Edit tour

Windows Analysis Report
PO#86637.exe

Overview

General Information

Sample name:	PO#86637.exe
Analysis ID:	1562332
MD5:	e4ec743be226fdc468010d7c499dcb07
SHA1:	a8974008f7da6e0dcb9941293b6cb6b535f158fe
SHA256:	75fdc92b3101bba09f964b73e7931a7b021442e130e64dcc421d155fa50806b7
Tags:	AgentTeslaexeuser-threatcat_ch
Infos:

Detection

AgentTesla, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PO#86637.exe (PID: 7628 cmdline: "C:\Users\user\Desktop\PO#86637.exe" MD5: E4EC743BE226FDC468010D7C499DCB07)

PO#86637.exe (PID: 7760 cmdline: "C:\Users\user\Desktop\PO#86637.exe" MD5: E4EC743BE226FDC468010D7C499DCB07)

PO#86637.exe (PID: 7768 cmdline: "C:\Users\user\Desktop\PO#86637.exe" MD5: E4EC743BE226FDC468010D7C499DCB07)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.showpiece.trillennium.biz", "Username": "build@showpiece.trillennium.biz", "Password": "3KJ[T.3]fsSW"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.4180525792.000000000339F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.4180525792.000000000338C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.4180525792.0000000003394000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1718149344.0000000007BD0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.4178485010.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4178485010.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.4180525792.0000000003361000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4180525792.0000000003361000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1714008295.0000000003F41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1714008295.0000000003F41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1714008295.0000000003F41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: PO#86637.exe PID: 7628	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO#86637.exe PID: 7628	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO#86637.exe PID: 7628	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PO#86637.exe PID: 7768	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO#86637.exe PID: 7768	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PO#86637.exe.7bd0000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO#86637.exe.3f5e790.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO#86637.exe.7bd0000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.PO#86637.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.PO#86637.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.PO#86637.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33563:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3367f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3375b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33881:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PO#86637.exe.41be0d0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO#86637.exe.41be0d0.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PO#86637.exe.41be0d0.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31763:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3187f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3195b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a81:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PO#86637.exe.41836b0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO#86637.exe.41836b0.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PO#86637.exe.41836b0.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31763:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3187f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3195b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a81:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PO#86637.exe.41be0d0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO#86637.exe.41be0d0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PO#86637.exe.41be0d0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PO#86637.exe.41be0d0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33563:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3367f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3375b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33881:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PO#86637.exe.41836b0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO#86637.exe.41836b0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PO#86637.exe.41836b0.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PO#86637.exe.41836b0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df11:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33563:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df83:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e00d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3367f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e09f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e109:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3375b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e17b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e211:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33881:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2a1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PO#86637.exe.3f5e790.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO#86637.exe.3f5e790.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PO#86637.exe.3f5e790.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.PO#86637.exe.3f5e790.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PO#86637.exe.3f5e790.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO#86637.exe.3f5e790.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0xd1151:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x258411:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x292e31:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xd11c3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x258483:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x292ea3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xd124d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x25850d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x292f2d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xd12df:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x25859f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x292fbf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xd1349:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x258609:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x293029:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xd13bb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x25867b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x29309b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xd1451:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x258711:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x293131:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.PO#86637.exe.3f5e790.1.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x10e89:$s1: file:/// 0x10de5:$s2: {11111-22222-10009-11112} 0x10e19:$s3: {11111-22222-50001-00000} 0xf1b3:$s4: get_Module 0xcdf79:$s5: Reverse 0x255239:$s5: Reverse 0x28fc59:$s5: Reverse 0xd08ea:$s6: BlockCopy 0x257baa:$s6: BlockCopy 0x2925ca:$s6: BlockCopy 0x2d4c12:$s6: BlockCopy 0xce1de:$s7: ReadByte 0x25549e:$s7: ReadByte 0x28febe:$s7: ReadByte 0x2d4e66:$s7: ReadByte 0x10e9b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 22 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 67.23.226.139, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\PO#86637.exe, Initiated: true, ProcessId: 7768, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.PO#86637.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.showpiece.trillennium.biz", "Username": "build@showpiece.trillennium.biz", "Password": "3KJ[T.3]fsSW"}

Multi AV Scanner detection for submitted file

Source: PO#86637.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: PO#86637.exe

Joe Sandbox ML: detected

Source: PO#86637.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: PO#86637.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: yPaI.pdbSHA256 source: PO#86637.exe
Source:	Binary string: yPaI.pdb source: PO#86637.exe

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.PO#86637.exe.41be0d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.41836b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.3f5e790.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 67.23.226.139:587

Source: Joe Sandbox View	IP Address: 67.23.226.139 67.23.226.139
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

ASN Name: DIMENOCUS DIMENOCUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 67.23.226.139:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.showpiece.trillennium.biz

Source: PO#86637.exe, 00000003.00000002.4180525792.000000000338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.showpiece.trillennium.biz
Source: PO#86637.exe, 00000003.00000002.4178894976.00000000015DF000.00000004.00000020.00020000.00000000.sdmp, PO#86637.exe, 00000003.00000002.4178894976.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, PO#86637.exe, 00000003.00000002.4180525792.0000000003394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: PO#86637.exe, 00000003.00000002.4178894976.00000000015DF000.00000004.00000020.00020000.00000000.sdmp, PO#86637.exe, 00000003.00000002.4178894976.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, PO#86637.exe, 00000003.00000002.4180525792.0000000003394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: PO#86637.exe, 00000003.00000002.4180525792.0000000003311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO#86637.exe, 00000003.00000002.4180525792.000000000338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://showpiece.trillennium.biz
Source: PO#86637.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO#86637.exe, 00000003.00000002.4178894976.00000000015DF000.00000004.00000020.00020000.00000000.sdmp, PO#86637.exe, 00000003.00000002.4180525792.0000000003394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: PO#86637.exe, 00000003.00000002.4178894976.00000000015DF000.00000004.00000020.00020000.00000000.sdmp, PO#86637.exe, 00000003.00000002.4180525792.0000000003394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: PO#86637.exe, 00000000.00000002.1714008295.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, PO#86637.exe, 00000003.00000002.4178485010.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: PO#86637.exe, 00000000.00000002.1714008295.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, PO#86637.exe, 00000003.00000002.4180525792.0000000003311000.00000004.00000800.00020000.00000000.sdmp, PO#86637.exe, 00000003.00000002.4178485010.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: PO#86637.exe, 00000003.00000002.4180525792.0000000003311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: PO#86637.exe, 00000003.00000002.4180525792.0000000003311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49732 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.PO#86637.exe.41be0d0.2.raw.unpack, SKTzxzsJw.cs	.Net Code: pT1h
Source: 0.2.PO#86637.exe.41836b0.0.raw.unpack, SKTzxzsJw.cs	.Net Code: pT1h

Installs a global keyboard hook

Source: C:\Users\user\Desktop\PO#86637.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PO#86637.exe

Jump to behavior

Source: C:\Users\user\Desktop\PO#86637.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.PO#86637.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO#86637.exe.41be0d0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO#86637.exe.41836b0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO#86637.exe.41be0d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO#86637.exe.41836b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO#86637.exe.3f5e790.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO#86637.exe.3f5e790.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PO#86637.exe

Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 0_2_0127D344	0_2_0127D344
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 0_2_075FCF50	0_2_075FCF50
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 0_2_075FEE58	0_2_075FEE58
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 0_2_075FB618	0_2_075FB618
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 0_2_075F0559	0_2_075F0559
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 0_2_075F0560	0_2_075F0560
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 0_2_075F9590	0_2_075F9590
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 0_2_075F9158	0_2_075F9158
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 0_2_075FCF40	0_2_075FCF40
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 0_2_075FAC59	0_2_075FAC59
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 0_2_075FAC68	0_2_075FAC68
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 0_2_075F99C8	0_2_075F99C8
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_0178E298	3_2_0178E298
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_0178A960	3_2_0178A960
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_01784A98	3_2_01784A98
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_01783E80	3_2_01783E80
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_017841C8	3_2_017841C8
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_01780C55	3_2_01780C55
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_07017E20	3_2_07017E20
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_07015648	3_2_07015648
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_07016698	3_2_07016698
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_07012348	3_2_07012348
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_0701C220	3_2_0701C220
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_0701B2C8	3_2_0701B2C8
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_07017740	3_2_07017740
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_07015D98	3_2_07015D98
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_0701E440	3_2_0701E440
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_07010040	3_2_07010040
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_07101985	3_2_07101985
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_07101988	3_2_07101988
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_07010007	3_2_07010007

Source: PO#86637.exe, 00000000.00000002.1713566187.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs PO#86637.exe
Source: PO#86637.exe, 00000000.00000000.1694638261.0000000000C32000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameyPaI.exe@ vs PO#86637.exe
Source: PO#86637.exe, 00000000.00000002.1713081088.000000000128E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO#86637.exe
Source: PO#86637.exe, 00000000.00000002.1717963382.0000000007930000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO#86637.exe
Source: PO#86637.exe, 00000000.00000002.1714008295.0000000003F41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs PO#86637.exe
Source: PO#86637.exe, 00000000.00000002.1714008295.0000000003F41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename00b93cc8-4625-4c9d-a44d-5996e806c5f9.exe4 vs PO#86637.exe
Source: PO#86637.exe, 00000000.00000002.1714008295.0000000003F41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO#86637.exe
Source: PO#86637.exe, 00000000.00000002.1713566187.0000000002F86000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename00b93cc8-4625-4c9d-a44d-5996e806c5f9.exe4 vs PO#86637.exe
Source: PO#86637.exe, 00000000.00000002.1718149344.0000000007BD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs PO#86637.exe
Source: PO#86637.exe, 00000003.00000002.4178631715.00000000011B9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO#86637.exe
Source: PO#86637.exe, 00000003.00000002.4178485010.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename00b93cc8-4625-4c9d-a44d-5996e806c5f9.exe4 vs PO#86637.exe
Source: PO#86637.exe	Binary or memory string: OriginalFilenameyPaI.exe@ vs PO#86637.exe

Source: PO#86637.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.PO#86637.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO#86637.exe.41be0d0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO#86637.exe.41836b0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO#86637.exe.41be0d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO#86637.exe.41836b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO#86637.exe.3f5e790.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO#86637.exe.3f5e790.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: PO#86637.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PO#86637.exe.3f5e790.1.raw.unpack, id.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO#86637.exe.7bd0000.4.raw.unpack, id.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO#86637.exe.41be0d0.2.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#86637.exe.41be0d0.2.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#86637.exe.41be0d0.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#86637.exe.41be0d0.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#86637.exe.41be0d0.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#86637.exe.41be0d0.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#86637.exe.41be0d0.2.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#86637.exe.41be0d0.2.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, euBDb2YNswoOVQLfi2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, SmxWyiK5cuNrhuX2qE.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, SmxWyiK5cuNrhuX2qE.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, SmxWyiK5cuNrhuX2qE.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/1@3/2

Source: C:\Users\user\Desktop\PO#86637.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO#86637.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\PO#86637.exe

Mutant created: NULL

Source: PO#86637.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO#86637.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\PO#86637.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO#86637.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO#86637.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO#86637.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO#86637.exe

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe"
Source: C:\Users\user\Desktop\PO#86637.exe	Process created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe"
Source: C:\Users\user\Desktop\PO#86637.exe	Process created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe"
Source: C:\Users\user\Desktop\PO#86637.exe	Process created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO#86637.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO#86637.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\PO#86637.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: PO#86637.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO#86637.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: PO#86637.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: yPaI.pdbSHA256 source: PO#86637.exe
Source:	Binary string: yPaI.pdb source: PO#86637.exe

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.PO#86637.exe.3f5e790.1.raw.unpack, id.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.PO#86637.exe.7bd0000.4.raw.unpack, id.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: PO#86637.exe, LogInGUI.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, SmxWyiK5cuNrhuX2qE.cs	.Net Code: Q3EfsJWjtm System.Reflection.Assembly.Load(byte[])

Source: PO#86637.exe

Static PE information: 0xAD94BC0E [Fri Apr 14 02:03:58 2062 UTC]

Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 0_2_0127F3F0 push esp; iretd	0_2_0127F3F1
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 0_2_075FC2EB push esp; retf	0_2_075FC2EC
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 0_2_075FCE01 push ebx; ret	0_2_075FCE02
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 0_2_075F8EAF push esp; retf	0_2_075F8EB0
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 0_2_075F8B32 pushad ; retf	0_2_075F8B36
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 0_2_075F89CD push eax; retf	0_2_075F89CE
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_01780C55 push edi; retf	3_2_01780C7A
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_071076F0 push esp; iretd	3_2_071076F9
Source: C:\Users\user\Desktop\PO#86637.exe	Code function: 3_2_07107CA4 push esp; iretd	3_2_07107CAD

Source: PO#86637.exe

Static PE information: section name: .text entropy: 7.937898498926521

Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, JIIrSaM2uqGRmljDqO.cs	High entropy of concatenated method names: 'oyAFvEB3Nw', 'BEVF2T308u', 'z5dFYiFO22', 'UFCFMc24L5', 'IykFPIkxCb', 'sbQFBdgbB5', 'OQ2FVHoRa6', 'mg0FNVrjbh', 'jfeFlhRF80', 'bTfFesGrIt'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, oalgrX5dTDWDhaiuS4.cs	High entropy of concatenated method names: 'LXgukLchg6', 'D91u4kbfgx', 'thGusSfm3q', 'd6HuvYGrkw', 'wT5ucoQxME', 'T3Ru2AHwYG', 'fvHunyck4t', 'Hn0uYhQnuX', 'R1cuMxJsYt', 's9auqx94pu'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, usliabfa546Rai6tXc.cs	High entropy of concatenated method names: 'DmhDuuBDb2', 'qswDKoOVQL', 'F2uDHqGRml', 'HDqDoOM5uO', 'IXBDP0q7xb', 'GxIDBSA163', 'X58xJoClqdaajefV3T', 't0jrWW9oclhcRLHxXS', 'gX6DDnFSbX', 'OtWDpwUvTD'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, ybPUn6X6B8dCLFWHSI.cs	High entropy of concatenated method names: 'eyOsBGNG7', 'FgpvNQQ1U', 'owR2sFCG5', 'xexnV2vVd', 'gwTMPDVCZ', 'WlVqtjgDZ', 'arOFt36BhgRNypLLq8', 'rJ68AqX9Oosy91Bl67', 'itYN5pqZE', 'nKIero2EV'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, EoboKuDfbHTCRO7u2mk.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YkJ9ly6rhW', 'yZB9eI4AQ2', 'C809mrDpwO', 'Mt799E6qt1', 'nbL9b4c3CH', 'b1d9gYw2Mq', 'KyI91DtVTg'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, EbtrE6Rnof0x3h0wyf.cs	High entropy of concatenated method names: 'THUlaxMvkL', 'iSblyDbKie', 'zMBljxUXdR', 'eqGlxdoSFG', 'cIAlrbpDav', 'Al1liaHVam', 'Kc0lwXGeyQ', 'dVnldQKMgg', 'Nkml5ecQEh', 'SUTl0sS7Yk'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, BB84MDDE3qyOpjIgw3N.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SOYeLoDFuv', 'xlNeALhhGM', 'gW3eZZrfKF', 'ryFeUIxKn6', 'K8Xe3sOUWj', 'adyeS07xud', 'y3betNT6mk'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, TIW5WBFOQZbAubrMXv.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Q0DXRqpAFY', 'Yp2XWxrwFc', 'V70XzKlxhT', 'uQjpEEbS68', 'r0BpDBFCkG', 'z5YpXBkdD1', 'X3Jpp0YkXW', 'pas2Pni8bwK3mQkrRqD'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, TWMIBqS2fFFr5Mmjdc.cs	High entropy of concatenated method names: 'ToString', 'eSjBLFtQ7b', 'bf3Byx2xXy', 'eaCBjl7tx9', 'pqaBxCdpgO', 'U9kBrXVjTu', 'x7yBiLWu37', 'UOaBwhQvqk', 'c1yBdLiMS9', 'J5yB5goXcZ'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, euBDb2YNswoOVQLfi2.cs	High entropy of concatenated method names: 'YfoGUZ0XPh', 'P7VG3ZTiuA', 'WllGSx1K8L', 'R7WGtBt0te', 'ILwGCJAvPx', 'TylG7l6DDt', 'YTVGOPr08P', 'JYFG86OuII', 'mHGGR5cusU', 'LJhGWXrlsU'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, j5SLCvGPkLFWTwnCqj.cs	High entropy of concatenated method names: 'Dispose', 'kcyDRhw1Tw', 'GUwXy4Hdvl', 'jLnjXMG1r3', 'Dx6DWcqGAZ', 'ajaDzOxrRL', 'ProcessDialogKey', 'j1MXEbtrE6', 'CofXD0x3h0', 'LyfXX18rau'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, u70UkeOoZKcyhw1TwY.cs	High entropy of concatenated method names: 'suTlP7wans', 'aWtlVjhPAl', 'upPlluWu4c', 'pEGlm5mHkf', 'qJMlbWGETJ', 'CTfl1lR1J1', 'Dispose', 'uHENJpLit9', 'exQNGZj0JH', 'yvjNFYwkGR'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, SmxWyiK5cuNrhuX2qE.cs	High entropy of concatenated method names: 'F6ephGNA9P', 'vHEpJF88LW', 'IC6pGqML8w', 'qWwpFoe4BN', 'jJ1p6V9AWR', 'XuIpQB96wX', 'tMwpuIieXs', 'l6JpKmF5jY', 'PlypI1K30a', 'bx0pH60cp1'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, U5kSdHDDTTDY7aY08kJ.cs	High entropy of concatenated method names: 'aFreWjmtwF', 'GkWezLmIvD', 'SbvmEPslQc', 'y66mD6SWYb', 'u0ImXlMhSg', 'DaDmpFT1q6', 'wg0mfZGbur', 'gNcmhUBlkF', 'EAwmJn2d4O', 'rfOmGrujYo'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, Nmy2PhZD4Lc7IeONtt.cs	High entropy of concatenated method names: 'X5gTYd2Kvg', 'dS4TMpf2OV', 'JoxTawojiV', 'xNXTyMfHUa', 'CNxTxGb6Q1', 'jVuTrjgsH3', 'hnpTwty9li', 'k5GTdlHP6K', 'KHST08VYhi', 'i1fTLKpgvx'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, VxbyxIaSA163n0L69t.cs	High entropy of concatenated method names: 's8IQhEOxxF', 'RUyQG0mTUF', 'C11Q65pKbH', 'RqZQuCyHe4', 'OFAQK1x8wH', 'r3w6Ccgn3W', 'waQ674vIus', 'KEP6OjToTM', 'zyH685VXGI', 'THr6RisNF0'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, E5uObrq2y1sgNxXB0q.cs	High entropy of concatenated method names: 'hHs6cBTF6b', 'GIQ6nKfvg1', 'Yn0FjI9mrv', 'G9iFxDVE8f', 'PVsFr6HqMC', 'tIWFiLOj9M', 'vwtFwqc2tk', 'UmhFd9yREy', 'GkeF5e2WDI', 'b1OF0uUYhl'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, TMJ94I7VuQ3LpRpiOB.cs	High entropy of concatenated method names: 'PCaV8QLBFr', 'nyDVWVUHLT', 'PfANEMLKjf', 'TQqNDgF1RW', 'FG6VLIhUsU', 'rDCVAPdNpv', 'mJdVZaCePK', 's79VUk1v8Z', 'rtGV3G0IDW', 'koGVS1mVfj'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, g0rLMLwakKyn6iF8Gh.cs	High entropy of concatenated method names: 'cE4uJVPIuN', 'JBvuF7IsoT', 'LV8uQSbDCc', 'SAhQWiA4ij', 'zNfQzEK6Jt', 'cNDuEsillC', 'a6muD6XjJt', 'uSjuXlVNep', 'mCVupwjqL9', 'l7AufXD4Fw'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, MisVwAt6iQJ4Vov36i.cs	High entropy of concatenated method names: 'n1gVHSca6F', 'JupVoiBr1T', 'ToString', 'zfaVJdLXxm', 'SFHVGmEeJC', 'UWIVFN49Th', 'jWBV6ExW91', 'D6OVQTQbYd', 'uedVuD43K7', 'jI5VKM90sC'
Source: 0.2.PO#86637.exe.7930000.3.raw.unpack, RYYQBZz3qtb6iugSQM.cs	High entropy of concatenated method names: 'XMpe2OOvZs', 'TN6eYHw78e', 'FmEeMFST2y', 'M5rea2uZxk', 'Ffaey0mxGn', 'rH0exp4xWo', 'lqferiK75W', 'svPe1Pq5Vp', 'ASNekcF53Y', 'wuKe4FLQDs'

Source: C:\Users\user\Desktop\PO#86637.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: PO#86637.exe PID: 7628, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\PO#86637.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\PO#86637.exe	Memory allocated: 1270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Memory allocated: 2F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Memory allocated: 2D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Memory allocated: 7E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Memory allocated: 8E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Memory allocated: 9000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Memory allocated: A000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Memory allocated: 1780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Memory allocated: 3310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Memory allocated: 5310000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\PO#86637.exe	Window / User API: threadDelayed 7265			Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Window / User API: threadDelayed 2586			Jump to behavior

Source: C:\Users\user\Desktop\PO#86637.exe TID: 7648	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7896	Thread sleep count: 7265 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7896	Thread sleep count: 2586 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -98765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -98656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -98547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -98432s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -98219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -98109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -98000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -97891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -97766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -97641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -97531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -97422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -97312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -97203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -97094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -96984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -96875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -96759s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -96641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -96516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -96406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -96297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -96187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -96078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -95926s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -95797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -95687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -95578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -95469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -95359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -95250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -95141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -95031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -94922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -94812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -94703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -94594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7892	Thread sleep time: -94484s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\PO#86637.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\PO#86637.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO#86637.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 98765	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 98547	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 98432	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 98000	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 97891	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 97766	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 97641	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 97531	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 97422	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 97312	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 97203	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 97094	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 96984	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 96875	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 96759	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 96641	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 96516	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 96406	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 96297	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 96187	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 96078	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 95926	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 95797	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 95687	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 95578	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 95469	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 95359	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 95250	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 95141	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 95031	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 94922	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 94812	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 94703	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 94594	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Thread delayed: delay time: 94484	Jump to behavior

Source: PO#86637.exe, 00000003.00000002.4178894976.00000000015DF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PO#86637.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO#86637.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PO#86637.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PO#86637.exe

Memory written: C:\Users\user\Desktop\PO#86637.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\PO#86637.exe	Process created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe"			Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Process created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe"			Jump to behavior

Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Users\user\Desktop\PO#86637.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Users\user\Desktop\PO#86637.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO#86637.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 3.2.PO#86637.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.41be0d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.41836b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.41be0d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.41836b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.3f5e790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4180525792.000000000339F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4180525792.000000000338C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4180525792.0000000003394000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4178485010.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4180525792.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1714008295.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO#86637.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO#86637.exe PID: 7768, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.PO#86637.exe.7bd0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.3f5e790.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.7bd0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.3f5e790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1718149344.0000000007BD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1714008295.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 0.2.PO#86637.exe.3f5e790.1.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\PO#86637.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\PO#86637.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\PO#86637.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\PO#86637.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 3.2.PO#86637.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.41be0d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.41836b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.41be0d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.41836b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.3f5e790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4178485010.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4180525792.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1714008295.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO#86637.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO#86637.exe PID: 7768, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 3.2.PO#86637.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.41be0d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.41836b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.41be0d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.41836b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.3f5e790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4180525792.000000000339F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4180525792.000000000338C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4180525792.0000000003394000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4178485010.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4180525792.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1714008295.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO#86637.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO#86637.exe PID: 7768, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.PO#86637.exe.7bd0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.3f5e790.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.7bd0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#86637.exe.3f5e790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1718149344.0000000007BD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1714008295.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 0.2.PO#86637.exe.3f5e790.1.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	111 Security Software Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO#86637.exe	39%	ReversingLabs	Win32.Trojan.AgentTesla
PO#86637.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://mail.showpiece.trillennium.biz	0%	Avira URL Cloud	safe
http://showpiece.trillennium.biz	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.ipify.org	104.26.13.205	true	false	high
showpiece.trillennium.biz	67.23.226.139	true	true	unknown
mail.showpiece.trillennium.biz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	PO#86637.exe, 00000000.00000002.1714008295.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, PO#86637.exe, 00000003.00000002.4178485010.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://r11.o.lencr.org0#	PO#86637.exe, 00000003.00000002.4178894976.00000000015DF000.00000004.00000020.00020000.00000000.sdmp, PO#86637.exe, 00000003.00000002.4178894976.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, PO#86637.exe, 00000003.00000002.4180525792.0000000003394000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.showpiece.trillennium.biz	PO#86637.exe, 00000003.00000002.4180525792.000000000338C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/DataSet1.xsd	PO#86637.exe	false		high
http://www.tiro.com	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	PO#86637.exe, 00000003.00000002.4180525792.0000000003311000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r11.i.lencr.org/0	PO#86637.exe, 00000003.00000002.4178894976.00000000015DF000.00000004.00000020.00020000.00000000.sdmp, PO#86637.exe, 00000003.00000002.4178894976.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, PO#86637.exe, 00000003.00000002.4180525792.0000000003394000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://showpiece.trillennium.biz	PO#86637.exe, 00000003.00000002.4180525792.000000000338C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org	PO#86637.exe, 00000000.00000002.1714008295.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, PO#86637.exe, 00000003.00000002.4180525792.0000000003311000.00000004.00000800.00020000.00000000.sdmp, PO#86637.exe, 00000003.00000002.4178485010.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	PO#86637.exe, 00000003.00000002.4178894976.00000000015DF000.00000004.00000020.00020000.00000000.sdmp, PO#86637.exe, 00000003.00000002.4180525792.0000000003394000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	PO#86637.exe, 00000003.00000002.4178894976.00000000015DF000.00000004.00000020.00020000.00000000.sdmp, PO#86637.exe, 00000003.00000002.4180525792.0000000003394000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO#86637.exe, 00000003.00000002.4180525792.0000000003311000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	PO#86637.exe, 00000000.00000002.1717037287.00000000070F2000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
67.23.226.139	showpiece.trillennium.biz	United States		33182	DIMENOCUS	true
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562332
Start date and time:	2024-11-25 14:05:30 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO#86637.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/1@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 85 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: PO#86637.exe

Simulations

Behavior and APIs

Time	Type	Description
08:06:24	API Interceptor	10786357x Sleep call for process: PO#86637.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
67.23.226.139	Quotation.exe	Get hash	malicious	AgentTesla	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	3Pd480eWHA.exe	Get hash	malicious	AgentTesla	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	COTIZACION.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Quotation.exe	Get hash	malicious	AgentTesla	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Revised PI 28 08 2024.exe	Get hash	malicious	AgentTesla	Browse
	PI 22_8_2024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
104.26.13.205	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	DATASHEET.pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://linktr.ee/priyanka662	Get hash	malicious	Gabagool	Browse	172.67.74.152
	mDHwap5GlV.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.74.152
	zapret.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	313e4225be01a2f968dd52e4e8c0b9fd08c906289779b.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	unturnedHack.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	https://sendbot.me/seuemprestimogarantido	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://sendbot.me/seuemprestimogarantido	Get hash	malicious	Unknown	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	0Xp3q1l7De.exe	Get hash	malicious	Remcos	Browse	172.64.41.3
	DO-COSU6387686280.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	104.21.24.198
	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	packing list G25469.exe	Get hash	malicious	FormBook	Browse	104.21.49.253
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PO_203-25.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.67.200.96
	F7Xu8bRnXT.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	https://go.jrwcap.com/e/955053/230645595232154/6xyvj/710994189/h/-dwcgo8Jrn520ILsDDgocWZSKLzmmTijUb6c_giV2KA	Get hash	malicious	Phisher	Browse	104.22.72.81
DIMENOCUS	Quotation.exe	Get hash	malicious	AgentTesla	Browse	67.23.226.139
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	67.23.226.139
	hiss.mpsl.elf	Get hash	malicious	Unknown	Browse	198.136.58.114
	Updated Document-9875488675.pdf	Get hash	malicious	Captcha Phish	Browse	67.23.254.53
	3Pd480eWHA.exe	Get hash	malicious	AgentTesla	Browse	67.23.226.139
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	67.23.226.139
	COTIZACION.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	67.23.226.139
	Quotation.exe	Get hash	malicious	AgentTesla	Browse	67.23.226.139
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	67.23.226.139
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	67.23.226.139

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.26.13.205
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	WNIOSEK BUD#U017bETOWY 25-11-2024#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.26.13.205
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	https://www.e-serviceparts.info/landingpages/cce21bb4-48dd-49da-9e48-d89a21f56454/RtynoRElk6VQIiohoauuXaUdv9Gb4EPJBf3UQg9_Um4	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	lcc333.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	lcc333.exe	Get hash	malicious	Unknown	Browse	104.26.13.205

Process:	C:\Users\user\Desktop\PO#86637.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.929624942832564
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PO#86637.exe
File size:	719'360 bytes
MD5:	e4ec743be226fdc468010d7c499dcb07
SHA1:	a8974008f7da6e0dcb9941293b6cb6b535f158fe
SHA256:	75fdc92b3101bba09f964b73e7931a7b021442e130e64dcc421d155fa50806b7
SHA512:	928a79100e43c7867fd16692f0d1d74b3bd60e3de6567f321809e091a549ae09bc32ae01d5bc47b9bf7c9c6105aceecdbf06e802d1d4a53173c9bac1ccb03869
SSDEEP:	12288:GnB7x3RbeXi6ZwNS9prLXyn9Mo7obw3YTpydLsF3h4Tnkkslp6RiOrKFHYiTz:GB7x35eX59rSSoT3YcehJkkwRiO+eiT
TLSH:	B1E4229033259F2AD6FE0BFA2D58D24407F2926B6172D3084FD77AD71A63B024E21B17
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............6.... ... ....@.. .......................`............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4b0d36
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xAD94BC0E [Fri Apr 14 02:03:58 2062 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb0ce2	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x628	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xae290	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaed3c	0xaee00	8d478145e563844c0a7459ae76ebb2b7	False	0.9477026000714797	data	7.937898498926521	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x628	0x800	9ee1dec87f2d49157321b4d8990436d4	False	0.33740234375	data	3.457187407306103	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb4000	0xc	0x200	cd0efd4c81422a0fe571539ee7a1170d	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb2090	0x398	OpenPGP Public Key			0.4206521739130435
RT_MANIFEST	0xb2438	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 14:06:26.006258965 CET	49732	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:06:26.006299019 CET	443	49732	104.26.13.205	192.168.2.4
Nov 25, 2024 14:06:26.006403923 CET	49732	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:06:26.013926983 CET	49732	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:06:26.013946056 CET	443	49732	104.26.13.205	192.168.2.4
Nov 25, 2024 14:06:27.277591944 CET	443	49732	104.26.13.205	192.168.2.4
Nov 25, 2024 14:06:27.277755022 CET	49732	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:06:27.282483101 CET	49732	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:06:27.282497883 CET	443	49732	104.26.13.205	192.168.2.4
Nov 25, 2024 14:06:27.282722950 CET	443	49732	104.26.13.205	192.168.2.4
Nov 25, 2024 14:06:27.336900949 CET	49732	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:06:27.342212915 CET	49732	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:06:27.387348890 CET	443	49732	104.26.13.205	192.168.2.4
Nov 25, 2024 14:06:27.733427048 CET	443	49732	104.26.13.205	192.168.2.4
Nov 25, 2024 14:06:27.733638048 CET	443	49732	104.26.13.205	192.168.2.4
Nov 25, 2024 14:06:27.733804941 CET	49732	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:06:27.740875959 CET	49732	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:06:29.530159950 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:29.650815010 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:29.650908947 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:30.852713108 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:30.853075027 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:30.973169088 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:31.203322887 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:31.207925081 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:31.420226097 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:31.652548075 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:31.652955055 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:31.774257898 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:32.027574062 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:32.027640104 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:32.027697086 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:32.028615952 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:32.028774023 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:32.028817892 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:32.228945971 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:32.274533033 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:32.331538916 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:32.451595068 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:32.683530092 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:32.686600924 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:32.806839943 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:33.039549112 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:33.059792042 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:33.180695057 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:33.410150051 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:33.410542965 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:33.530611038 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:33.774535894 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:33.776962042 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:33.906107903 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:34.131999016 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:34.132236004 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:34.252423048 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:34.542417049 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:34.542728901 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:34.668773890 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:34.902678967 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:34.905056953 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:34.908483982 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:34.908520937 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:34.908545017 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:06:35.025226116 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:35.028588057 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:35.028629065 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:35.028642893 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:35.302814960 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:06:35.352641106 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:08:08.275937080 CET	49735	587	192.168.2.4	67.23.226.139
Nov 25, 2024 14:08:08.396054029 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:08:08.657186031 CET	587	49735	67.23.226.139	192.168.2.4
Nov 25, 2024 14:08:08.664032936 CET	49735	587	192.168.2.4	67.23.226.139

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 14:06:25.861022949 CET	55199	53	192.168.2.4	1.1.1.1
Nov 25, 2024 14:06:26.000085115 CET	53	55199	1.1.1.1	192.168.2.4
Nov 25, 2024 14:06:28.243339062 CET	56440	53	192.168.2.4	1.1.1.1
Nov 25, 2024 14:06:29.243290901 CET	56440	53	192.168.2.4	1.1.1.1
Nov 25, 2024 14:06:29.528789043 CET	53	56440	1.1.1.1	192.168.2.4
Nov 25, 2024 14:06:29.528812885 CET	53	56440	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 14:06:25.861022949 CET	192.168.2.4	1.1.1.1	0x8972	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 14:06:28.243339062 CET	192.168.2.4	1.1.1.1	0xe05a	Standard query (0)	mail.showpiece.trillennium.biz	A (IP address)	IN (0x0001)	false
Nov 25, 2024 14:06:29.243290901 CET	192.168.2.4	1.1.1.1	0xe05a	Standard query (0)	mail.showpiece.trillennium.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 14:06:26.000085115 CET	1.1.1.1	192.168.2.4	0x8972	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 25, 2024 14:06:26.000085115 CET	1.1.1.1	192.168.2.4	0x8972	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 25, 2024 14:06:26.000085115 CET	1.1.1.1	192.168.2.4	0x8972	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 25, 2024 14:06:29.528789043 CET	1.1.1.1	192.168.2.4	0xe05a	No error (0)	mail.showpiece.trillennium.biz	showpiece.trillennium.biz		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 14:06:29.528789043 CET	1.1.1.1	192.168.2.4	0xe05a	No error (0)	showpiece.trillennium.biz		67.23.226.139	A (IP address)	IN (0x0001)	false
Nov 25, 2024 14:06:29.528812885 CET	1.1.1.1	192.168.2.4	0xe05a	No error (0)	mail.showpiece.trillennium.biz	showpiece.trillennium.biz		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 14:06:29.528812885 CET	1.1.1.1	192.168.2.4	0xe05a	No error (0)	showpiece.trillennium.biz		67.23.226.139	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	104.26.13.205	443	7768	C:\Users\user\Desktop\PO#86637.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 13:06:27 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-25 13:06:27 UTC	399	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 13:06:27 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e81db2a2f04c327-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2805&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1864623&cwnd=189&unsent_bytes=0&cid=7325912dee1fcb1e&ts=465&x=0"
2024-11-25 13:06:27 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 25, 2024 14:06:30.852713108 CET	587	49735	67.23.226.139	192.168.2.4	220-super.nseasy.com ESMTP Exim 4.96.2 #2 Mon, 25 Nov 2024 08:06:30 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 25, 2024 14:06:30.853075027 CET	49735	587	192.168.2.4	67.23.226.139	EHLO 210979
Nov 25, 2024 14:06:31.203322887 CET	587	49735	67.23.226.139	192.168.2.4	250-super.nseasy.com Hello 210979 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 25, 2024 14:06:31.207925081 CET	49735	587	192.168.2.4	67.23.226.139	STARTTLS
Nov 25, 2024 14:06:31.652548075 CET	587	49735	67.23.226.139	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	08:06:22
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\PO#86637.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO#86637.exe"
Imagebase:	0xb80000
File size:	719'360 bytes
MD5 hash:	E4EC743BE226FDC468010D7C499DCB07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1718149344.0000000007BD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1714008295.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1714008295.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1714008295.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:06:24
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\PO#86637.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PO#86637.exe"
Imagebase:	0x230000
File size:	719'360 bytes
MD5 hash:	E4EC743BE226FDC468010D7C499DCB07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:06:24
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\PO#86637.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO#86637.exe"
Imagebase:	0xf70000
File size:	719'360 bytes
MD5 hash:	E4EC743BE226FDC468010D7C499DCB07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4180525792.000000000339F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4180525792.000000000338C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4180525792.0000000003394000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4178485010.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4178485010.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4180525792.0000000003361000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4180525792.0000000003361000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.7%
Total number of Nodes:	191
Total number of Limit Nodes:	14

Executed Functions

Function 075FEE58 Relevance: 1.9, Strings: 1, Instructions: 642
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 075FF2D6

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 2b18c4506309224a9d5da495d3922515e77580fcc84a76993d32430ffc22b155
Instruction ID: 6c3df18dc08a0761f198f36a3cae349c9359848355576a63daee16f6d2efbb30
Opcode Fuzzy Hash: 2b18c4506309224a9d5da495d3922515e77580fcc84a76993d32430ffc22b155
Instruction Fuzzy Hash: 1632BDB0B012059FDB18DF68D554BAEBBF6BF89300F24446AE6069B7A4CB35ED01CB51

Function 075FCF50 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811b3cd4322fe400de5e16a575ea376c80da22d0f88b0d54201d6840506de182
Instruction ID: 36411854eb6e1a9fc68c86f2726bb85b1f01eb8eeb631ec1a27d9a2253bdb995
Opcode Fuzzy Hash: 811b3cd4322fe400de5e16a575ea376c80da22d0f88b0d54201d6840506de182
Instruction Fuzzy Hash: 9B71F6B1E04329CBEB24CF66C8507E9B7B6BF8A300F1095AAD50DA6240EB745AC5CF40

Function 075FBD97 Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 075FBFCE

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8c2d74fc1e6337ef50e1e1b01c870a9048189f00d85482c114f84a8a3d9b5871
Instruction ID: eaf886ddeb984be41c60799a6361084ef3296fc891e39fdc1d0909e3e8c41905
Opcode Fuzzy Hash: 8c2d74fc1e6337ef50e1e1b01c870a9048189f00d85482c114f84a8a3d9b5871
Instruction Fuzzy Hash: 8A9160B1D0021ADFDB14CF68CC41BEDBBB6BF44314F1485AAD909A7290DB749985CF92

Function 075FBD98 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 075FBFCE

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e9b6188fd7fb753b8f163e0a61de8b09307074841214695ba451e95ddd21ddcd
Instruction ID: 629eb33afa48bc9907d2e415ef2a5c2b3f721653ad701b0cfac32f98b2455a49
Opcode Fuzzy Hash: e9b6188fd7fb753b8f163e0a61de8b09307074841214695ba451e95ddd21ddcd
Instruction Fuzzy Hash: E59160B1D0021ADFDB14CF68CC41BEDBBB6BF44314F1485AAD909A7290DB749985CF92

Function 0127AD88 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0127AFDE

Memory Dump Source

Source File: 00000000.00000002.1713056266.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1270000_PO#86637.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 432cb87b304647bfc4a0b3eb02cfa7f48b124eb47539fe51fb6f8794e1d4d875
Instruction ID: 39c52baee471d98d570b6b943507c8781b066b636913123ff7915d60434debd4
Opcode Fuzzy Hash: 432cb87b304647bfc4a0b3eb02cfa7f48b124eb47539fe51fb6f8794e1d4d875
Instruction Fuzzy Hash: 96713470A10B068FD725DF29D0557ABBBF1BF88310F048A2DD58AD7A50DB74E849CB91

Function 012744B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012759C9

Memory Dump Source

Source File: 00000000.00000002.1713056266.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1270000_PO#86637.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e5879ce147d2975f0c81310937cfaee60ba474dd63e02cb6e9412e8876b50992
Instruction ID: abc1e719c8bfb53d32d47f2243d25f74cd00992f7aa320a36b656b10b16c772a
Opcode Fuzzy Hash: e5879ce147d2975f0c81310937cfaee60ba474dd63e02cb6e9412e8876b50992
Instruction Fuzzy Hash: DD41FFB0C00719CBDB24DFA9C884BDEFBB5BF49304F20846AD408AB255DB75694ACF90

Function 0127590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012759C9

Memory Dump Source

Source File: 00000000.00000002.1713056266.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1270000_PO#86637.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 680797b78b898ff4c1365bee633eaa1baf7cc7454f76d916052fe753eff3f497
Instruction ID: c10025fd9a783a17899d2c2b7f28d54173ea77fac03bc081d5f438e630f7e8e6
Opcode Fuzzy Hash: 680797b78b898ff4c1365bee633eaa1baf7cc7454f76d916052fe753eff3f497
Instruction Fuzzy Hash: B841FFB1C00719CEDB24DFA9C884BDEBBB5BF49304F24846AD408AB255DB75694ACF90

Function 075FBB08 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075FBBA0

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9050b22b4cea3739a7d10bb87088c660986045a48cf158ba0f05acd4e5583fb1
Instruction ID: 743f49c25df84dc8bc3592b9f2bb1431be251718792cac8859857ed2e8b7d864
Opcode Fuzzy Hash: 9050b22b4cea3739a7d10bb87088c660986045a48cf158ba0f05acd4e5583fb1
Instruction Fuzzy Hash: 6E217CB5900359DFCB10CFA9C881BDEBBF4FF48320F10842AE958A7250C7749940CB64

Function 075FBB10 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075FBBA0

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 10d73d0fb2469c0054e70be7b7259c52c0c756029e3d893a685f79cabbbdecb7
Instruction ID: 5daf28c722e03a4145338af5b79bb6e7d210e56e7c4e3bbe424c0d3d2aadf9ad
Opcode Fuzzy Hash: 10d73d0fb2469c0054e70be7b7259c52c0c756029e3d893a685f79cabbbdecb7
Instruction Fuzzy Hash: EF2127B1900359DFCB10DFAAC885BDEBBF5FF48310F10842AE959A7250C7789954CBA4

Function 075FBBF8 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075FBC80

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 887ebcb4c7f07007a29224e53c1edab6c4a35948eba3f7deeb545234f087f858
Instruction ID: f071cfdd3a4090a535f14433aba619dcb9b4e2cdc27dfad0578d845027530aee
Opcode Fuzzy Hash: 887ebcb4c7f07007a29224e53c1edab6c4a35948eba3f7deeb545234f087f858
Instruction Fuzzy Hash: A62128B18003599FDB10DFA9D881AEEFBF5FF48310F10842AE558A7251D7349944CBA5

Function 075FB538 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075FB5BE

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a2d7c2a3971d32b2600dbee3f3826ff593c876383bad68732311055cd367d3d9
Instruction ID: c989bbb68b45632f1fed3b0c48ad287429637ae4883641e958ae1a1a39907708
Opcode Fuzzy Hash: a2d7c2a3971d32b2600dbee3f3826ff593c876383bad68732311055cd367d3d9
Instruction Fuzzy Hash: E52159B1900209CFDB10DFAAC4857EEBBF4FF48324F10842AD559A7240DB789985CFA5

Function 0127B770 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0127D626,?,?,?,?,?), ref: 0127D6E7

Memory Dump Source

Source File: 00000000.00000002.1713056266.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1270000_PO#86637.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 073ff1cad96f606be4b2298436eed377edc8b1311f6532cebaa00e270ed46868
Instruction ID: 309b3b2316c8cee9413118914b6b644b7eabb0e4927d1d284be3d07f51d03a5c
Opcode Fuzzy Hash: 073ff1cad96f606be4b2298436eed377edc8b1311f6532cebaa00e270ed46868
Instruction Fuzzy Hash: 7821E5B590024DDFDB10CFAAD584ADEBBF4EF48310F14841AE918A7311D374A950CFA5

Function 0127D658 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0127D626,?,?,?,?,?), ref: 0127D6E7

Memory Dump Source

Source File: 00000000.00000002.1713056266.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1270000_PO#86637.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 79b0d424b2969f34212e8273ab722d5a093fa8a88bbde4bea9a1f4d7f917387e
Instruction ID: d53efc0fbba10b7cffec3e679f7d3a93e61357be506c648fd343d32418965b0e
Opcode Fuzzy Hash: 79b0d424b2969f34212e8273ab722d5a093fa8a88bbde4bea9a1f4d7f917387e
Instruction Fuzzy Hash: E221E3B5900219DFDB10CFAAD985ADEBBF4FF48310F14841AE958A7310D374A940CFA5

Function 075FB540 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075FB5BE

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 39f21944d85c5dc0311935f4cd1957aa0ed3a52667ac43af2cacd975396253ea
Instruction ID: 05bbaa08a70bf8fb341b6459d4bbe5bfe441a5d7f65c24011ff50cccfff5868e
Opcode Fuzzy Hash: 39f21944d85c5dc0311935f4cd1957aa0ed3a52667ac43af2cacd975396253ea
Instruction Fuzzy Hash: E42118B1900209CFDB10DFAAC4857EEBBF5EF48324F14842AD559A7240DB78A945CFA5

Function 075FBC00 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075FBC80

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b30e4f822a8f36f950e515b572dc2f09640b6a90322944c1981618a842eb83f4
Instruction ID: 9d1223b7300de349de80fb047af917472e04487da458aab516ad1729dd8de072
Opcode Fuzzy Hash: b30e4f822a8f36f950e515b572dc2f09640b6a90322944c1981618a842eb83f4
Instruction Fuzzy Hash: 7F2116B1800259DFDB10DFAAC885AEEBBF5FF48310F10842AE558A7250C7349944CBA5

Function 075FBA49 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075FBABE

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 02c5c162ba76fd26015cfd24d2d94dc12df6e83be082eb7b93f05ba078eeda69
Instruction ID: 47cba94aab395d25a24972989ed5dac8120d45c5676e1920a2647965fbe6a1bd
Opcode Fuzzy Hash: 02c5c162ba76fd26015cfd24d2d94dc12df6e83be082eb7b93f05ba078eeda69
Instruction Fuzzy Hash: 64115CB1900249DFCB10DFA9C8456DEBBF5FF48314F14841AE555A7250C7359554CFA4

Function 075FB489 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 075FB4F2

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 964c1ed8101cd925f06fdedcd3131414846cc3f7c66a702f689b4d3ec5b185fc
Instruction ID: 184951ed18a0dfd0d98aeb6c17e841c648f159be6ec59dc033821743385bf79e
Opcode Fuzzy Hash: 964c1ed8101cd925f06fdedcd3131414846cc3f7c66a702f689b4d3ec5b185fc
Instruction Fuzzy Hash: 71115BB1900359CBDB10DFAAC4457EEFBF4EF88324F20882AD519A7240C734A944CFA5

Function 075FBA50 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075FBABE

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 59dd58a2de63225e58adc847de1bc3f1e7ca2e6de33a1bace12af250ff051458
Instruction ID: d652e69ef90b10dc0e007a13361b27c919219922ab18db15524be3211748a08d
Opcode Fuzzy Hash: 59dd58a2de63225e58adc847de1bc3f1e7ca2e6de33a1bace12af250ff051458
Instruction Fuzzy Hash: B11156B1800249DFCB10DFAAC844ADEBBF5EF88320F14881AE559A7250CB35A950CFA0

Function 075FB490 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 075FB4F2

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 560f57aa90a24db39f77975b3b4535a5dbd2dbd0264c9d3f9cd2962dcf47be53
Instruction ID: 76dc009c16b1dcc70c72301851e776fe3afb975cb3b4f01c4efaac7b36a95107
Opcode Fuzzy Hash: 560f57aa90a24db39f77975b3b4535a5dbd2dbd0264c9d3f9cd2962dcf47be53
Instruction Fuzzy Hash: 821128B1900249CBDB10DFAAC4457DEFBF5AB88324F20841AD559A7250CA75A944CFA5

Function 075FE199 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 075FE1FD

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d61c02a30fc4618d792381b7f5ae9cc3c8a7e2b8189fdd38d1bd1e0edf2b6899
Instruction ID: 430d51c03167abfb2a9df54a2e7698fc1b84dce256213f3c38aa2701012ad8a3
Opcode Fuzzy Hash: d61c02a30fc4618d792381b7f5ae9cc3c8a7e2b8189fdd38d1bd1e0edf2b6899
Instruction Fuzzy Hash: 1E11E0B5800259DFDB10DF9AD885BDEBBF8FB48320F20841AE558A7210D375A984CFA5

Function 075F8718 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 075FE1FD

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5782a220bbe0c86e8145c56eb0e8dcb527fda1c11f278cd8502018b8611b0d14
Instruction ID: c94c9910a7e43b4a3d302011e69d7b666e11f08eae4a5e03eb3ca55ba773179f
Opcode Fuzzy Hash: 5782a220bbe0c86e8145c56eb0e8dcb527fda1c11f278cd8502018b8611b0d14
Instruction Fuzzy Hash: A31106B5800349DFDB10DF9AD885BDEBBF8FB48320F10845AE558A7211C375A944CFA5

Function 0127AF78 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0127AFDE

Memory Dump Source

Source File: 00000000.00000002.1713056266.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1270000_PO#86637.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b14d735004896331d6d42641d3f64c2ed2c532b1a8919e378d6184f00fd65acf
Instruction ID: 5e6a9ac709819fa8f4cd395c40626b30c2bbaca88e253679b23ce38d5e61f349
Opcode Fuzzy Hash: b14d735004896331d6d42641d3f64c2ed2c532b1a8919e378d6184f00fd65acf
Instruction Fuzzy Hash: BA1110B5C00249CFDB10CF9AC444ADFFBF4AF88324F14842AD528A7250C379A545CFA1

Function 0120D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712808359.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120d000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0943751ad644b9da37a256daa475a693b0ea602c41b4aa229d9f6aa6d586700
Instruction ID: b980e69f3b4c1a36cdcef78f8a572ff359f4f21b7d6c2eb04e975f8396537f98
Opcode Fuzzy Hash: e0943751ad644b9da37a256daa475a693b0ea602c41b4aa229d9f6aa6d586700
Instruction Fuzzy Hash: 3F214875110208DFDB02DF88C9C0B66BF65FB84324F20C269E9090B297C336E446CAA2

Function 0121D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712850949.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_121d000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0081623674a17cdb93c9659be105f9b045a7e3c040ca24df9e45edde05f86f
Instruction ID: 3cda947aed1426244f47456b58a91ed72638200f0c6f10924145742b4d21c5b2
Opcode Fuzzy Hash: ac0081623674a17cdb93c9659be105f9b045a7e3c040ca24df9e45edde05f86f
Instruction Fuzzy Hash: 0A214671514208EFDB01DF98C9C8B66BBE5FB94324F20C66DE9094B25BC37AD846CA61

Function 0121D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712850949.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_121d000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272fbeb0be557f59c306564c103786d1567d467a8b70a5ea9924e7b2e015086e
Instruction ID: 1fc3924d0bb3ea5fdc564f9048f46c52451b84ea6a5172852d71a23c347da1e6
Opcode Fuzzy Hash: 272fbeb0be557f59c306564c103786d1567d467a8b70a5ea9924e7b2e015086e
Instruction Fuzzy Hash: 14219470214208DFCB10DF68C9C8B26BFA1FB94314F20C56DD90A0B24AC33BD407CA61

Function 0120D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712808359.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120d000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: e4c79af271f00b2dcf2c5b83b351b7910ee6248dba91465a23f95a65e2d7072f
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 0C110376404284CFDB02CF84D5C4B56BF71FB94324F24C2A9D9090B657C33AE45ACBA1

Function 0121D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712850949.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_121d000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 4fb174348dd7212570402b79bee1c7f223d6f5ad9e3a25dda235edda0ae439fa
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4B11DD75504284CFDB12CF58D5C8B16FFA2FB84314F24C6AAD9094B65AC33BD44ACBA2

Function 0121D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712850949.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_121d000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 935bf6f838d1770da38d357dca678a9ccf6a9b6c8d7ec24dcaaba29ec5a56eea
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: DC11BB75504284DFDB02CF58C5C8B55BFA1FB94224F24C6AAD9494B69BC33AD40ACB61

Function 0120D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712808359.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120d000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3376f807ece48c76e4ff43500ae50e939a700bdf152eab5871e50a520a4fc28
Instruction ID: 68c034bdfee74d7e8b3ac1bd661b7797692d69a259e1a578b34be5eeddefe5ca
Opcode Fuzzy Hash: e3376f807ece48c76e4ff43500ae50e939a700bdf152eab5871e50a520a4fc28
Instruction Fuzzy Hash: 770120310153849AE7164AE9CDC4767FFE8DF41320F18C619EE084A2D7C379D840CA71

Function 0120D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712808359.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120d000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1d6d2e920c5ee5fe78e90ee2f6ce7a32bf6e39a54e0719d470de5d7cd41a91
Instruction ID: 6b75df933c989db4287d1355c369955d0d501db24bd2c5443efd1214a40a21c0
Opcode Fuzzy Hash: bc1d6d2e920c5ee5fe78e90ee2f6ce7a32bf6e39a54e0719d470de5d7cd41a91
Instruction Fuzzy Hash: 64F0C2710053849EE7158A5ACCC4B62FFA8EF40734F18C55AEE080E297C2799844CAB0

Non-executed Functions

Function 075FB618 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d4e49940165ad992f111c4fd2b9e198c2357a5ee90cd31408ae7d9cbf6e0519
Instruction ID: 6f75014962e7f253639f11b5d75374df1964c14cb9374e1cbd9e9562e7c396d7
Opcode Fuzzy Hash: 9d4e49940165ad992f111c4fd2b9e198c2357a5ee90cd31408ae7d9cbf6e0519
Instruction Fuzzy Hash: 03E1F8B4E10119CFCB14DFA9C5809AEFBB2BF89304F24C16AE514AB356DB31A945CF61

Function 075F9590 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef0595e243a17d2e3e01422308f75542ab4c9058842740a1dcea9b870220fe9
Instruction ID: 36d21fe366655134b0f7c9cceb3f06d811a93162cf288020e1f6e5597b631cf1
Opcode Fuzzy Hash: 4ef0595e243a17d2e3e01422308f75542ab4c9058842740a1dcea9b870220fe9
Instruction Fuzzy Hash: 7FE11AB4E106198FCB14DFA9C580AAEFBB2FF89304F24C16AD514AB356D730A945CF61

Function 075F9158 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb5f5e0240ba3fc2d426064478dec9e133db41df3ae85512bb78143f9bbd2269
Instruction ID: 7755d863759c50ef4ce211f81d556a3aee8286aa02ddb113e2355c53e80bb813
Opcode Fuzzy Hash: fb5f5e0240ba3fc2d426064478dec9e133db41df3ae85512bb78143f9bbd2269
Instruction Fuzzy Hash: 59E11AB4E005198FCB14DFA9C580AAEFBB2FF89304F24C16AD518AB356D731A945CF61

Function 075FAC68 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d907c87e1444646d66a684f571d79bff15ee867b2856b32a5c13312e1f16df
Instruction ID: 0d44550a9e020f1a8c4c4b0aed97e25c75e1cebfea3d845a61c03a980a1e4d90
Opcode Fuzzy Hash: f3d907c87e1444646d66a684f571d79bff15ee867b2856b32a5c13312e1f16df
Instruction Fuzzy Hash: BDE10BB4E101198FCB14DFA9C5809AEFBB2FF89304F24C15AD518AB356D731A945CF61

Function 075F99C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb2376d77e7a72768db55e1bdbd13215afdb1056cd488e8a4f4734d1554d9244
Instruction ID: 5caa7f33775255a7dffe30fb5936264e74ca8c820b7af8a6b9b67df46d570c34
Opcode Fuzzy Hash: bb2376d77e7a72768db55e1bdbd13215afdb1056cd488e8a4f4734d1554d9244
Instruction Fuzzy Hash: FEE10AB4E105198FCB14DFA9C580AAEFBB2BF89304F24C16AD514AB35AD730AD45CF60

Function 075F0559 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a77a051af53951bba9fd8e36f7b0b798dac83ac468841f864a662035296d4cf2
Instruction ID: b60543e4ce80a76ab9175c846556fc6e89d4511a40a848c419ec488c9947a2d4
Opcode Fuzzy Hash: a77a051af53951bba9fd8e36f7b0b798dac83ac468841f864a662035296d4cf2
Instruction Fuzzy Hash: B2D1173592065A8ECB11EBB4D950A9EF771FFA9300F10C79AD00937615EB70AAC9CF91

Function 075F0560 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec012f94e32214f6b8adb63d4ca76628ef8240bc61241f1e3373f77abc748c1
Instruction ID: fbf682fe01fc5872cb18ea0f0703f4475e5d8b6e21a7497585a12b6fcc410603
Opcode Fuzzy Hash: aec012f94e32214f6b8adb63d4ca76628ef8240bc61241f1e3373f77abc748c1
Instruction Fuzzy Hash: DFD1263592065A8ECB10EBB4D950A9EF771FFA9300F10C79AD00937615EB70AAC9CF81

Function 0127D344 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713056266.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1270000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f7fe4442acc8056c39dba510f4f6b8d2af5d7733abc6730918e6e8f2295497
Instruction ID: bc20f726aba9dc0bf6c30f03536df4b055269ba333006c0ec81a3dc03541e8d4
Opcode Fuzzy Hash: 07f7fe4442acc8056c39dba510f4f6b8d2af5d7733abc6730918e6e8f2295497
Instruction Fuzzy Hash: 5AA1A232E2421ACFCF06DFB4D9405AEBBB2FF85300B15856AE911AB365DB71D906CB40

Function 075FAC59 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54256fe3daa62252c9b21e71aeccca587e38b8e8a55d075c70e504055a1c83b0
Instruction ID: 29761f9f9f16d8c8ee40fcba1ddc916ece957fe01cc7e02905d7d0a944bec473
Opcode Fuzzy Hash: 54256fe3daa62252c9b21e71aeccca587e38b8e8a55d075c70e504055a1c83b0
Instruction Fuzzy Hash: 5E511AB4E002198FCB14DFA9C5805AEFBB2FF89304F24C16AD518A7356D7319945CFA1

Function 075FCF40 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717776579.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75f0000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f1a39f1d6adc449e746d3176dd37501724e86ca2855603f66de985bcde2071
Instruction ID: 6fec08125cd4fef35f54d74ef832702cd102e5bb847b6c377b19c084e9c07579
Opcode Fuzzy Hash: 51f1a39f1d6adc449e746d3176dd37501724e86ca2855603f66de985bcde2071
Instruction Fuzzy Hash: 0931CEB1E05628CBEB28CF67D8143DEBAF6BFC9310F14C4AAC50CA6255D77506868F51

Analysis Process: PO#86637.exePID: 7768, Parent PID: 7628COMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	4

Executed Functions

Function 07012348 Relevance: 9.0, Strings: 6, Instructions: 1522COMMON

Download Yara Rule

Strings

$^q, xrefs: 070137DE
$^q, xrefs: 07013813
$^q, xrefs: 07013837
$^q, xrefs: 070137EA
$^q, xrefs: 0701382B
$^q, xrefs: 07013807

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 48274149bad9042491857713d615fc84d7373092c526f9ace876fe53fb9491a1
Instruction ID: cac4be801ef41eaf04e0820f76fcae20d3cef34cf49f938f3d059e15ea73540c
Opcode Fuzzy Hash: 48274149bad9042491857713d615fc84d7373092c526f9ace876fe53fb9491a1
Instruction Fuzzy Hash: BFE25A74A0020A8FCB64DF68C584A9DF7F2FF89314F5486A9D449AB365EB34ED85CB40

Function 0701B2C8 Relevance: 8.3, Strings: 6, Instructions: 764COMMON

Download Yara Rule

Strings

$^q, xrefs: 0701BC39
$^q, xrefs: 0701BC6D
$^q, xrefs: 0701BCA1
$^q, xrefs: 0701BC45
$^q, xrefs: 0701BCAD
$^q, xrefs: 0701BC79

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 63e7584a757e0b10929d33f6d72e958a8fdbcc91cc6090d2fdcd35fcd3a90426
Instruction ID: fd107331564ef3cf4c46cc9dc46e0c59b11d583c4643c64d4d08d3f2ae4027f4
Opcode Fuzzy Hash: 63e7584a757e0b10929d33f6d72e958a8fdbcc91cc6090d2fdcd35fcd3a90426
Instruction Fuzzy Hash: C6526EB0A0020A8FDF64DB68D5907ADB7F6FB89310F208A69E405EB355DB35DC85CB91

Function 07017E20 Relevance: 3.0, Strings: 2, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 07018169
$^q, xrefs: 0701815D

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 4f24a1ff2c4f7db063aec4f4f1ab2df4dbd3e67bc63b07eecf4f05791224bc86
Instruction ID: 9891e6e7094a7ca15ea80e10cc210d3e9ef3a156553779542bb6a62535fa084a
Opcode Fuzzy Hash: 4f24a1ff2c4f7db063aec4f4f1ab2df4dbd3e67bc63b07eecf4f05791224bc86
Instruction Fuzzy Hash: BB02CE70B0020A8FDB54DB64D494AAEB7E6FF88324F14C669D406DB394DB75ED82CB81

Function 07015648 Relevance: 1.8, Strings: 1, Instructions: 593
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 07015D54

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 0485f07080334656ff79992d78a7f0747030f0b7360da3dbe4535d18577711c1
Instruction ID: 825fe3c66ad423d226310a6eedf90faa977380525765dbb116a04b3ac341727d
Opcode Fuzzy Hash: 0485f07080334656ff79992d78a7f0747030f0b7360da3dbe4535d18577711c1
Instruction Fuzzy Hash: A422D0B1E002168FDB60CBA4C8846AEB7F2FF88324F248569D459AF344DA35DD52CB91

Function 07016698 Relevance: .8, Instructions: 834COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3cad502db37bf04fae62cbe42074448321587a682308daaaee1341f6f7a6458
Instruction ID: 754a78acd1f21bf04efa158473f38fc0f4ad66f88f1760f5cc6ecb40616b7adc
Opcode Fuzzy Hash: f3cad502db37bf04fae62cbe42074448321587a682308daaaee1341f6f7a6458
Instruction Fuzzy Hash: E5628D74A002058FDB65DB68D994AADB7F2FF88314F148669E406DB394DF36EC46CB80

Function 0701C220 Relevance: .6, Instructions: 642COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7d9d548123c3670ac5368f52573c9dfafa9bd8441596643f861cd97907c6d3
Instruction ID: 75fae57ecb7d27e0e66b6bb3fd134162d476b03fd446bdf57546262a169c619a
Opcode Fuzzy Hash: cf7d9d548123c3670ac5368f52573c9dfafa9bd8441596643f861cd97907c6d3
Instruction Fuzzy Hash: 2C329174B402068FEB54DB68D590BAEBBF6FB88314F109625E405EB394DB74EC41CBA1

Function 0701AD60 Relevance: 10.4, Strings: 8, Instructions: 394
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0701AF0F
$^q, xrefs: 0701AED4
$^q, xrefs: 0701AF03
$^q, xrefs: 0701AF38
$^q, xrefs: 0701AE81
$^q, xrefs: 0701AF2C
$^q, xrefs: 0701AEE0
$^q, xrefs: 0701AE8D

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 5b5985ca9ae488be011ebfcf5ed68283f5b50cb7caed5724751590bacf419f52
Instruction ID: 9eed51ca7b21191e6e904d9979345e0c9aa358768a6af0dcc65ebb4a0f2242ce
Opcode Fuzzy Hash: 5b5985ca9ae488be011ebfcf5ed68283f5b50cb7caed5724751590bacf419f52
Instruction Fuzzy Hash: A5E16DB0B0120A8FCB65DFA8D4946AEB7F2FF89314F108A29E4059B354DB75DC46CB81

Function 070191E8 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0701929F
$^q, xrefs: 07019258
$^q, xrefs: 07019293
$^q, xrefs: 07019264

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: d4f7d9435f19da702584ef323d697acdc43c89e4791cbd77cc708a42a298eb3d
Instruction ID: fe010d93229c88ff2415bba78f150dcd6ea3b1267ee271f4e15f8447f12c0c27
Opcode Fuzzy Hash: d4f7d9435f19da702584ef323d697acdc43c89e4791cbd77cc708a42a298eb3d
Instruction Fuzzy Hash: 13916074B1020A8FDB94DB65D8607AEB3F6EFC9314F108569C409EB344EA74AD468B91

Function 0701CFE0 Relevance: 4.5, Strings: 3, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0701D3D7
$^q, xrefs: 0701D3EB
$^q, xrefs: 0701D3DF

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 4d59f6e90bbb9274b6af93a630bc3b0e030719fd2e7758d72c8303d144be60e9
Instruction ID: 9167154547186760e1cb509c4e449fa4dbc2da603db1038f61583de4f0def977
Opcode Fuzzy Hash: 4d59f6e90bbb9274b6af93a630bc3b0e030719fd2e7758d72c8303d144be60e9
Instruction Fuzzy Hash: E76271707002068FCB15DB68D590A5DBBF6FF84314F209A68D00A9F369DB75ED8ACB81

Function 07014C10 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Ocq, xrefs: 07014DC7
fcq, xrefs: 0701531D
XPcq, xrefs: 07014D3D

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 4e6c00426733eaa1e0aa8a5c0c14c1b293332918c72f3e14beea6ef33b76c4e2
Instruction ID: ed5383bcc5a140583c0790216878d470e390046c51231ae0535a2acd9640b829
Opcode Fuzzy Hash: 4e6c00426733eaa1e0aa8a5c0c14c1b293332918c72f3e14beea6ef33b76c4e2
Instruction Fuzzy Hash: E8617D70A002099FEF559FA5C8547AEBBF6FFC8310F208529E50AEB394DE754C458B91

Function 070191D8 Relevance: 2.7, Strings: 2, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 07019258
$^q, xrefs: 07019293

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 28e690a24f4ef4dd423b0c513d4cc5d3d9ec2ae508459cae70dd8979f27305a7
Instruction ID: a811c964d1c3f2793fb424daadb06f7f47b11521f853f74b6a88bfd389fa47e4
Opcode Fuzzy Hash: 28e690a24f4ef4dd423b0c513d4cc5d3d9ec2ae508459cae70dd8979f27305a7
Instruction Fuzzy Hash: 3A517474B101069FDB94DB74D9A0BAE77FAEFC8310F148569D409EB384EA74EC428B91

Function 0178EBEF Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0178EB82), ref: 0178EC6F

Memory Dump Source

Source File: 00000003.00000002.4180041377.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1780000_PO#86637.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: a077431fa760fc5192dd46aa855bc314c5906db810ad65cf2ae36c61ed0d66fa
Instruction ID: 4095345a706ae61afe2c4a4c292540d8a7f8ea953bcd6593e667f433ef1a7bfd
Opcode Fuzzy Hash: a077431fa760fc5192dd46aa855bc314c5906db810ad65cf2ae36c61ed0d66fa
Instruction Fuzzy Hash: 831133B1C00259CFCB10DFAAD5487DEFBB4AF48320F14856AD918B7251D778A944CFA5

Function 0178E720 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0178EB82), ref: 0178EC6F

Memory Dump Source

Source File: 00000003.00000002.4180041377.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1780000_PO#86637.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 3acac1bdce72ad64d20c81dec38bf3ae2895781ae7e97fc56ec83083c7ff0f1d
Instruction ID: 4e7894cdfcb6b7f3d01fb91940ef1ab551be0a034d547ec93d9440b6efd29793
Opcode Fuzzy Hash: 3acac1bdce72ad64d20c81dec38bf3ae2895781ae7e97fc56ec83083c7ff0f1d
Instruction Fuzzy Hash: F51114B1C00659DBCB10DF9AC5447DEFBF4EB48324F14816AD918A7250D778A940CFE5

Function 07014C01 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

XPcq, xrefs: 07014D3D

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: XPcq
API String ID: 0-714321711
Opcode ID: c6ef4ad28d4ed0c85e0290dba67086b1748db643bc67a1466a7f8ccb46948923
Instruction ID: 365fec7f0ed70f85dfd517258c8c4b1f58db93c9e8c57d256f6b53ef93f81fbb
Opcode Fuzzy Hash: c6ef4ad28d4ed0c85e0290dba67086b1748db643bc67a1466a7f8ccb46948923
Instruction Fuzzy Hash: C9414D70B102099FEB559FA8C854BAEBBF7FFC8710F20C529E145AB395DA748C058B91

Function 0701DB68 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0701DCB1

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 515683fd11c4566dfb734db2d2e823e70c21351e6f0b05380c029cc411d68117
Instruction ID: 84f5bbc4d20b60a35c69cfca00d9c2a0cc638a1eda6e393d9d68196bc2f16f45
Opcode Fuzzy Hash: 515683fd11c4566dfb734db2d2e823e70c21351e6f0b05380c029cc411d68117
Instruction Fuzzy Hash: 30418DB0B0020ADFDB65DF65C49469EBBE2FF85350F108A2AE406EB344DB719946CB81

Function 0701DB55 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0701DCB1

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: f7009b160ff170b8728f64bf47543f83cb0ff2f5805f01bb843959dcbde2abcc
Instruction ID: 864bf5844f9bdeb24a6a7f963d8efbd5fe2c057a5b12c01643654324f5e9aac6
Opcode Fuzzy Hash: f7009b160ff170b8728f64bf47543f83cb0ff2f5805f01bb843959dcbde2abcc
Instruction Fuzzy Hash: 80419DB0B00206DFDB25DF74C49469EBBF2FF85210F148A2AE402EB244EB75D846CB91

Function 070121AD Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

PH^q, xrefs: 070122FB

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 245d6c84ae44a1e01cf7d99ff1c10e3af01cd4a9da0d22791e04621ad4453e6d
Instruction ID: 0abcae10832c9ae6b03e81059f81c6be9d918cc2527a38b6f6c4d9c353273a71
Opcode Fuzzy Hash: 245d6c84ae44a1e01cf7d99ff1c10e3af01cd4a9da0d22791e04621ad4453e6d
Instruction Fuzzy Hash: E63112B0B00202DFDB5A9B74C55426E7BE2BF89320F108668D406DB395DF39CD42CBA5

Function 070121C0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 070122FB

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 92d3678d4c239757ff6a1b4b30550d203d7e32378cf256319d53ea2b93d813a9
Instruction ID: dc2431fb2ed52aad82faee998eb833f74d83385bd3aa24df8c84c029bf1e37a7
Opcode Fuzzy Hash: 92d3678d4c239757ff6a1b4b30550d203d7e32378cf256319d53ea2b93d813a9
Instruction Fuzzy Hash: 1131FEB0B002069FDB599B74C51466F7BE2BFC9320F208668D406DB394EE39DD428BA1

Function 0701B2BA Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f40ce802514f10388d6c9a9da4e2351d914dde0b0a1c77d9907580ab47d9da0
Instruction ID: cb392ac2174d820d6a2babfec83d06087971c562c4624b03096d3be67b4ac058
Opcode Fuzzy Hash: 1f40ce802514f10388d6c9a9da4e2351d914dde0b0a1c77d9907580ab47d9da0
Instruction Fuzzy Hash: D8A162F0B0020A9FEF649A68C5907BEB7F6FB89310F208929E445E7395CB39DC858751

Function 07016298 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e33943980bfbcbe57f559d917710941c83c0fdf399d00cc91572e950541522
Instruction ID: 74ed833a2cc3b194a24d7882eb48d22a8704e50f745783d1e4be2eea2940740a
Opcode Fuzzy Hash: 45e33943980bfbcbe57f559d917710941c83c0fdf399d00cc91572e950541522
Instruction Fuzzy Hash: 0961D3B1F000224FCB519A7DCC9466FBADBAFC4620B154439D80EDB360DE66DD0287C2

Function 07014348 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5c0149b86a6412e4fde038cfeae6c987d350d837024206463c9bac2642b49f
Instruction ID: fb7e3dde54bf8e3a05e575e42add7f610a7973010ece55fcd004c7aa4d81e59a
Opcode Fuzzy Hash: 4e5c0149b86a6412e4fde038cfeae6c987d350d837024206463c9bac2642b49f
Instruction Fuzzy Hash: B2816C70B0024A9FDF44DBA8D4946AEB7F6BF89314F148529E40ADB394EB74EC428B41

Function 07014664 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f64fd229389d3f4ce63c26f0a80732b66f94eaa6f4a788197f3e0d04a5ff5ac
Instruction ID: 9a97a8588da81f3275dca9a94d773b471981e672218013e718ba5a51e61aba59
Opcode Fuzzy Hash: 1f64fd229389d3f4ce63c26f0a80732b66f94eaa6f4a788197f3e0d04a5ff5ac
Instruction Fuzzy Hash: F5915D74E0021A8BDF50DF68C890B9DB7B1FF89310F208695E549AB255EB70AA85CF91

Function 07014358 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb5a04947e3a7cf6c4baa3c813fbf8a0847fee89fa8ef870d3063892c7b04d7
Instruction ID: 9419a86a754c34fa06a0b4ccbc30d35230fcd33f6ab5db212b9e766f8520c81f
Opcode Fuzzy Hash: 9eb5a04947e3a7cf6c4baa3c813fbf8a0847fee89fa8ef870d3063892c7b04d7
Instruction Fuzzy Hash: 7E815B70B0024A8FDF54DFA9D49466EB7F6BF89314F148529E40ADB394EB74EC428B81

Function 07014678 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc507cf38d40cf9b5cee3de07aa30fffb546b05caa6a9f7b381993fa51167303
Instruction ID: 9630a3e4a6d92f4a8581219a2582ecb6386ca9b2fb0d5956fbea699b6d22c5f1
Opcode Fuzzy Hash: fc507cf38d40cf9b5cee3de07aa30fffb546b05caa6a9f7b381993fa51167303
Instruction Fuzzy Hash: D9914F74E0021A8BDF60DF68C890B9DB7B1FF89314F208695D549BB254EB70AA85CF91

Function 0701EBB1 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e5b6560fd24a5367e24a9e5d1db6947e4db5d03945414bb0258756d6f50f40
Instruction ID: e2314a4542c5d7f3622b7707aec9e9b168ef46e2329e945ad939cb94012bfeb6
Opcode Fuzzy Hash: b2e5b6560fd24a5367e24a9e5d1db6947e4db5d03945414bb0258756d6f50f40
Instruction Fuzzy Hash: B8712A70A002099FDB55DFA8D990A9DBBF6FF88311F248569E405EB368DB30ED46CB50

Function 0701EBC0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81063a15a4c81a0ee7d96707a64715fac85e334d2cdf0fe01ed0ba10f864631a
Instruction ID: 161a507cb5ecec3536e52c172369ae3671e150ff1f79449326a0a86ed91304b7
Opcode Fuzzy Hash: 81063a15a4c81a0ee7d96707a64715fac85e334d2cdf0fe01ed0ba10f864631a
Instruction Fuzzy Hash: 89712A70A002099FDB54EFA9D990A9DBBF6FF88310F248569E405EB364DB30ED46CB51

Function 0701FAD8 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e960dbe1e08b3189f3dbc6d68ef04d5ff5768935942527da81ace744eb409403
Instruction ID: a43143302b54006ddb5d7f4259578d2500abb99aa8b642b43361f9215352f8c0
Opcode Fuzzy Hash: e960dbe1e08b3189f3dbc6d68ef04d5ff5768935942527da81ace744eb409403
Instruction Fuzzy Hash: 7F51EBB07012079FFF64966CD9A477F269FE78D310F20492AE40AD73A4C92DDC8593A2

Function 0701FD38 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd2a68f9d141280f8f86d266c1fcd4bf5ad10b134b237e09e92c7c0c833d174
Instruction ID: 4e33b2580e00900d25604581a3f931605c935be8645e9739370451e840b95fec
Opcode Fuzzy Hash: 0dd2a68f9d141280f8f86d266c1fcd4bf5ad10b134b237e09e92c7c0c833d174
Instruction Fuzzy Hash: FF51D3B1A0110BDFDB24EB78E4546ADBBF2FF89325F108969E006D7250DF35A946CB81

Function 0701FAE8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ad4ea6d73452f71c0051c703fd9749a77ed55ef1b4e9d777f934640dd53dd7
Instruction ID: eb21f71c784c244bfd4e4e9f2e5d2847182c89182f6a85383b8877d3fc76820b
Opcode Fuzzy Hash: c0ad4ea6d73452f71c0051c703fd9749a77ed55ef1b4e9d777f934640dd53dd7
Instruction Fuzzy Hash: 6851EBB07002079BFF64966CD9A473F269FE78D710F20492AE40AD73A4C96DDC8593A2

Function 07015637 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ff5aa324ae1d433257461864b7418b419e013494e466bdeccee62451f03c58
Instruction ID: 020eac20daf99c57f6aa7998ca2da539e3bb185f4e5ab692ef1d3771f7c67cf1
Opcode Fuzzy Hash: 37ff5aa324ae1d433257461864b7418b419e013494e466bdeccee62451f03c58
Instruction Fuzzy Hash: D55194B4A002068FDF71DB68D8C177EBBF2EB85310F248A69E056DF681C635D952CB91

Function 070154C8 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849fc7aff62deef7d845ad750d7264ae3ba2c10bfc2ac9f15ac588d27ddcd4c8
Instruction ID: 7a9dee9d135c39a446f90bff593ea5cae5ef4c49368e35b528be771c3bee55b7
Opcode Fuzzy Hash: 849fc7aff62deef7d845ad750d7264ae3ba2c10bfc2ac9f15ac588d27ddcd4c8
Instruction Fuzzy Hash: 96413EB1A0060A8FDB70CE99DC91AAFF7F2FB84310F104A2AE156DB650D730E9558B90

Function 0701DA08 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14112ef5e2e70df43b51136afef294cea9df0b8dd444ffb770cd398fa5bdfae
Instruction ID: ca9cafb328f8b08b38d0a1b2132b25aae0af06908a5547aa2d4a0946a90866e8
Opcode Fuzzy Hash: b14112ef5e2e70df43b51136afef294cea9df0b8dd444ffb770cd398fa5bdfae
Instruction Fuzzy Hash: 06319E71A1030A9FCF15DFA8C99069EBBF6FF85304F548A29E405AB354EB70A946CB40

Function 07012071 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2891a866829134c2a4dd536e841fef885a43426f4b95c7203b60ffef5b0a9022
Instruction ID: a55ba843af4a302005b032624f27fc4a86dfc480ee841ea7e60382111313d703
Opcode Fuzzy Hash: 2891a866829134c2a4dd536e841fef885a43426f4b95c7203b60ffef5b0a9022
Instruction Fuzzy Hash: 26316D75F0060A9FCB15CF64D894A9EB7F2BF89310F149619E806E7390DB75AD46CB40

Function 07012080 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9024cd3a99d8c2e5c7211ea922abe20023d33f05c8be46b4c602c3fa18500568
Instruction ID: 3771e5079041c875da7c6f70be76793064b55d1479a6a1bec3e9b16405a5b9df
Opcode Fuzzy Hash: 9024cd3a99d8c2e5c7211ea922abe20023d33f05c8be46b4c602c3fa18500568
Instruction Fuzzy Hash: AC316275F1060A9BCB15CF65D89469EB7F6FF89300F148619E906E7390DB70AC46CB40

Function 07013B48 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee779cc48a51deedcf6c66b7bfc4bdd0482a85293e95cb66f7c72e31e2af5c6f
Instruction ID: 6bf50f4a219d79a7d5b9fecd0bff0035e9e790ccf223b38daecaeac48196c50a
Opcode Fuzzy Hash: ee779cc48a51deedcf6c66b7bfc4bdd0482a85293e95cb66f7c72e31e2af5c6f
Instruction Fuzzy Hash: 63218BB5E002069FDB50CF68E841AEEB7F5FB48310F108125E955E7391E734D9418B95

Function 07013B58 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0668c6a64e346318007d796e7e7a6974ff462cfe0aa315f2c1ab7e4532bfbbe
Instruction ID: cd17ee79cd3d2059e47c3692d2f3e9ae750bf85eb636aac447ce93cc614585e2
Opcode Fuzzy Hash: c0668c6a64e346318007d796e7e7a6974ff462cfe0aa315f2c1ab7e4532bfbbe
Instruction Fuzzy Hash: 65214AB5E0021A9FDB50CF69D880AAEBBF5FB88710F148129E945E7390E734DD41CB95

Function 070154B8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b51db317cff2df0ff2dee207780e655cb594939d2de94c3b4a2776dd0b6b92e
Instruction ID: 2758b0dbc3665c21ac966a56ca63a9376036af0d1e1c4632c16943edbf1ff89f
Opcode Fuzzy Hash: 0b51db317cff2df0ff2dee207780e655cb594939d2de94c3b4a2776dd0b6b92e
Instruction Fuzzy Hash: E921B371A007059FCB20CEA9DD85AAFFBF2FB88310F104A2AE1169B650D774A8558BD0

Function 0152D006 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4178878649.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_152d000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cba0488a12596e34784fdbfd4619dad0bfc3b7875b63129706dde1e77e14653
Instruction ID: cd736c7a47e278e5d2bb333fb4d0acc39ae2ed4e2bfa27d4665eb19973a8ece0
Opcode Fuzzy Hash: 3cba0488a12596e34784fdbfd4619dad0bfc3b7875b63129706dde1e77e14653
Instruction Fuzzy Hash: 6E310B7550E3C09FD703CB64C994715BF71AB47214F29C5DBD8898F6A3C22A981ACB62

Function 0152D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4178878649.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_152d000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d3918ccee7f8c9b163be944c855f35a23e25554d7aff7d0a57e00ac3e4d67d5
Instruction ID: 1d73f6a21a9c9944903068b97c29c0994882cccfe4cf1f19dcee18a5414f0a89
Opcode Fuzzy Hash: 9d3918ccee7f8c9b163be944c855f35a23e25554d7aff7d0a57e00ac3e4d67d5
Instruction Fuzzy Hash: 93214672504204DFDB15DF68C9C4B2ABBB5FB85314F20C96DE8494F3A2D73AD846CA61

Function 07016DB8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ec074e8e522232fb07540716e6235ff81eaabb0868df876503efedf73a6fe5
Instruction ID: 78c04be6b55b3db630ac1d9ee2a31fa950fc0fcb3718b8ab8ee9765824cb7bc8
Opcode Fuzzy Hash: d9ec074e8e522232fb07540716e6235ff81eaabb0868df876503efedf73a6fe5
Instruction Fuzzy Hash: 8221B170B001199FDF54DA69E9506AEB7FAFB88314F149629E405EB390DB32EC418B85

Function 070142A9 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a91b677415d66eb4cbaabe49ad34e9ebce646186c5c5244bf3859b08756915
Instruction ID: feced1008d45e2bd75bd10b05ca780b09bf8e3c65ad6dc4814e379d94ad301fe
Opcode Fuzzy Hash: b6a91b677415d66eb4cbaabe49ad34e9ebce646186c5c5244bf3859b08756915
Instruction Fuzzy Hash: 0001F1347041511FDB61966EA864B2BBBEAEBCA320F14897AF00AC7361DE55CC4283A5

Function 07013C68 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b19453013b6a5e88c4a37dddfd7ea8166295289a3c71f0766b6f6f0c43c31bd
Instruction ID: ff744881f8c7482b7e4c729d6b983e948c8d0c3cc3ea9d2fcc5254a1dfa7d2b6
Opcode Fuzzy Hash: 2b19453013b6a5e88c4a37dddfd7ea8166295289a3c71f0766b6f6f0c43c31bd
Instruction Fuzzy Hash: 0A116D32B101295BDF549A79D814AAEB3EAEBCC311F14453AD40AE7344EE79DC028BD2

Function 0701EE31 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f08d3a0caebd3ec34e0379ee27e8621d3a4c8b8d8a141ed4f0d8f0936030491
Instruction ID: 0fd1e9fbd9c37c7357a656c5fe0fd90c43ae50ed24b2208d5dd3098537b20deb
Opcode Fuzzy Hash: 0f08d3a0caebd3ec34e0379ee27e8621d3a4c8b8d8a141ed4f0d8f0936030491
Instruction Fuzzy Hash: AF01DF757001121FDB6A863CD854B3E77EAEBC9615F188939F90ACB381DE28CC0203D5

Function 07013921 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd32cc9069d189a5f420b8c4be7352fab034a95ae6a7e7b8a3463282072aa6b
Instruction ID: fb2bf4e063d96abb53e931297ad67e3d6b7ba550a659b80f01ee6f0720591dbb
Opcode Fuzzy Hash: 5dd32cc9069d189a5f420b8c4be7352fab034a95ae6a7e7b8a3463282072aa6b
Instruction Fuzzy Hash: 022110B5D01219EFCB00CF9AD989ADEFBB4FB48324F10862AE518B7250C374A544CFA4

Function 0701A399 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ba887201bdb7f9ab8ed7d613a492d8616adb9addc06986719c9e767e7916d9
Instruction ID: cd6c351501f063b5c46e029909b7ff699b0eb42bfd6b0da9eaee8820a3474590
Opcode Fuzzy Hash: f8ba887201bdb7f9ab8ed7d613a492d8616adb9addc06986719c9e767e7916d9
Instruction Fuzzy Hash: FB0184747011114FDB62D678E86472E7BEAEB8A320F14D579F10EC7391DE29DC024395

Function 07013108 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b7451a28950a9b47ed55792e2841f66f2383ac7683e223e491c29e0b961328
Instruction ID: 3e91879dce16322cb75c48999a8c973cb1a9c1a46e8eba2095aca2330f168850
Opcode Fuzzy Hash: 68b7451a28950a9b47ed55792e2841f66f2383ac7683e223e491c29e0b961328
Instruction Fuzzy Hash: BD01C0B1E002198BCF68DBB9C8405DEF7F6EF89310F00866AD40AE7300EA30DA41CB91

Function 07013C57 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ccc47052d48d8223c727cb0d9b84755bb197bb2bda8a39264fc772186f30288
Instruction ID: 9322b372678a49ea54614050c41249c1b0df5192e5d2b37ceb9e88310f9ab52e
Opcode Fuzzy Hash: 9ccc47052d48d8223c727cb0d9b84755bb197bb2bda8a39264fc772186f30288
Instruction Fuzzy Hash: 9D01D472B040165BDB94D6B99C147EFB7EFABC8610F04057AD40AE3280EE649C0687D2

Function 07013928 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23df4eaed9e2ae4f483582b1222751ae1764d8a036740c0724f5a23b7c819db1
Instruction ID: dc2448d2329ae316070cd3386a46c2e00f594b23e99d4d2a60fcff1d81faf4c2
Opcode Fuzzy Hash: 23df4eaed9e2ae4f483582b1222751ae1764d8a036740c0724f5a23b7c819db1
Instruction Fuzzy Hash: D011D3B5D01219EFCB00CF9AD884ADEFBB4FB48314F10812AE918A7200C374A554CFA5

Function 070142B8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e5e88ced32d9357abff2b32070e36e8c38430fd0171741967aae1996b6a5c6
Instruction ID: cc77985e1abeec036c20425f509a0f1ed2a879470c62e68c126f0a3f8309e9b4
Opcode Fuzzy Hash: d5e5e88ced32d9357abff2b32070e36e8c38430fd0171741967aae1996b6a5c6
Instruction Fuzzy Hash: A301D1347000160BDB60966ED454B2FB7DAEBC9720F14893AF10EC7364DE65DC424395

Function 0701EE40 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db7aa172f6f47dd0e2246592f506580175a8fb7f641e62c7673912e195825e1
Instruction ID: 92ee2fe2aed3275e10e805923a09c7e4ffd0a33046978f1bba30ba96dc3d26bb
Opcode Fuzzy Hash: 1db7aa172f6f47dd0e2246592f506580175a8fb7f641e62c7673912e195825e1
Instruction Fuzzy Hash: 51018C357000165BDF65962DD494B2FB7EAEBC9729F188939FA0ACB380DE25DC024395

Function 0701A3A8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a414f31eb204372d2de9904fedeea26d5d38e1dc89305d17d1b4dc38e1e7833f
Instruction ID: 30770a3487051e1befeffd83da8a42b0c270e45607b0aa7352472480ec8b0e30
Opcode Fuzzy Hash: a414f31eb204372d2de9904fedeea26d5d38e1dc89305d17d1b4dc38e1e7833f
Instruction Fuzzy Hash: 9A018CB47000164FDBA59A68E464B2EB7EAEB89720F14D939F10AC7390EE25EC024795

Function 0701C878 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fcd0290940434f67f547a84b81d9cec8a3298ff5abc61b94777f0732badda22
Instruction ID: f35122df8ed59b16682e400480a49b87d574f32d1fa5c48a95b84585aab3822f
Opcode Fuzzy Hash: 7fcd0290940434f67f547a84b81d9cec8a3298ff5abc61b94777f0732badda22
Instruction Fuzzy Hash: 3B01C871F102259BDF64DA79E890AAEB7B9FB89314F004539E901EB344DB36EC0487D0

Function 0701AFB0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcff947229b1bd2348f1b65802cfc9e6226dca4891402466aa9a7fc65b3f7257
Instruction ID: 14534f4d246bac07a524be231e2c5526cd84ca9ad3989232d6ab1e8904bd5303
Opcode Fuzzy Hash: bcff947229b1bd2348f1b65802cfc9e6226dca4891402466aa9a7fc65b3f7257
Instruction Fuzzy Hash: FEF0E5F6F0021D8BDF309AA9D844B8EBBE9E745361F10453BE91AE7240D671AC45C782

Function 07016519 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0472f17e3f70958d92a01d4350475406696a18b83da85ec07212b7f00daf47be
Instruction ID: 4906f1fb57be68ebdc092327f2fc3213ef9b63f72ccdd16dfc643f715eddbae4
Opcode Fuzzy Hash: 0472f17e3f70958d92a01d4350475406696a18b83da85ec07212b7f00daf47be
Instruction Fuzzy Hash: 24E086F2E091469FEF50CAB0CA153AA76E5EB42308F604AF6C408DB345F577C9418740

Function 07016528 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f40778c56a94cb1829351910999078a94cedfe7366333d70a95a28b265ea9a
Instruction ID: a04202fa182a1604b084833072cc26a98dd1a270474cac532f1bd0aa1afd2126
Opcode Fuzzy Hash: a3f40778c56a94cb1829351910999078a94cedfe7366333d70a95a28b265ea9a
Instruction Fuzzy Hash: D6E0C2B2A00209ABDF10CEB0CD0575EB7ECE702208F6086A4D408C7305F973CA418780

Non-executed Functions

Function 07017740 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 07017CE6
$^q, xrefs: 07017C31
$^q, xrefs: 070178A5
$^q, xrefs: 07017CD0
$^q, xrefs: 07017CF2
$^q, xrefs: 07017874
$^q, xrefs: 07017880
$^q, xrefs: 07017C3D
$^q, xrefs: 07017CDC
$^q, xrefs: 070178B1

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: ef4a44cc0fd2ce29bf348f9f71bcea04db24478657428697fc2bf294a1f4b832
Instruction ID: 6d7239427af3e58165a90299d5dea3d55c9c4f57a6a0e00f5b82db63186d3fde
Opcode Fuzzy Hash: ef4a44cc0fd2ce29bf348f9f71bcea04db24478657428697fc2bf294a1f4b832
Instruction Fuzzy Hash: 6D123E70E0021ACFDB68DF65C954AADB7F6BF88314F2096A9D409AB354DB309D85CF81

Function 0701A9C8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 0701AB19
$^q, xrefs: 0701AB50
$^q, xrefs: 0701AB7A
$^q, xrefs: 0701AB44
$^q, xrefs: 0701AB25
$^q, xrefs: 0701AB86
$^q, xrefs: 0701AACA
$^q, xrefs: 0701AABE

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 5bca6f7fa13cefcf87adb819127b653e235323516c7ec5f8ed7cfd6bd9cd3b6c
Instruction ID: d1a87b3581dfd775adfe8d77b15797c8da2747cd78f389fc17d83626a6f5920c
Opcode Fuzzy Hash: 5bca6f7fa13cefcf87adb819127b653e235323516c7ec5f8ed7cfd6bd9cd3b6c
Instruction Fuzzy Hash: 12914DF0B0120A9FDB24DB64D698BAEBBF6BF88310F108629E4119B354DB749D45CB90

Function 07017140 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

.5vq, xrefs: 0701719B
$^q, xrefs: 07017422
$^q, xrefs: 07017488
$^q, xrefs: 07017654
$^q, xrefs: 07017648
$^q, xrefs: 0701747C
$^q, xrefs: 070175DC

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: e84f3025af0efee0769acaeb61b8850c38e9405041a6427621c9d9b13e5b4d2d
Instruction ID: 5c190b72fd39e3c1dc12dacef688b2d93863265b346ad47f505ef908b7eac610
Opcode Fuzzy Hash: e84f3025af0efee0769acaeb61b8850c38e9405041a6427621c9d9b13e5b4d2d
Instruction Fuzzy Hash: B6F15C70A00209CFDB59EF68C594A6EB7F6FF88310F249568D4069B368DB35EC46CB80

Function 07018470 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 0701873B
$^q, xrefs: 0701872F
$^q, xrefs: 070186D6
$^q, xrefs: 070186CA

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 320894de8e31f4d65eaa569936cdc85064b828a77890eb166f2fc4e009e0c966
Instruction ID: a5e1d42eef4464e0f7d83b74e407adb489751caae4f6af166947f8199aac8abd
Opcode Fuzzy Hash: 320894de8e31f4d65eaa569936cdc85064b828a77890eb166f2fc4e009e0c966
Instruction Fuzzy Hash: 63B14D70A002098FDB64EF69D59466EB7F2FF88310F24C569D0069B394DB75DD86CB81

Function 07018888 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 07018913
LR^q, xrefs: 070189CA
LR^q, xrefs: 0701897B
$^q, xrefs: 07018907

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 0d789e779c74a47944f456fc9f3f6d2a93135664112082adb64b3fbc5d93a339
Instruction ID: 0f9ab8d84f9e2e9e35fc9c8b3e4f2cce3554f649d805ee23e49208fe93d6fb4c
Opcode Fuzzy Hash: 0d789e779c74a47944f456fc9f3f6d2a93135664112082adb64b3fbc5d93a339
Instruction Fuzzy Hash: 6D51D370B002069FDB58DB28C994A6EB7F6FF88324F148A68E5059F3A5DB30ED44CB51

Function 0701AD50 Relevance: 5.2, Strings: 4, Instructions: 164COMMON

Download Yara Rule

Strings

$^q, xrefs: 0701AED4
$^q, xrefs: 0701AF03
$^q, xrefs: 0701AE81
$^q, xrefs: 0701AF2C

Memory Dump Source

Source File: 00000003.00000002.4184764502.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7010000_PO#86637.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: b6adb0286ae0d9daaf1354f415f582ba5cc8dd6378c65f214351f422a70e17e1
Instruction ID: b45265643d9722e9a19c242407154019dc4d0dc130ece9618ba50b2aea153f9b
Opcode Fuzzy Hash: b6adb0286ae0d9daaf1354f415f582ba5cc8dd6378c65f214351f422a70e17e1
Instruction Fuzzy Hash: 7B5168F0B022068FCF65DAA8D584AAEB7F2EF88315F14C62AE4069B254DB35DC45CB51

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO#86637.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO#86637.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
PO#86637.exe

Function 075FEE58 Relevance: 1.9, Strings: 1, Instructions: 642
COMMON

Function 075FBD97 Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Function 075FBD98 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0127AD88 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Function 012744B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0127590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 075FBB08 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Function 075FBB10 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 075FBBF8 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 075FB538 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Function 0127B770 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0127D658 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 075FB540 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre