	110.4.45.197	USER origin@haliza.com.my
Nov 1, 2024 14:35:56.164942980 CET	21	52722	110.4.45.197	192.168.2.7	331 User origin@haliza.com.my OK. Password required
Nov 1, 2024 14:35:56.165081024 CET	52722	21	192.168.2.7	110.4.45.197	PASS JesusChrist007$
Nov 1, 2024 14:35:56.540608883 CET	21	52722	110.4.45.197	192.168.2.7	230 OK. Current restricted directory is /
Nov 1, 2024 14:35:56.885194063 CET	21	52722	110.4.45.197	192.168.2.7	504 Unknown command
Nov 1, 2024 14:35:56.887203932 CET	52722	21	192.168.2.7	110.4.45.197	PWD
Nov 1, 2024 14:35:57.235086918 CET	21	52722	110.4.45.197	192.168.2.7	257 "/" is your current location
Nov 1, 2024 14:35:57.239813089 CET	52722	21	192.168.2.7	110.4.45.197	TYPE I
Nov 1, 2024 14:35:57.592338085 CET	21	52722	110.4.45.197	192.168.2.7	200 TYPE is now 8-bit binary
Nov 1, 2024 14:35:57.593094110 CET	52722	21	192.168.2.7	110.4.45.197	PASV
Nov 1, 2024 14:35:57.946265936 CET	21	52722	110.4.45.197	192.168.2.7	227 Entering Passive Mode (110,4,45,197,221,219)
Nov 1, 2024 14:35:57.951869011 CET	52722	21	192.168.2.7	110.4.45.197	STOR CO_Chrome_Default.txt_user-818225_2024_11_01_11_05_34.txt
Nov 1, 2024 14:35:58.892055988 CET	21	52722	110.4.45.197	192.168.2.7	150 Accepted data connection
Nov 1, 2024 14:35:59.253014088 CET	21	52722	110.4.45.197	192.168.2.7	226-File successfully transferred 226-File successfully transferred226 0.361 seconds (measured here), 0.78 Kbytes per second
Nov 1, 2024 14:35:59.253554106 CET	52722	21	192.168.2.7	110.4.45.197	PASV
Nov 1, 2024 14:35:59.597810030 CET	21	52722	110.4.45.197	192.168.2.7	227 Entering Passive Mode (110,4,45,197,220,242)
Nov 1, 2024 14:35:59.603569031 CET	52722	21	192.168.2.7	110.4.45.197	STOR CO_Edge Chromium_Default.txt_user-818225_2024_11_01_17_24_05.txt
Nov 1, 2024 14:36:00.541033983 CET	21	52722	110.4.45.197	192.168.2.7	150 Accepted data connection
Nov 1, 2024 14:36:00.901818991 CET	21	52722	110.4.45.197	192.168.2.7	226 File successfully transferred
Nov 1, 2024 14:36:00.902148962 CET	52722	21	192.168.2.7	110.4.45.197	PASV
Nov 1, 2024 14:36:01.248248100 CET	21	52722	110.4.45.197	192.168.2.7	227 Entering Passive Mode (110,4,45,197,208,65)
Nov 1, 2024 14:36:01.253945112 CET	52722	21	192.168.2.7	110.4.45.197	STOR CO_Firefox_fu7wner3.default-release.txt_user-818225_2024_11_01_19_42_48.txt
Nov 1, 2024 14:36:02.184326887 CET	21	52722	110.4.45.197	192.168.2.7	150 Accepted data connection
Nov 1, 2024 14:36:02.531008005 CET	21	52722	110.4.45.197	192.168.2.7	226 File successfully transferred

Target ID:	0
Start time:	09:35:04
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\Payslip_October_2024.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payslip_October_2024.pdf.exe"
Imagebase:	0x7c0000
File size:	1'409'024 bytes
MD5 hash:	098EFB8818E822CB79893620A8DB1CD0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:45:32
Start date:	01/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payslip_October_2024.pdf.exe"
Imagebase:	0xc10000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2497169089.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2497169089.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2497169089.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2494522964.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2494522964.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	10:45:43
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Imagebase:	0x210000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:45:43
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:45:51
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Imagebase:	0x550000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:45:51
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.6%
Total number of Nodes:	154
Total number of Limit Nodes:	18

Executed Functions

Function 06983580 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 06983C7F
$q, xrefs: 06983CA3
$q, xrefs: 06983C62
$q, xrefs: 06983CAF
$q, xrefs: 06983C56
$q, xrefs: 06983C8B

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: ade2de8f767094662413a74dab5409e0e18dd10d26b7878562d015dbae210e8e
Instruction ID: dffbc4a7e4832a6953eedd08524db1132b014db12886107208ffb654c7c7f28d
Opcode Fuzzy Hash: ade2de8f767094662413a74dab5409e0e18dd10d26b7878562d015dbae210e8e
Instruction Fuzzy Hash: 48320E31E107198FDB14EFB5D85069DF7B6FF89300F2196AAD409AB214EB34AD85CB90

Function 06987E98 Relevance: 3.0, Strings: 2, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 0698843F
$q, xrefs: 06988433

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 12ef6c3b182d7852c9e24869fe88e81841b62b42b57dde4c22661a4dce10aa06
Instruction ID: 67267c1095114923da5b18b9d64c5cf3ba0fef37b582e8841241cc68aeab2e06
Opcode Fuzzy Hash: 12ef6c3b182d7852c9e24869fe88e81841b62b42b57dde4c22661a4dce10aa06
Instruction Fuzzy Hash: 4302AD30B002159FDB64EF78D990AAEBBE6FF84310F648529D415AB794DB35EC42CB90

Function 02EDE915 Relevance: 2.9, Strings: 2, Instructions: 413
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xq, xrefs: 02EDEB0F
$q, xrefs: 02EDEAF6

Memory Dump Source

Source File: 0000000B.00000002.2496921504.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2ed0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Xq$$q
API String ID: 0-855381642
Opcode ID: aaa281ef34242d4d4f2dbf5d921f4ee09dd44190cd30b30a0785d21b6410161e
Instruction ID: 4ece33de79abd473bfc7aa0438640d64032f4897d43db128f503d7b01adde2e8
Opcode Fuzzy Hash: aaa281ef34242d4d4f2dbf5d921f4ee09dd44190cd30b30a0785d21b6410161e
Instruction Fuzzy Hash: 24D1E430B452149FDB58AB789C5866E7BA3BFC9200B09956EE446DF398DE348C07C7A1

Function 02EDAD90 Relevance: 2.8, Instructions: 2830COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2496921504.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2ed0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 022f875297b67ca68c53a0747137df6f8aaad040886b83deb3594d560591dd6c
Instruction ID: a9bd058d680ae352ac2c0cc5a12f16046c90ec66e5694e0a3b5232742e4cdfd9
Opcode Fuzzy Hash: 022f875297b67ca68c53a0747137df6f8aaad040886b83deb3594d560591dd6c
Instruction Fuzzy Hash: 6953F931C10B1A8ADB51EF68C880699F7B1FF99300F15D79AE4587B121FB70AAD5CB81

Function 069856B0 Relevance: 1.8, Strings: 1, Instructions: 597COMMON

Download Yara Rule

Strings

$, xrefs: 06985A03

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 1be32f6b8cffdff91fc8fbcd5bbb3c17c4ec6a5e7493ce412618198696f5baed
Instruction ID: eb838a8c5d5b7b5894b9f12f1c9f7afb48da452e62bff2a2969b398fdb2e0115
Opcode Fuzzy Hash: 1be32f6b8cffdff91fc8fbcd5bbb3c17c4ec6a5e7493ce412618198696f5baed
Instruction Fuzzy Hash: 6022C471F002158FDFA4EB64C4807AEBBB6FF84320F26846AD856AB754DA35DC45CB90

Function 06986708 Relevance: .8, Instructions: 820COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d17df87fedbb21d4938af5a7ddfcd58c85744793f666e49e8a2ae0bd05ed5d
Instruction ID: f8c158eb3aa9f0f39c8a2b9942145432465fc900341b23088ae19608badbc675
Opcode Fuzzy Hash: c7d17df87fedbb21d4938af5a7ddfcd58c85744793f666e49e8a2ae0bd05ed5d
Instruction Fuzzy Hash: CB628C34A002049FDB64EBA8D994BADBBB6FB85310F248569D406EF754DB35ED42CB80

Function 0696C4AC Relevance: .6, Instructions: 650COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8654dec563e9e4e9f362e3e6434501214d3d86b583c57ba5e26bce4ada7dc6dc
Instruction ID: 19a8bf4de1f433c8407ead6f19d37a7fbd0eb9e12f80cff3c34b1d4b317bd273
Opcode Fuzzy Hash: 8654dec563e9e4e9f362e3e6434501214d3d86b583c57ba5e26bce4ada7dc6dc
Instruction Fuzzy Hash: 3942B238E04309CFDB94DFA9D584A9DB7B2FF88314F248528E405AB760DB35AC46CB91

Function 02ED4A68 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2496921504.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2ed0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277fcb33f09ddb2f7891beef59c1afe5c6f5798544d2b18facb9423434fd3021
Instruction ID: c84e644917294cab65a4bdd9723fc5aab9266c21723aae778d9b6469d0d6be46
Opcode Fuzzy Hash: 277fcb33f09ddb2f7891beef59c1afe5c6f5798544d2b18facb9423434fd3021
Instruction Fuzzy Hash: 89B18E70E407098FDB24CFA8C8957EDBBF2AF98318F14D529D415AB294EB749842CF81

Function 06963924 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a10a945a1b3d43bd400afd56126ab621eda262b5c8833624efdac7df50cbfcc
Instruction ID: b9273094fb470c2c5391c2de227a0328246e4c69f3b1a3d4166e657ae852fd24
Opcode Fuzzy Hash: 7a10a945a1b3d43bd400afd56126ab621eda262b5c8833624efdac7df50cbfcc
Instruction Fuzzy Hash: A1A17E74E003198FCB44DFA5D884ADDFBBAFF89300F648615E416AF2A4DB30A845CB91

Function 02ED3E50 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2496921504.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2ed0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c662978b83caa164b6964a42a7d9a0b109ab092b5fd02b40809943cc65d494ce
Instruction ID: 9e3f22606fc9239be6e41537f1be108bf5234076c10815101cc21c474604aa85
Opcode Fuzzy Hash: c662978b83caa164b6964a42a7d9a0b109ab092b5fd02b40809943cc65d494ce
Instruction Fuzzy Hash: 8A913C70E403099FDB24CFA9C9857DEBBF2AF88318F14D129E405A7294DB749846CF92

Function 06963918 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b06270ee054282fed84777bbf16a473e7555fd7a51e56d1302e4aeaee25cb512
Instruction ID: f321bfe1acab6b7192c71878f114d5710fbf132b6e1729309339558dbe2cc91c
Opcode Fuzzy Hash: b06270ee054282fed84777bbf16a473e7555fd7a51e56d1302e4aeaee25cb512
Instruction Fuzzy Hash: 47918C75E003199FCB05DFA5D8809DDFBBAFF89310B648615E416AF2A4DB30A845CB91

Function 06966037 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f76c69fd956db0487d3c112ffb79f09fca05c2f90788f98d1461da7f36da9f
Instruction ID: 3778157fc7d55eb99fb583c6463a61a561ad6edef3f3bc641c2a032adb1e3298
Opcode Fuzzy Hash: 00f76c69fd956db0487d3c112ffb79f09fca05c2f90788f98d1461da7f36da9f
Instruction Fuzzy Hash: 9B917C75E003198FCB05DFA5D8809DDFBBAFF89300B648615F516AF2A4DB30A981CB51

Function 0698ADE8 Relevance: 10.4, Strings: 8, Instructions: 391
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 0698AF15
$q, xrefs: 0698AFB4
$q, xrefs: 0698AF8B
$q, xrefs: 0698AF97
$q, xrefs: 0698AF09
$q, xrefs: 0698AFC0
$q, xrefs: 0698AF5C
$q, xrefs: 0698AF68

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-3886557441
Opcode ID: 3c5409ff9f2cb16b3366d61b9d646d426cae24bc58add37a75ece625b19b8eba
Instruction ID: 3b2926feaac3513e361cfc6e1f97c9490d0f83c6b750f7d511b19e60f00dc5bc
Opcode Fuzzy Hash: 3c5409ff9f2cb16b3366d61b9d646d426cae24bc58add37a75ece625b19b8eba
Instruction Fuzzy Hash: E2E17130E002198FDB64EF64D8806AEB7F6FF84300F24892AD415AB759DB35EC46CB91

Function 069699E1 Relevance: 6.1, APIs: 4, Instructions: 137
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06969A6E
GetCurrentThread.KERNEL32 ref: 06969AAB
GetCurrentProcess.KERNEL32 ref: 06969AE8
GetCurrentThreadId.KERNEL32 ref: 06969B41

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 18a4f7d26a369e3251d21c1ab541872ed85dd1bbc20e4b804d41cefbbfe6011f
Instruction ID: 75945fbf2e543b164a6cf3d901fb227880a08c8625b37d310a9b76ab295957d6
Opcode Fuzzy Hash: 18a4f7d26a369e3251d21c1ab541872ed85dd1bbc20e4b804d41cefbbfe6011f
Instruction Fuzzy Hash: 255186B0D0034ACFDB54DFAAD948B9EBBF1EF88314F248019E409AB2A0DB345945CF65

Function 069699F0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06969A6E
GetCurrentThread.KERNEL32 ref: 06969AAB
GetCurrentProcess.KERNEL32 ref: 06969AE8
GetCurrentThreadId.KERNEL32 ref: 06969B41

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f4ab496a0eb1f20321899b61bd987c553aa155a34e29f6be62b77ade72ae1bfc
Instruction ID: 66fd27d44514d39e34ccdc86e8808f44772e2cf385bd361b71557b60cec1130a
Opcode Fuzzy Hash: f4ab496a0eb1f20321899b61bd987c553aa155a34e29f6be62b77ade72ae1bfc
Instruction Fuzzy Hash: 7B5156B0D0030A8FDB54DFAAD948BAEBBF1EF88314F248419E419A7760D7345945CF65

Function 06989268 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 06989313
$q, xrefs: 069892D8
$q, xrefs: 0698931F
$q, xrefs: 069892E4

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 9f101b1d721534621d3c1bf014f9fdccd4140c812d7f8879579eeb2d7fa74c17
Instruction ID: 0062baf2f53d7d732d087ae1c623298a79918a18dfabea2222766d2008801602
Opcode Fuzzy Hash: 9f101b1d721534621d3c1bf014f9fdccd4140c812d7f8879579eeb2d7fa74c17
Instruction Fuzzy Hash: 62915B70F006199FDB64DB69D850BAEBBA6FFC8300F108569D819AB744EA74DD42CB90

Function 0698D070 Relevance: 4.6, Strings: 3, Instructions: 801
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 0698D467
$q, xrefs: 0698D47B
$q, xrefs: 0698D46F

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: $q$$q$$q
API String ID: 0-3067366958
Opcode ID: 7ac8e6c29bb2563637a8fcbb7dc38f2bdbafc8f16b9f8abfe530101101ee120b
Instruction ID: 30deac60c169c7e70ea517bcded6b1f1ec324bcd0a84bbde6e75402c0aca5ca6
Opcode Fuzzy Hash: 7ac8e6c29bb2563637a8fcbb7dc38f2bdbafc8f16b9f8abfe530101101ee120b
Instruction Fuzzy Hash: 46625D74A003168FDB65EF68D580A5EBBB2FF84314B248A68D0059F758DB35ED4ACB81

Function 06984C80 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Oq, xrefs: 06984E5B
XPq, xrefs: 06984DD1
fq, xrefs: 06984CAB

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: fq$XPq$\Oq
API String ID: 0-132346853
Opcode ID: ed6151183cb7336cf37e372bce96ba60d852cc6b848d338b162c8bc58ac3858a
Instruction ID: d0b26b2de1ae80e850f6af4e3c7db29a461e64218241bfdcb9685bc7c9efcb64
Opcode Fuzzy Hash: ed6151183cb7336cf37e372bce96ba60d852cc6b848d338b162c8bc58ac3858a
Instruction Fuzzy Hash: 90617270F002199FEB549FA8C854BAEBBF6FF88700F248529D106AB395DB754C45CB90

Function 0698A4C3 Relevance: 2.7, Strings: 2, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X!@, xrefs: 0698A537
x!@, xrefs: 0698A558

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: X!@$x!@
API String ID: 0-2527372166
Opcode ID: 425958bb6d6661c5b9a40d9df33332a5952837ae4bbec0100bf6aad33f3527b4
Instruction ID: 2ee5c05e7e217078ba5f71f7c0c81f1be91ad1872b203092e4133507a4b7c89d
Opcode Fuzzy Hash: 425958bb6d6661c5b9a40d9df33332a5952837ae4bbec0100bf6aad33f3527b4
Instruction Fuzzy Hash: 37819E31F002159FDB54EFA8E850AADB7B6FB88310F20856AE506EB754DB35DC46CB80

Function 0698925B Relevance: 2.7, Strings: 2, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 06989313
$q, xrefs: 069892D8

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 039c9a7cc3d90f572b23c49fd966c67b43aa6e7fbbd05b0e857a37fb1894043a
Instruction ID: 844610b5b25059b0c66b798867de69e3dec27e83a1ebb248d9d6607cf0229d77
Opcode Fuzzy Hash: 039c9a7cc3d90f572b23c49fd966c67b43aa6e7fbbd05b0e857a37fb1894043a
Instruction Fuzzy Hash: 98513E70B006159FDB64DB78E8A0B6E7BE6FBC8300F108569D819EB754EA34DC42CB91

Function 06984C71 Relevance: 2.6, Strings: 2, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPq, xrefs: 06984DD1
fq, xrefs: 06984CAB

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: fq$XPq
API String ID: 0-3167736908
Opcode ID: d197bd6375f111bfeaa95d20dcd895f33479ae2fdb7081bb07fd6eeaf89b2a67
Instruction ID: 59f3ba72772988464e939221149685d45ea7da71f26557b72c3098a7aca44cdd
Opcode Fuzzy Hash: d197bd6375f111bfeaa95d20dcd895f33479ae2fdb7081bb07fd6eeaf89b2a67
Instruction Fuzzy Hash: 0A516070F002199FEB549BA9C815BAEBBF6FFC8700F248529D105AF3A5DA758C01CB90

Function 02EDEE90 Relevance: 1.6, APIs: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2496921504.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2ed0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65aacf72db221398c1e3b1cd4379522b921773bc5fb0aab4698554dea26f047a
Instruction ID: 68c1a5024cfc1e53ada0a28693171e4cb88a6b293b7b85f91b906110d9495799
Opcode Fuzzy Hash: 65aacf72db221398c1e3b1cd4379522b921773bc5fb0aab4698554dea26f047a
Instruction Fuzzy Hash: EA412671D0035A9FCB14DF6AD80879EBBF1EF89310F14856AE509AB241DB749846CBD0

Function 06965D33 Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06965E4A

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f766a2e3aae80eeb1cb7525c2527a5cb18ff5ea899e03f7edf7ec660f887d424
Instruction ID: ab46b111d5467c4a678df753b5d2831aa06347f67155308fc09417d17659c2ac
Opcode Fuzzy Hash: f766a2e3aae80eeb1cb7525c2527a5cb18ff5ea899e03f7edf7ec660f887d424
Instruction Fuzzy Hash: C551CFB1D00309AFDF15CF9AC884ADEBBB5FF88310F65812AE419AB250D7719845CF90

Function 06965D38 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06965E4A

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 266fdf3b8cec48ea7446c667d3bf187eeafd6d1a25d9c68d39c04ca5f082e12a
Instruction ID: 9dd630fa81a13112c8af55de3895c07ced2674ec616430fbf9ce25b81474074b
Opcode Fuzzy Hash: 266fdf3b8cec48ea7446c667d3bf187eeafd6d1a25d9c68d39c04ca5f082e12a
Instruction Fuzzy Hash: E241CFB1D00309AFDF15CF9AC884ADEBBB5BF48310F25812AE819AB250D7759945CF90

Function 069697FC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0696AB89

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 8475af8e8e71acdd363520a251cbf710d53734b81be3a9342cf97ada8358beda
Instruction ID: 10448269db9f4b1aba9aa184c4a185ceff9c0faa82c16cda1b1cab4b7115395e
Opcode Fuzzy Hash: 8475af8e8e71acdd363520a251cbf710d53734b81be3a9342cf97ada8358beda
Instruction Fuzzy Hash: 0C412AB4D003498FDB54DF9AC888AAAFBF5FF88314F248459E519A7361D774A841CFA0

Function 0696B810 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 0696B898

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 0eeb6fba5a83a8825a57bdf6928ba2546760876e8217f677daa121f160388b61
Instruction ID: b095763ce108d44a8aa30358c3f9e81353e11dec028b1eee194911fadf98f318
Opcode Fuzzy Hash: 0eeb6fba5a83a8825a57bdf6928ba2546760876e8217f677daa121f160388b61
Instruction Fuzzy Hash: 0531F1B0D01309DFDB24DF9AC984B9EBBF5AF48304F248069E504AB294DB74A945CF55

Function 0696B812 Relevance: 1.6, APIs: 1, Instructions: 70comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 0696B898

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: df98cfe546f40c2448de5ceb88ca22d1393a98d9c8180ecb31016551e110cd2c
Instruction ID: e92eb0a51ce08b36bc8225c9edc0da75f68574388d82569131f4cee9edc36f34
Opcode Fuzzy Hash: df98cfe546f40c2448de5ceb88ca22d1393a98d9c8180ecb31016551e110cd2c
Instruction Fuzzy Hash: 8231F1B0D01309DFDB24DF9AC984BDEBBF5AF48304F248069E404AB294DB74A945CF55

Function 06969C30 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06969CBF

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d3b4ea19b4b44add7bb8a2a38cb90d69e16990d47870b9f86881e3e4bb60bffc
Instruction ID: 385cb4759c1fa3bae52a2ae8eb2e70493cb264b2786924dfa58d2a26f47aed25
Opcode Fuzzy Hash: d3b4ea19b4b44add7bb8a2a38cb90d69e16990d47870b9f86881e3e4bb60bffc
Instruction Fuzzy Hash: 512100B5D00349DFDB10CFAAD984AEEBFF4EB48320F14841AE959A3250C378A955CF61

Function 06969C38 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06969CBF

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ea76aa1efc881c605404060fdcdee3a239da534f32af2e1a28d029aa6a15d686
Instruction ID: d3296291d014e3cf783d6512449ffa1ecbfa4f505466b4fe162b1e6853993e37
Opcode Fuzzy Hash: ea76aa1efc881c605404060fdcdee3a239da534f32af2e1a28d029aa6a15d686
Instruction Fuzzy Hash: FB21E4B5D003499FDB10CF9AD984ADEBFF8EB48320F14841AE919A3350D378A945CF65

Function 0696D348 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0696D3CB

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 24ecf2214e95d0df526be12d63ca5cfeffd7b1dbfca1e0b2234f9e8cd68f2fd4
Instruction ID: 358b26264062c6430bd545ab456aa6f065a71a83a339a0c875b03870db5d1ea4
Opcode Fuzzy Hash: 24ecf2214e95d0df526be12d63ca5cfeffd7b1dbfca1e0b2234f9e8cd68f2fd4
Instruction Fuzzy Hash: 06213575D002099FDB14DF9AC844BEEBBF5EF88310F10842AE429A7250C775A944CFA1

Function 02ED8038 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 02ED80B0

Memory Dump Source

Source File: 0000000B.00000002.2496921504.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2ed0000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 257e6ca4ec999b2da9b599702114268728b18188235b693543d1eb3f626dd672
Instruction ID: 74238f17270701b9ff68fb99b02ede00e1e025b94bb7113239812deba863d807
Opcode Fuzzy Hash: 257e6ca4ec999b2da9b599702114268728b18188235b693543d1eb3f626dd672
Instruction Fuzzy Hash: 352149B1C006598BDB20CFAAC445BEEFBB0AB48320F148219D858A7340D775A946CFA1

Function 0696ADF8 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0696ADD5), ref: 0696AE5F

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: cc5584c597004923d767183a2252c97b0b7298969efaed0e5351537a8981896f
Instruction ID: 369557615abdbb8e11f60c5c6485163a552922da89c64f8b202748870bc91c39
Opcode Fuzzy Hash: cc5584c597004923d767183a2252c97b0b7298969efaed0e5351537a8981896f
Instruction Fuzzy Hash: A1116AB5C003499FCB21DF9AD845BDEFBF8EB49325F20845AE518A3650C374A945CFA1

Function 0696D350 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0696D3CB

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 5bd87f7c2117718948eee03a2a090cdb0b7ce49a0051118f85693db12b98502c
Instruction ID: 3e759c31a62b7b0374cc1396c5c849a13a3f26aeac43bcda1ec5d68e82c1df58
Opcode Fuzzy Hash: 5bd87f7c2117718948eee03a2a090cdb0b7ce49a0051118f85693db12b98502c
Instruction Fuzzy Hash: 00211371D002098FDB14DF9AC844BEEBBF5AF88310F10842AE429A7290C775A945CFA1

Function 02ED8040 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 02ED80B0

Memory Dump Source

Source File: 0000000B.00000002.2496921504.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2ed0000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 3dcac95f2039fadcaef86f8427155670aebab1b9dae3fe6dbf0104bde2e9b2fb
Instruction ID: e2a377c1f823dadb525a57b529f0d944a5051c5c5d9b129426be8b7f1397234b
Opcode Fuzzy Hash: 3dcac95f2039fadcaef86f8427155670aebab1b9dae3fe6dbf0104bde2e9b2fb
Instruction Fuzzy Hash: DB1138B1C0061A9BDB20DF9AC545B9EFBB4BB48320F148229D818A7240D778A945CFA5

Function 02EDEF78 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 02EDEFDF

Memory Dump Source

Source File: 0000000B.00000002.2496921504.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2ed0000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b31308bfc6a961553a474739fe7ca330f369006ec3a8e05a63dbafb7a3e01c17
Instruction ID: ac0937665150fae2614424dea8356fffcf2f904a23bbdc21723ba2fcaf8c63ea
Opcode Fuzzy Hash: b31308bfc6a961553a474739fe7ca330f369006ec3a8e05a63dbafb7a3e01c17
Instruction Fuzzy Hash: 281123B1C0065A9BCB20DF9AC545BDEFBF4AF48320F14812AE818A7240D778A945CFA5

Function 069637C8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06964CF6

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1fe1c889c2dff68a3489f3fb35f8471424a07b18860ab346049a0400bc7e47d8
Instruction ID: 1a19ee0ed8d15e4edeaa9c73df75131315042ea697f580d2d3d57f922f536717
Opcode Fuzzy Hash: 1fe1c889c2dff68a3489f3fb35f8471424a07b18860ab346049a0400bc7e47d8
Instruction Fuzzy Hash: DF11EFB5C007498BDB20DF9AD844AEEBBF4EB49610F10842AE929A7610C379A545CFA5

Function 06964C8B Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06964CF6

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d6aef0eae78506edd4cffa664ac3a3721349557aafa0b4dc2d97633294ed1a04
Instruction ID: 859c0bf0e0d9fdd97925a350014d5a26b86eda32bc0620f90b46645f28dd9d95
Opcode Fuzzy Hash: d6aef0eae78506edd4cffa664ac3a3721349557aafa0b4dc2d97633294ed1a04
Instruction Fuzzy Hash: 151102B5C003498FCB20DF9AC844ADEFBF4EB49610F10841AD869A7710C379A546CFA1

Function 0696B6C1 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0696B71D

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: b2c9ae5f174a51aba6fa693ad03121993eb3a4513fc9bd6cf57e23be8e9b5cd4
Instruction ID: e05beb92db97ad3d0be354ddfbef7d5f7ebf1e3b0837229aaa7f75171f24eb43
Opcode Fuzzy Hash: b2c9ae5f174a51aba6fa693ad03121993eb3a4513fc9bd6cf57e23be8e9b5cd4
Instruction Fuzzy Hash: 021145B4C003488FCB20DF9AD849BDEBFF8EB48320F248419E518A7600C735A545CFA5

Function 0696B0F5 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0696B71D

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 739060c542ae12c501c93151ba7590c5e2f469def2af3131013d317cce125a2d
Instruction ID: 4671d1ed79250b67d9fd030f6ab384ca2b82be378ad9630d2a4a82212cf276c6
Opcode Fuzzy Hash: 739060c542ae12c501c93151ba7590c5e2f469def2af3131013d317cce125a2d
Instruction Fuzzy Hash: CE1145B5C003488FCB20DF9AC845B9EBBF8EB48320F208419E559A7710D339A945CFA6

Function 0696B0F8 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0696B71D

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c223b9e11b96e28ef29334a2c71521f637c9603c0ed49d33756be9ba427761c3
Instruction ID: 3643a397f934909c06f219f47960bd8e007319b4904adf0601f6cc0402fe95dd
Opcode Fuzzy Hash: c223b9e11b96e28ef29334a2c71521f637c9603c0ed49d33756be9ba427761c3
Instruction Fuzzy Hash: 991145B4C003088FCB20DF9AC444B9EBBF4EB48320F208419E519A7650D375A945CFA5

Function 06969854 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0696ADD5), ref: 0696AE5F

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 172e62d2d06081cdb0c1656bf0c122960755e74b8f2cfc8c48c4d3ea2f1510fe
Instruction ID: 83e8f7390e3fbed9b9da361495237f5bc3d3b04f47dcf28dc8fb8fd8ada59da9
Opcode Fuzzy Hash: 172e62d2d06081cdb0c1656bf0c122960755e74b8f2cfc8c48c4d3ea2f1510fe
Instruction Fuzzy Hash: CA1133B0C003498FCB20DF9AC848BAEBBF4EB48320F208419E919B3240C374A944CFA5

Function 0698DBE5 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

PHq, xrefs: 0698DD41

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: fb5d0ed54e6cae66537376195514c5f4d43232f2f9206dad79051a20438ad394
Instruction ID: 75aef1abb5f54a62dbddfc964c2434964f58516dfd2804274b2a9f189353e1ae
Opcode Fuzzy Hash: fb5d0ed54e6cae66537376195514c5f4d43232f2f9206dad79051a20438ad394
Instruction Fuzzy Hash: 7641C530E0070A9FDF64EF65C8546AEBBB6FF85300F204529E415DB681DB70E84ACB81

Function 069821BD Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

PHq, xrefs: 0698230B

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 61ba4be0ae885b96095a1cb627c5d76fb1b0a752f5f1fb0e468f07ed97afdeab
Instruction ID: 8714b9c2bbec4b351380286a4a0ac43a94ba0f72638f3f40a1046ef0a68588ec
Opcode Fuzzy Hash: 61ba4be0ae885b96095a1cb627c5d76fb1b0a752f5f1fb0e468f07ed97afdeab
Instruction Fuzzy Hash: 96310D30B002028FDB69AF38C56466E3BE2BF89310B684569D402DB7A4DF38DD06C7D0

Function 069821D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHq, xrefs: 0698230B

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 09c262fd081f8d0a7d2ff18115eb2cd718657970a38a2d8adee61b3db2c5b7c1
Instruction ID: 309d21a22b1eceb09e21a429725f7e739eff303f4c0b9e9b48a8f02a4ab5ca39
Opcode Fuzzy Hash: 09c262fd081f8d0a7d2ff18115eb2cd718657970a38a2d8adee61b3db2c5b7c1
Instruction Fuzzy Hash: 7E31EB30B002058FDBA8AB78C86466E3BE7BBC9610B644539D406DB394DE39ED06C7D1

Function 069883E8 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$q, xrefs: 06988433

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: $q
API String ID: 0-1301096350
Opcode ID: f25f06117f644c536015c66ee6060cad40131d4b1a54d5c42f72817a6e5413fe
Instruction ID: 741575e790a8e54cb3dd8babaf9883c2a7173c8dca95b6bfa1b704b64f97541f
Opcode Fuzzy Hash: f25f06117f644c536015c66ee6060cad40131d4b1a54d5c42f72817a6e5413fe
Instruction Fuzzy Hash: 29F0D132F002119FEF64AE64BB40268776DEBC0350FA44575D904EB951C739DD05CBA1

Function 06984B69 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Oq, xrefs: 06984B75

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: \Oq
API String ID: 0-643489707
Opcode ID: 53d2b41eab5462233b54e16c0502cc0875fcd4c9816407a5c7a645abf1eef6d5
Instruction ID: f4ade535e0835895a81f977d0cdc3ef66d2832d7c803b366184345352a3d035d
Opcode Fuzzy Hash: 53d2b41eab5462233b54e16c0502cc0875fcd4c9816407a5c7a645abf1eef6d5
Instruction Fuzzy Hash: FEF09E30A5422ADFDB54DF95E959BAE7BB2FF84704F200519E402A7694CB745C45CBC0

Function 0698C2B0 Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e71ac94241f7a2d12298679d5f0bc813722d9a23026d4ee27b48f8bae4ea23d
Instruction ID: 8a3d4d777f71d3aa1e9d9e9d35244ee94ecbe81c7515241577f071bf356f4e03
Opcode Fuzzy Hash: 9e71ac94241f7a2d12298679d5f0bc813722d9a23026d4ee27b48f8bae4ea23d
Instruction Fuzzy Hash: 72324074E00209DFDB64EF68D990AADB7B6FB88310F208525D405EB755DB39EC42CBA1

Function 0698B3E7 Relevance: .6, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcefa2c880409ff1ff8b1da4d0bab9190bd42087701d509e5cd95381a9a85ac7
Instruction ID: 29a272fc3695c4b7ba7042e70ca5b699fc49acd04612be51b1ac5d7e0fb55eac
Opcode Fuzzy Hash: bcefa2c880409ff1ff8b1da4d0bab9190bd42087701d509e5cd95381a9a85ac7
Instruction Fuzzy Hash: CF224134E102098FEF64EB68D4907ADB7B6FB85310F38842AE415EBB99DA35DC41CB51

Function 06986308 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b84ee7dda35fbfb583e55d9cd4add1bc66a92a3190d6ca5ef7f4777b0f860c4a
Instruction ID: eb9245773781e32514cf3bb0caf863373d995b5dfcbbdb60384639d9a8460ccc
Opcode Fuzzy Hash: b84ee7dda35fbfb583e55d9cd4add1bc66a92a3190d6ca5ef7f4777b0f860c4a
Instruction Fuzzy Hash: 2B61B671F001214FDF54AA7DD84065EBADBAFC4210B29443AD80AEB364DEB5ED4287C2

Function 069843BB Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eea06f6ba928731eeabdc6637a41ecde20fce3fa449490b4bc60a9004b65c3e
Instruction ID: 25a9324ff5f8f2ba9bf9ffb7b18dc191da8422e5509a45957ac7d032544e6162
Opcode Fuzzy Hash: 9eea06f6ba928731eeabdc6637a41ecde20fce3fa449490b4bc60a9004b65c3e
Instruction Fuzzy Hash: 49813C70B006099FDB54EFB9D4507AEBBE6BF89300F248529D50AEB794DA34DC42CB91

Function 069846D4 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88f67472d586c33e1914dce79bab4133179ca248e4b820c4644ed16d7b0da4c
Instruction ID: aae7f950d55443a87cd36c4d4d69de9f6062196d51efd4d1b76ab72214703b7d
Opcode Fuzzy Hash: a88f67472d586c33e1914dce79bab4133179ca248e4b820c4644ed16d7b0da4c
Instruction Fuzzy Hash: 87915E34E0021A8FDF60DF68C880B9DB7B1FF89300F208699D549BB655DB71A986CF91

Function 069846E8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e786068035481b97d9684c6c1bfa8788fa59ceb8b0b255b7638a19a3b3395863
Instruction ID: b54c7a333d2258e2cad48770ff06928b8dc306069d6e91be7f44d74d1853ac35
Opcode Fuzzy Hash: e786068035481b97d9684c6c1bfa8788fa59ceb8b0b255b7638a19a3b3395863
Instruction Fuzzy Hash: 18912D34E1021A8FDF60DF68C880B9DB7B1FF89710F208699D549BB254DB71AA85CF90

Function 0698F039 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f4e94e06aceaa7ecc9a090f1a52623bbba62c95d227f55eeff5c5de6fc5f85
Instruction ID: f0966358cba20c40bf3a9bc027a618824b935e41b2cf66e72bd65aa5ed053fa6
Opcode Fuzzy Hash: 71f4e94e06aceaa7ecc9a090f1a52623bbba62c95d227f55eeff5c5de6fc5f85
Instruction Fuzzy Hash: 0B713B74A002099FDB54EFA8D980AAEBBF6FF84340F249529D405EB765DB34EC46CB50

Function 0698F048 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62134f98461a2110920baf2b4c1fe9068d2a0fdd1f8cf2bdf0c7d86696a6995c
Instruction ID: d1b5d379c8e07534c98845a4a425222a633d58fd1ef09018066422d73fbc4424
Opcode Fuzzy Hash: 62134f98461a2110920baf2b4c1fe9068d2a0fdd1f8cf2bdf0c7d86696a6995c
Instruction Fuzzy Hash: F3713874E002099FDB54EFA8D980AAEBBF6FF88340F249529D405EB754DA34EC46CB50

Function 0698FCC9 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2381f90ebc8b9409699b57b37dd44651d5b3471b909b3a34caf17cdc6e2bd52d
Instruction ID: 35af808236e51cb4bff573c1bdb84c21d89f49d6b96ff501308eaf60790f4389
Opcode Fuzzy Hash: 2381f90ebc8b9409699b57b37dd44651d5b3471b909b3a34caf17cdc6e2bd52d
Instruction Fuzzy Hash: 4851DF31E00105DFDF64EF78E4446ADBBB6FB84365F20887AE11ADB692DB358855CB80

Function 0698FA78 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece162c71e034efbe4c773867455655f37679bad40b5f73b3e72d83604db1f66
Instruction ID: 26068ea7e5d5a66e824a81a1513e1e86480a5f11f40112773c4d64ce3674f3ea
Opcode Fuzzy Hash: ece162c71e034efbe4c773867455655f37679bad40b5f73b3e72d83604db1f66
Instruction Fuzzy Hash: E751B2B4F202044FEFB0AA78D854B2F2A5AD7C9391F30443AE40AD7795DA3DDC429392

Function 0698FA88 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1792c881b16421d90d746a16c02dc424716f4a3de4a675f0c071ea4061ebe0e0
Instruction ID: 7ac69e570d2bd3fc25d377e10e96c7806c8914001f6e128a99363ba8fb8e5d2d
Opcode Fuzzy Hash: 1792c881b16421d90d746a16c02dc424716f4a3de4a675f0c071ea4061ebe0e0
Instruction Fuzzy Hash: 505182B4F102044FEFA4AA78D954B2F265ED7C9391F20443AE40AD7795DA3CDC429391

Function 0698552B Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f59c7a589160c1d08c26a82cd25eba56da2d633623fd2fc658eda11a2a3f34
Instruction ID: 7ae7e1d6bfe1fbfa66159e970dda97a62dae123bb22cc30be97711342713bd14
Opcode Fuzzy Hash: 37f59c7a589160c1d08c26a82cd25eba56da2d633623fd2fc658eda11a2a3f34
Instruction Fuzzy Hash: 98415E71E003098FDFB0DE99D880AAFF7B6EB85210F21492AE156D7A50D630E949CB91

Function 0698DA98 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c6e9ccaa5befa3a3f66e38fdc9b5ffd9e2794ddb2b5a88f10e138e86d352f7
Instruction ID: 25a5719dfcbd92b7c65f32e96bc98a20c4aef04c4613222e1be849ea40c5e90d
Opcode Fuzzy Hash: e8c6e9ccaa5befa3a3f66e38fdc9b5ffd9e2794ddb2b5a88f10e138e86d352f7
Instruction Fuzzy Hash: AA31A430E1071A9FDB25EF68C88069EBBB6FF85310F204529E405EF644DB71E94ACB81

Function 06982081 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02971580b694e263130e8c67926c7c3108eba4bb23df4d7573b894f0cda6572
Instruction ID: b15a7930c841ef8320c42b9ebdfb35defb9678a8aceb5e94372597aa922c5b94
Opcode Fuzzy Hash: c02971580b694e263130e8c67926c7c3108eba4bb23df4d7573b894f0cda6572
Instruction Fuzzy Hash: D1316F30E106059FCB59DFA4D854A9EB7F6FF89310F208529E906E7650DB31ED42CB90

Function 06982090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b806fe9c0fc2cdd0183ce18eee8824e5054f3591b25772422e763ad0b8a2785
Instruction ID: a02f3a1a37fae3899e236df1a055d947f80fe0abb4376de6e667278d7b7d1634
Opcode Fuzzy Hash: 4b806fe9c0fc2cdd0183ce18eee8824e5054f3591b25772422e763ad0b8a2785
Instruction Fuzzy Hash: F4314B30E106059FCB59DFA4D854A9EB7B6FF89300F208529E906EB750EB71ED42CB90

Function 069831A0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50631875478d0b4041f0afda03a209316e2de9daa4119f8b6c106024af181293
Instruction ID: a32c6b4f3179ba12465f892fadac4500d07a38738cf350473f0134bafed8ec9e
Opcode Fuzzy Hash: 50631875478d0b4041f0afda03a209316e2de9daa4119f8b6c106024af181293
Instruction Fuzzy Hash: 55318BB1C09399AFCB01EFA9C884ADEFFB4FF0A310F14815AD448AB252C3345915CBA5

Function 06983FC1 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e1d5b9a01d92305ce9633b8316907a6bec435da336fd764bd81f46cd664a89
Instruction ID: 1f2145ec96fad523dfa5008d1959f056238f987816fb00ff895a6c1dd84cea83
Opcode Fuzzy Hash: 80e1d5b9a01d92305ce9633b8316907a6bec435da336fd764bd81f46cd664a89
Instruction Fuzzy Hash: E2214876E01219AFDB50DFA9D840AAEBBFAFB48710F108025E905E7350E739DC41CB91

Function 0698A420 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89947a68d57f85015ff6fc6447dc7aa93f152921e9089ae0d563b703901b458b
Instruction ID: e66d8a23e815eacca10e1e83972fd424c53b5ee8a9d0b9e6e2154be351149b94
Opcode Fuzzy Hash: 89947a68d57f85015ff6fc6447dc7aa93f152921e9089ae0d563b703901b458b
Instruction Fuzzy Hash: 2021D330F001115FDBA4EABCE85076E77E6EBCA310F20457AE20ADBA51DA29DC02C781

Function 06983FD0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee2cc9731d57a136f832a35fcddf05b12e20e1124c98821f9f8f4886f24e193
Instruction ID: dfa6b3365cbaf38002173a1d389cfea202a222ec5e8f6fb4ecfa95075ea15900
Opcode Fuzzy Hash: 2ee2cc9731d57a136f832a35fcddf05b12e20e1124c98821f9f8f4886f24e193
Instruction Fuzzy Hash: 54215A75E002199FDB50DFA9D940BAEBBF5FB48710F108029E905E7350E639DD40CB90

Function 0155D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2496469499.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_155d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36689b0f483eefb8306b2ded44a2af620a74df95d4af2c9c287c5502e6f1b15d
Instruction ID: 6c5b00eb1c999107a7fe36512c6781255f0617274af054d513eef42355933752
Opcode Fuzzy Hash: 36689b0f483eefb8306b2ded44a2af620a74df95d4af2c9c287c5502e6f1b15d
Instruction Fuzzy Hash: 13210076604200DFDB55DF54D990B2ABBB1FB84314F20C96EDC0A4E2A2D33AD847CA62

Function 0155D118 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2496469499.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_155d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b92ebab608ca221b9a6a698915dd1ddbd836a932ad615b50329cc67e87ee28
Instruction ID: b2346a9771e7bd11c828fc245ae2aa319eae237782c100f775f5cf4b63e0ae18
Opcode Fuzzy Hash: 83b92ebab608ca221b9a6a698915dd1ddbd836a932ad615b50329cc67e87ee28
Instruction Fuzzy Hash: 6B21F272604304DFDB45DF54D9D0B2ABBB5FB84214F20C56EDC094F252C336D846CA62

Function 06986E30 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da97dcb0e4c8ca3840cd6fc7ce544668245bf0e65d6a2f4abe739c1074ad58f4
Instruction ID: cddef09a5e10b3d29ea0fa26cbf40e9986606b475b6e074c17e9cc4d1d2c44fd
Opcode Fuzzy Hash: da97dcb0e4c8ca3840cd6fc7ce544668245bf0e65d6a2f4abe739c1074ad58f4
Instruction Fuzzy Hash: 9A219D31B101189FDF94EAA9ED506AEBBA7EBC4350F248529E405EB741DA34ED51CB80

Function 06984318 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5728a053d2858c46514947a9f77c3c72b3b19e5fc84ff98a7aebd76e0e731669
Instruction ID: d9939f5cd836333a18d9f061778ba7c5023345d8a7dfda39e1a07ac7ca403dc5
Opcode Fuzzy Hash: 5728a053d2858c46514947a9f77c3c72b3b19e5fc84ff98a7aebd76e0e731669
Instruction Fuzzy Hash: 0C112234B002210FCB65967C8840B5FBBEADFCA610F20852EF18ACB795D925CC028791

Function 069840E0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86024f966ca25cbb0c442272ab8fe9795734d4e83dab7a93b3947593b02f9aae
Instruction ID: e6dca9bbacd3297551f86bee72812a38812de0dfcbf7a0177da081d9551be63a
Opcode Fuzzy Hash: 86024f966ca25cbb0c442272ab8fe9795734d4e83dab7a93b3947593b02f9aae
Instruction Fuzzy Hash: 4B118E31B001255FDB94EA68CC20AAE7BEAEBD8710F148439C506E7384EE24DC1287D1

Function 06983570 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549b9dee57f4aaa306497587ada5f39b4d7e7e5703dc81ff68a02f55d608ce5c
Instruction ID: e2a0fa200be09ccc3c71a9d24e95ba94ab99516fedbfd04cb111fe01c44a73ff
Opcode Fuzzy Hash: 549b9dee57f4aaa306497587ada5f39b4d7e7e5703dc81ff68a02f55d608ce5c
Instruction Fuzzy Hash: 7011C671E003185FDB54EBB9C8416DEFBB5EF89710F14456AD509EB600EA31D940CBD0

Function 0698316C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d31b9599beba9f67e44264c8f8882d4f3c4ac6fac96b8890a02b53cd9b9f9f
Instruction ID: 462a643bd293a9d7a6b5f685a2204751d33f7fb94c01381ce5db3fab570502d8
Opcode Fuzzy Hash: f1d31b9599beba9f67e44264c8f8882d4f3c4ac6fac96b8890a02b53cd9b9f9f
Instruction Fuzzy Hash: 8721F2B1D01319AFCB10DF9AD884ADEFBB8FB48310F50812AE918B7240C374A954CFA5

Function 069840D1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010c8c004011978016727b5a73dac4c5377e4479adb046421e0f70c11a23a8db
Instruction ID: 2a062a998bd9ed73ddc3c5ced05bc8ea90b2c0b93a4b0a38b4563784a7efa357
Opcode Fuzzy Hash: 010c8c004011978016727b5a73dac4c5377e4479adb046421e0f70c11a23a8db
Instruction Fuzzy Hash: 5E01B132B100195FDB949A69DC216EF7BEEEBC8711F144135D505E7284DA249C1187D1

Function 0155D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2496469499.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_155d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: b6b0a7c06abee9e990ad8811d85c32f7ea188075103bacbd84a0042141b0ceff
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 8D11AC76504280CFCB16DF54D590B19BB71FB84314F24C6AADC494B666C33AD44ACB61

Function 0698F2B8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62707224e04b7491bb27de1e1c44aedebf0b3793932666f94b80f96dda9c6201
Instruction ID: 78e2a76223038674acedfdcda7d98e7f389ae89f2545a4224a8b6dccce6e5274
Opcode Fuzzy Hash: 62707224e04b7491bb27de1e1c44aedebf0b3793932666f94b80f96dda9c6201
Instruction Fuzzy Hash: DD01F135B141500FCBB1A67C949076EABD6EBC9354F24886AE00ACBA40D956CC038782

Function 06983D9B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 906b89fc7753037b7722fd52b691f079fad3aa9dc363ddaa6c9d24f51d1a3b9b
Instruction ID: 94298f283dac4a1594f0a526237a1d113abf4b9bbecfeaa79cadf4943430d828
Opcode Fuzzy Hash: 906b89fc7753037b7722fd52b691f079fad3aa9dc363ddaa6c9d24f51d1a3b9b
Instruction Fuzzy Hash: B82103B1D01219DFCB10DF9AD885ADEFBB4FB48310F10822AE518A7240C374AA54CFA5

Function 0155D113 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2496469499.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_155d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9cca0ddad5a86085491794687953ae07ced3ba403328ac5bf8e948dc3c1e61
Instruction ID: 697a2861974c9a707ec7ad72dcbfe1f4b5e6b06c0b1d938b8c1c2f21591726c4
Opcode Fuzzy Hash: 2e9cca0ddad5a86085491794687953ae07ced3ba403328ac5bf8e948dc3c1e61
Instruction Fuzzy Hash: 7911AC765042848FDB06CF14C5D0B19BF72FB84214F24C6AAD8494B652C33AD44ACB51

Function 06984328 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c434c6f966495754ea666bc19e1c9e19a1cda95ef9ca221fe91573e5486547cf
Instruction ID: e7b0857e9dc99e57ba5c12f2eba147d65c75d41c82bc82bd248a27bd2ea07281
Opcode Fuzzy Hash: c434c6f966495754ea666bc19e1c9e19a1cda95ef9ca221fe91573e5486547cf
Instruction Fuzzy Hash: 9E018131B101210FDBA4A66D9554B2FB2DBEFC9B10F20843EE10EC7B94DD66DC028791

Function 0698F2C8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 743e5111619c46b2ed53976a1dc2661f7f3327d5520c198240922d0008cff7ee
Instruction ID: d26decd38cf60f0ad44338504f328a0239b65277bde84f622e85945420417a70
Opcode Fuzzy Hash: 743e5111619c46b2ed53976a1dc2661f7f3327d5520c198240922d0008cff7ee
Instruction Fuzzy Hash: B7018135F101140FDBA5A57DD45072FB2DAEBC97A4F20893AE10AC7744DE65DC038781

Function 0698A430 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4441021781f69f8c11714ba0e1bcfa6d865b0a64ae2ea1ccfe9f00c277e34b23
Instruction ID: 58122917a72f9ad7b9350dd97709c79bcaeef0cfe6447c9ae4781b9ba133f0db
Opcode Fuzzy Hash: 4441021781f69f8c11714ba0e1bcfa6d865b0a64ae2ea1ccfe9f00c277e34b23
Instruction Fuzzy Hash: 26018630B101145FDB64EA7DE854B2B73DAEBC9314F608539E10ED7754DE2ADC018780

Function 06986588 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0b89f9115a46cf8089593e12b5ae77429119bd2b7216bc424d9d1d3a89dc52
Instruction ID: 2214e2d85de2e905c2b21f6aa7af19de0fb987ac004e0dbaf811cbc94f2a2fb6
Opcode Fuzzy Hash: ba0b89f9115a46cf8089593e12b5ae77429119bd2b7216bc424d9d1d3a89dc52
Instruction Fuzzy Hash: 7EE09270D153486FDF60EBB4D90575A7BAD9742208F6044A6D804CF60AF679C941C791

Non-executed Functions

Function 069877B8 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$q, xrefs: 069878D9
$q, xrefs: 06987D1A
$q, xrefs: 069878E5
$q, xrefs: 069878A8
$q, xrefs: 06987C71
$q, xrefs: 06987C65
$q, xrefs: 06987D26
$q, xrefs: 069878B4
$q, xrefs: 06987D04
$q, xrefs: 06987D10

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-1298971921
Opcode ID: 0b16f26548ee8f6de66faf4dc811f7764edc0e6b88883aef8785bee78dd5fa60
Instruction ID: 82ed2d63803c7119cc74beb8ed735ef2359615ac0d970cc3d1deffe69ade10c1
Opcode Fuzzy Hash: 0b16f26548ee8f6de66faf4dc811f7764edc0e6b88883aef8785bee78dd5fa60
Instruction Fuzzy Hash: 19121930E002198FDB64EFA5D854BAEB7B6FF89300F248569D40AAB755DB349D41CF90

Function 06985DFF Relevance: 2.9, Strings: 2, Instructions: 427COMMON

Download Yara Rule

Strings

XPq, xrefs: 06985F21
\Oq, xrefs: 06985F75

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: XPq$\Oq
API String ID: 0-3725437444
Opcode ID: 0c509b252f57e4d0c72f5084ed5556babbc85962c46c1520cc42697cfe438c9e
Instruction ID: c51e4d56ed209fc680f26d8890aa2873daa5f41adc9405899a6f39959d65137c
Opcode Fuzzy Hash: 0c509b252f57e4d0c72f5084ed5556babbc85962c46c1520cc42697cfe438c9e
Instruction Fuzzy Hash: C1E10631B141158FDBA4EB6CD8806AEBBB6FF89310F25846AE406DF761CA31DC05C791

Function 06980040 Relevance: 2.0, Instructions: 1982COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f22823555312dcd52b067b106bb76a40e0d828a7538250e82fc293078be2c41
Instruction ID: db68d1f02f3dabe9e2be2cedcb034e4d48deef50a321dc79d787a34ac8f8590e
Opcode Fuzzy Hash: 9f22823555312dcd52b067b106bb76a40e0d828a7538250e82fc293078be2c41
Instruction Fuzzy Hash: 2B23FA31D10A198ECB11EF68C8945ADF7B1FF99300F15D79AE458B7221EB70AAC5CB81

Function 0698E4D0 Relevance: 1.8, Strings: 1, Instructions: 567COMMON

Download Yara Rule

Strings

PHq, xrefs: 0698E730

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 4e4c7e1c448215931961d70b177e7a6115ccbb16cd4661f3ce5c119d88878e1b
Instruction ID: 844dc9e629e9f5f2d0609cdc47db596da3f6de8f1aea2c60570fcccb6071924e
Opcode Fuzzy Hash: 4e4c7e1c448215931961d70b177e7a6115ccbb16cd4661f3ce5c119d88878e1b
Instruction Fuzzy Hash: 2422A134B002058FDBA4EB68C494B6DB7F6FF88310F248569D40ADB7A1DA35EC46CB91

Function 06965348 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e15f2f2c6d3c5550b77c372bb447822ad7b04a400a912298de2fdec9f9f85b
Instruction ID: 7fedc20375a4e3bb93fae849d9969dd0fec158f583fc1594456dcdee567de350
Opcode Fuzzy Hash: 21e15f2f2c6d3c5550b77c372bb447822ad7b04a400a912298de2fdec9f9f85b
Instruction Fuzzy Hash: C412A8F0C9A7498AE710CF65E9CC189BB61B741394FD08A0AD2622E2D9D7F4156ACF44

Function 02ED4198 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2496921504.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2ed0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c218707c0d44e88d3341bec3c89d370ef7213612408c1131e639b5953c43df8d
Instruction ID: 8317ad5360a6dc3f10ff41d00052905b0f9c46e2f09b175758177d2aa152471e
Opcode Fuzzy Hash: c218707c0d44e88d3341bec3c89d370ef7213612408c1131e639b5953c43df8d
Instruction Fuzzy Hash: B5B15F70E402098FDF24CFA9D8857EDBBF2AF58318F14D129D419A7294EB749882CF81

Function 06961C68 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791c41dec5886bc9a4a4bf75111c55e9d1f421e8213c98d0aec66c6323b8e693
Instruction ID: f6fd8703189bf8638b31c0cb86589517b25a8a1eb2eee64fa45f6046167d4dac
Opcode Fuzzy Hash: 791c41dec5886bc9a4a4bf75111c55e9d1f421e8213c98d0aec66c6323b8e693
Instruction Fuzzy Hash: E2813875E003099FDF61CF9EC880AAEBBB9FB49310F24852AE415E7651D334D991CBA1

Function 06965343 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2500720324.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5196a4623103b8a7a97cf6899a1f6d2fea642d952ea5051a817e12bed4f998a
Instruction ID: b29edba262760fb0c516559cd0ecdfd376fadabf3f6e831d30c05a0c8abfae48
Opcode Fuzzy Hash: c5196a4623103b8a7a97cf6899a1f6d2fea642d952ea5051a817e12bed4f998a
Instruction Fuzzy Hash: 4FC1E8B1C9674D8AD714CF75E88C189BBB1BB85394F908A0AD1622F2D8DBF4146ACF44

Function 0698AA50 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$q, xrefs: 0698ABCC
$q, xrefs: 0698AC0E
$q, xrefs: 0698AB52
$q, xrefs: 0698ABA1
$q, xrefs: 0698AC02
$q, xrefs: 0698ABD8
$q, xrefs: 0698AB46
$q, xrefs: 0698ABAD

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-3886557441
Opcode ID: 006ddd1d004fa502032721898377266cb897a03102446747d97ca9de1c074709
Instruction ID: 243ca19f02ec444faf7d89dde0b56c1d8c33441a49046cb016a5f11d1184feb0
Opcode Fuzzy Hash: 006ddd1d004fa502032721898377266cb897a03102446747d97ca9de1c074709
Instruction Fuzzy Hash: 42915230E00209DFEB64EF65D95476E77F6FF84301F24852AE801AB651DB789D42CB91

Function 069871B8 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$q, xrefs: 06987654
$q, xrefs: 069874F4
$q, xrefs: 0698749A
$q, xrefs: 069876C0
$q, xrefs: 06987500
$q, xrefs: 069876CC

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: 2a93ed91d10ba63de46b05971b7bde914bff3f371659c7d072fdea52474ef9c9
Instruction ID: 063f797f319c758c6401a0511bf37589e0e14f48000ab94d155852b9654236d9
Opcode Fuzzy Hash: 2a93ed91d10ba63de46b05971b7bde914bff3f371659c7d072fdea52474ef9c9
Instruction Fuzzy Hash: F6F12934A012099FDB58EFA4D954B6EBBB3FF84341F288568D405AF754CB39AC42CB91

Function 0698BB30 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$q, xrefs: 0698BCD5
$q, xrefs: 0698BCFD
$q, xrefs: 0698BD09
$q, xrefs: 0698BCC9
$q, xrefs: 0698BD3D
$q, xrefs: 0698BD31

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: d6b38f8b7af2e22e8724a4506b3c36772cf94f1811aa5f9b1503a73349c97d04
Instruction ID: d52596adcd225fd9a6e25010aa9607f28893015218288b941f569e70f0629240
Opcode Fuzzy Hash: d6b38f8b7af2e22e8724a4506b3c36772cf94f1811aa5f9b1503a73349c97d04
Instruction Fuzzy Hash: 5871B270E002099FDB68EF68D45066EB7F6FF85300B28852AD406EF659DB70ED46CB81

Function 069884F0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$q, xrefs: 069887AF
$q, xrefs: 0698874A
$q, xrefs: 06988756
$q, xrefs: 069887BB

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 6e81f84af8871a3e37687d6349e7ec795a90b32dc957ddce3624a1bf0ae9edb6
Instruction ID: 96a90457709517f20c172075a754d57a9856428e91d2916a01c564e210d9a394
Opcode Fuzzy Hash: 6e81f84af8871a3e37687d6349e7ec795a90b32dc957ddce3624a1bf0ae9edb6
Instruction Fuzzy Hash: 97B13B30E002198FDB64EBA5D984B6EB7B6FF84300F648969D406EB794DB35DC42CB90

Function 0698ADD8 Relevance: 5.2, Strings: 4, Instructions: 170COMMON

Download Yara Rule

Strings

$q, xrefs: 0698AFB4
$q, xrefs: 0698AF8B
$q, xrefs: 0698AF09
$q, xrefs: 0698AF5C

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 57ea182765f4a60a19542162f52eebfc8d9bec6a08db9ac557ded1b7859b7f25
Instruction ID: 3d7b6b743b1dfa6b0cd6ce7ebfa6484aeadc7e6e912c76d0c10c97d1a499edcd
Opcode Fuzzy Hash: 57ea182765f4a60a19542162f52eebfc8d9bec6a08db9ac557ded1b7859b7f25
Instruction Fuzzy Hash: D551C130E112059FDB65EB64E9806ADB7B6FB84310F24892AE815EB655CB34EC42CB91

Function 06988908 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$q, xrefs: 06988987
LRq, xrefs: 06988A4A
$q, xrefs: 06988993
LRq, xrefs: 069889FB

Memory Dump Source

Source File: 0000000B.00000002.2500821577.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6980000_RegSvcs.jbxd

Similarity

API ID:
String ID: LRq$LRq$$q$$q
API String ID: 0-2204215535
Opcode ID: 49aa8f990ce144d43a8ed84cf85d74de2ccc0e2c23faae667e9cb9eaee32057e
Instruction ID: 8074f019766d7cf23cede4218e38a6683ff91c90eff1ddc97a7d84562717af42
Opcode Fuzzy Hash: 49aa8f990ce144d43a8ed84cf85d74de2ccc0e2c23faae667e9cb9eaee32057e
Instruction Fuzzy Hash: E551B334B002059FDB68EF64DA40A6E77F6FF88310F548569E406AF7A5DA35EC01CBA1

Analysis Process: sgxIb.exePID: 7748, Parent PID: 4056COMMON

Executed Functions

Function 024E1340 Relevance: 3.1, Strings: 2, Instructions: 595COMMON

Download Yara Rule

Strings

8q, xrefs: 024E1B75
xX8snC!, xrefs: 024E1968, 024E19A3, 024E19DB, 024E1A22, 024E1A64, 024E1A9D, 024E1B1D, 024E1B2F

Memory Dump Source

Source File: 0000000C.00000002.1833931634.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_24e0000_sgxIb.jbxd

Similarity

API ID:
String ID: 8q$xX8snC!
API String ID: 0-3185901540
Opcode ID: 2df75e9acb8314bc2eec69932472a65c74f5f85f05bee1ab3f4763e46423338d
Instruction ID: 7ce10bf13e5fe0aae6cdc59eb006384a89708cb95dcd401e6b1ac62826655e1a
Opcode Fuzzy Hash: 2df75e9acb8314bc2eec69932472a65c74f5f85f05bee1ab3f4763e46423338d
Instruction Fuzzy Hash: 84325F74B40601CFEB54EF74D8A4A6A77A2FBC8345B50892DC51B873A8EB35EC46CB50

Function 024E0BC0 Relevance: 1.6, Strings: 1, Instructions: 338COMMON

Download Yara Rule

Strings

xX8snC!, xrefs: 024E0E24

Memory Dump Source

Source File: 0000000C.00000002.1833931634.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_24e0000_sgxIb.jbxd

Similarity

API ID:
String ID: xX8snC!
API String ID: 0-2677660975
Opcode ID: c05944a80f016beb7a12011f777cc2159a014ba47e322f3a5574e6e3f4e39639
Instruction ID: 2742d034df16f7e1e2daf564ac2ed709e7578d07ee0ac82906dde5deeee66468
Opcode Fuzzy Hash: c05944a80f016beb7a12011f777cc2159a014ba47e322f3a5574e6e3f4e39639
Instruction Fuzzy Hash: CB81AF35A00304CFDF25AB74C858B9EBBB2BF88311F15856AD517673A4DB71AC86DB80

Function 024E1230 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

tPq, xrefs: 024E12F7

Memory Dump Source

Source File: 0000000C.00000002.1833931634.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_24e0000_sgxIb.jbxd

Similarity

API ID:
String ID: tPq
API String ID: 0-789928099
Opcode ID: 4dcde9bf45ee217ebccaa95074f8a3dd61cad1fb6ca14bf0ca096688416bb8cd
Instruction ID: e0573075576748435cccbf5b3e8e384d867f55bf0211c7836ee2777c5cf347f4
Opcode Fuzzy Hash: 4dcde9bf45ee217ebccaa95074f8a3dd61cad1fb6ca14bf0ca096688416bb8cd
Instruction Fuzzy Hash: 54312D74B456108FDB59AB38D85892D3BE2AF8A71635104B9E506CF771DE36DC42CB80

Function 024E1240 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

tPq, xrefs: 024E12F7

Memory Dump Source

Source File: 0000000C.00000002.1833931634.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_24e0000_sgxIb.jbxd

Similarity

API ID:
String ID: tPq
API String ID: 0-789928099
Opcode ID: 763772640f5c9b79756024828cdddd185f87662b9ca2d0669de9ef71b5cd5310
Instruction ID: bd86426b7f7372fe46a1734593c12a730dc381d9a2ec17b865f53f099274973d
Opcode Fuzzy Hash: 763772640f5c9b79756024828cdddd185f87662b9ca2d0669de9ef71b5cd5310
Instruction Fuzzy Hash: 1921E675B416108FDB58AB38C458E2D7BE6AF8971636208B8E506CF775DE36DC42CB80

Function 024E1C00 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1833931634.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_24e0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505387b0b6069fd6f0594643aabbf5d24f8cdf314f055734dfd51f6044d65123
Instruction ID: a3457d8ec161dd41872ed441108b457b83a918abafe185fb0740ef8853dd842b
Opcode Fuzzy Hash: 505387b0b6069fd6f0594643aabbf5d24f8cdf314f055734dfd51f6044d65123
Instruction Fuzzy Hash: AE118E76E002459FCB01EFB8D8809DBFFB1FF89300B1185AAE51997265E7709916CB90

Function 024E1C10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1833931634.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_24e0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172196233cff2c6df178a7df5f44fe4b08c87e75fefd13c8d52917cf0977eb14
Instruction ID: bb9348696213c137cfbdf37663d9a80438838b1a145a643ae060987de86792ed
Opcode Fuzzy Hash: 172196233cff2c6df178a7df5f44fe4b08c87e75fefd13c8d52917cf0977eb14
Instruction Fuzzy Hash: C3014C76E002059FCB40EFB9D884CABFBB5FF89310711866AE51997224EB30A915DB90

Function 024E0880 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1833931634.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_24e0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b4e4f664bd37f63965ca442858f555c6dc6e8a6f5db70654825bdda07958c5
Instruction ID: b9e41daf942349c5e42874d362ea0bb6548c0a8e2f8f647f398289d0a35326a1
Opcode Fuzzy Hash: 61b4e4f664bd37f63965ca442858f555c6dc6e8a6f5db70654825bdda07958c5
Instruction Fuzzy Hash: B5F0F0A4D0F3806FCB1297749C120CE7FB0AE07202B0501E7C4C5E7293EA204A03C7A3

Function 024E0F9D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1833931634.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_24e0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eaa8ec59258617dcf397bdb5aab33181e9f3454f0fd7a16c1cfd309ee5fe6b2
Instruction ID: 374475c18e32d3678d9c7243e7ab571b211aa6ca7bb33415bd46f562927962dd
Opcode Fuzzy Hash: 0eaa8ec59258617dcf397bdb5aab33181e9f3454f0fd7a16c1cfd309ee5fe6b2
Instruction Fuzzy Hash: B7F01CB5980305CFEF15EB74C458BAEBBB0BB48716F250899D417AB360CBB48C84CB51

Function 024E1AE0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1833931634.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_24e0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4254518751ce0c0113c51003ae9f41fb2c2b579bb3a746435bf3d8bc7480aaac
Instruction ID: 34fd18da2445fd67b730f9644c8bd032efbcd6b554b6623f8284e0643e2954ba
Opcode Fuzzy Hash: 4254518751ce0c0113c51003ae9f41fb2c2b579bb3a746435bf3d8bc7480aaac
Instruction Fuzzy Hash: 79D012357402149FC710EB69E959A463778AB09611F5140A5E509CB264EB71DC14C7D1

Function 024E08A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1833931634.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_24e0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9284381d4f7d66d1b052eeddbb845a873de7734a417653167560538aa9eca366
Instruction ID: 3b8adb33765cc2735b5d54ae6c792b65f17d3f873af4d79b9a1a8a73c9ce92a9
Opcode Fuzzy Hash: 9284381d4f7d66d1b052eeddbb845a873de7734a417653167560538aa9eca366
Instruction Fuzzy Hash: BFD067B1D01219AF8F80EFB999091DEBBF8FE09251B104566D91AE3200E6705A10CBD1

Analysis Process: sgxIb.exePID: 7932, Parent PID: 4056COMMON

Executed Functions

Function 00BB1AE0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

8q, xrefs: 00BB1B75
xX8snCU, xrefs: 00BB1B1D, 00BB1B2F

Memory Dump Source

Source File: 00000010.00000002.1912350089.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_bb0000_sgxIb.jbxd

Similarity

API ID:
String ID: 8q$xX8snCU
API String ID: 0-3935062721
Opcode ID: 5e5e2882fbe79da18933db7ed2983c2d484e7e2a1b27da8b595ecbf9159d0c22
Instruction ID: 2a1f62e5993197ee75f6c8b3c43b59935c5dd2645856dca6a805526620ab874a
Opcode Fuzzy Hash: 5e5e2882fbe79da18933db7ed2983c2d484e7e2a1b27da8b595ecbf9159d0c22
Instruction Fuzzy Hash: ED11E131A002045FC714EB78A860BAD3BE6EF89300F5044A9D2099B2A5EE749D43CB95

Function 00BB1340 Relevance: 1.8, Strings: 1, Instructions: 523COMMON

Download Yara Rule

Strings

xX8snCU, xrefs: 00BB1968, 00BB19A3, 00BB19DB, 00BB1A22, 00BB1A64, 00BB1A9D

Memory Dump Source

Source File: 00000010.00000002.1912350089.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_bb0000_sgxIb.jbxd

Similarity

API ID:
String ID: xX8snCU
API String ID: 0-3371264010
Opcode ID: 85c168e36568dec47d6f10120485e7b9e7db07557ca4913b0d0d6130a8c2bb0c
Instruction ID: b1b9ac13088d44ab35c00317a7b19558fc589d9516ea12d42e59559280020f14
Opcode Fuzzy Hash: 85c168e36568dec47d6f10120485e7b9e7db07557ca4913b0d0d6130a8c2bb0c
Instruction Fuzzy Hash: FD221B34700601CFDB68EF28D8A0A7A77E2FB98345B608D6DC5568B399DB75EC42CB40

Function 00BB0BC0 Relevance: 1.6, Strings: 1, Instructions: 335COMMON

Download Yara Rule

Strings

xX8snCU, xrefs: 00BB0E24

Memory Dump Source

Source File: 00000010.00000002.1912350089.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_bb0000_sgxIb.jbxd

Similarity

API ID:
String ID: xX8snCU
API String ID: 0-3371264010
Opcode ID: f0372f40dfddf5b5dd2aa249ea82e8a364888252894f1399742254df6f29f307
Instruction ID: 4270592be07710785179e42f6d8e221a514c1185150690b9b173611b094549e7
Opcode Fuzzy Hash: f0372f40dfddf5b5dd2aa249ea82e8a364888252894f1399742254df6f29f307
Instruction Fuzzy Hash: DA81A235A00304CFDB25ABB4D4587BEBBF2EF88300F1585A9D4165B6A4DF75AC86CB40

Function 00BB1230 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

tPq, xrefs: 00BB12F7

Memory Dump Source

Source File: 00000010.00000002.1912350089.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_bb0000_sgxIb.jbxd

Similarity

API ID:
String ID: tPq
API String ID: 0-789928099
Opcode ID: e4a9c63c8ffd7f46c9355784fc07b00c7c8ef0b0ffed24e182943c045b0ec11f
Instruction ID: f2942296a0936965f7d1daa68f1c69d3d5d6ca5bc09234dd0978ab57a97ea68b
Opcode Fuzzy Hash: e4a9c63c8ffd7f46c9355784fc07b00c7c8ef0b0ffed24e182943c045b0ec11f
Instruction Fuzzy Hash: 9821F834B406108FC759AB38D458A2D3BE6AF8971639508B8E506CF7B5DE36DC42CB80

Function 00BB1240 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

tPq, xrefs: 00BB12F7

Memory Dump Source

Source File: 00000010.00000002.1912350089.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_bb0000_sgxIb.jbxd

Similarity

API ID:
String ID: tPq
API String ID: 0-789928099
Opcode ID: 09300745d685a0331bc8e083821aec30ac760897b663f69280eb2f02ff384d02
Instruction ID: b6fc5f39062f33851e9cf3f19cd1ce819ab9d86585060006e81e35f791f92f3e
Opcode Fuzzy Hash: 09300745d685a0331bc8e083821aec30ac760897b663f69280eb2f02ff384d02
Instruction Fuzzy Hash: BE21E635B406108FC758AB38C458E2D7BE6AF8A7163A108B8E506CF775DE36DC42CB80

Function 00BB1C00 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1912350089.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_bb0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ff58b4ba0e9051e20dcd57e51298ef7f21ab5e9eb56a1f90b71301f341ea9e
Instruction ID: a8a56ee42d655ca61ee5cf5ec997763a1d579fda5c3ba78e1786fc8169eb0ff8
Opcode Fuzzy Hash: 83ff58b4ba0e9051e20dcd57e51298ef7f21ab5e9eb56a1f90b71301f341ea9e
Instruction Fuzzy Hash: D711E136E002059FCB50EFB8D840EEAFBB1FF883007108566E515A7221EB71A906CB90

Function 00BB1C10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1912350089.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_bb0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707874d3a948c93a6a428cdaa974696ecc697b34d850406b8dc9e93919c0ca5a
Instruction ID: d48cdf7dd40fce5187656813703cd68f214555d1500ce2b636430742f1704649
Opcode Fuzzy Hash: 707874d3a948c93a6a428cdaa974696ecc697b34d850406b8dc9e93919c0ca5a
Instruction Fuzzy Hash: 1D019E36E002059FCB50EFB8D840DABFBF5FF89310710866AE51997224EB70A905CB90

Function 00BB0880 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1912350089.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_bb0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad8a7c281b0ab77f2a54aa9d783e0ed551b3a5f9f96259fbc71f5a9d39e2d2a
Instruction ID: 303ebb5bd587aee79cc740bd8163bbde91890fea000558321942b4a1b1c40923
Opcode Fuzzy Hash: 1ad8a7c281b0ab77f2a54aa9d783e0ed551b3a5f9f96259fbc71f5a9d39e2d2a
Instruction Fuzzy Hash: EBF0E260D09284EFDB02BBB45C061DD7FB4AE89300F4540E7C058F3291EA290A00C7E3

Function 00BB0F9D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1912350089.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_bb0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b258f6cafcdee7d0ff2a4876df807eb1dea92068581800800b23b5adc347ec
Instruction ID: a3b9998f670fced0f19650e61d3f31cc7f85fbcddd4c09d154dd2ec3d979202e
Opcode Fuzzy Hash: 43b258f6cafcdee7d0ff2a4876df807eb1dea92068581800800b23b5adc347ec
Instruction Fuzzy Hash: 11F01575A00305CFDB24EB78C4687BE7BF0AB48B04F250898D412AB3A0CBB48C84CB61

Function 00BB08A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1912350089.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_bb0000_sgxIb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc97e987b0c567b514cfd4cf96e61f23f41bdc5975112a4ed24ca4d678e7ea5a
Instruction ID: 4f116c1b0ecda558087c546068013d990d83dbe6d838256df3de858baea03fe1
Opcode Fuzzy Hash: cc97e987b0c567b514cfd4cf96e61f23f41bdc5975112a4ed24ca4d678e7ea5a
Instruction Fuzzy Hash: 16D067B1D01219AF8B50EFB999051EEBBF8FE09250B1145A6D919E3200E7705B108BE1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payslip_October_2024.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sgxIb.exe.log

C:\Users\user\AppData\Local\Temp\buncal

C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
Payslip_October_2024.pdf.exe

Function 06983580 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Function 06987E98 Relevance: 3.0, Strings: 2, Instructions: 477
COMMON

Function 02EDE915 Relevance: 2.9, Strings: 2, Instructions: 413
COMMON

Function 0698ADE8 Relevance: 10.4, Strings: 8, Instructions: 391
COMMON

Function 069699E1 Relevance: 6.1, APIs: 4, Instructions: 137
threadCOMMON

Function 069699F0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 06989268 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Function 0698D070 Relevance: 4.6, Strings: 3, Instructions: 801
COMMON

Function 06984C80 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Function 0698A4C3 Relevance: 2.7, Strings: 2, Instructions: 241
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre