Edit tour

Windows Analysis Report
Packing List - SAPPHIRE X.xlsx.scr.exe

Overview

General Information

Sample name:	Packing List - SAPPHIRE X.xlsx.scr.exe
Analysis ID:	1562851
MD5:	de3f3b39af9a5caa1af9bb54f75504fa
SHA1:	18f16a9a90439c61602d3bed2a5e35ddde6e2e48
SHA256:	b3c12cee79f27bba7b9d58c690083d38170fac66c70ab18dd5897bf0268fc114
Tags:	exeuser-threatcat_ch
Infos:

Detection

AgentTesla, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Packing List - SAPPHIRE X.xlsx.scr.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe" MD5: DE3F3B39AF9A5CAA1AF9BB54F75504FA)

powershell.exe (PID: 5224 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Packing List - SAPPHIRE X.xlsx.scr.exe (PID: 3260 cmdline: "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe" MD5: DE3F3B39AF9A5CAA1AF9BB54F75504FA)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1688614396.00000000059A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.4138252675.000000000303C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4136293284.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4136293284.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1686840751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1686840751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4138252675.0000000003011000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4138252675.0000000003011000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1686840751.0000000004235000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1686840751.0000000004235000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1686840751.0000000004235000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: Packing List - SAPPHIRE X.xlsx.scr.exe PID: 7056	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Packing List - SAPPHIRE X.xlsx.scr.exe PID: 7056	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Packing List - SAPPHIRE X.xlsx.scr.exe PID: 7056	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Packing List - SAPPHIRE X.xlsx.scr.exe PID: 3260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Packing List - SAPPHIRE X.xlsx.scr.exe PID: 3260	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.59a0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.59a0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x312d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31345:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x313cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31461:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x314cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3153d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x315d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31663:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2e6c6:$s2: GetPrivateProfileString 0x2ddc5:$s3: get_OSFullName 0x2f403:$s5: remove_Key 0x2f592:$s5: remove_Key 0x30473:$s6: FtpWebRequest 0x312b5:$s7: logins 0x31827:$s7: logins 0x3450a:$s7: logins 0x345ea:$s7: logins 0x35ee6:$s7: logins 0x35184:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x312d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31345:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x313cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31461:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x314cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3153d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x315d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31663:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2e6c6:$s2: GetPrivateProfileString 0x2ddc5:$s3: get_OSFullName 0x2f403:$s5: remove_Key 0x2f592:$s5: remove_Key 0x30473:$s6: FtpWebRequest 0x312b5:$s7: logins 0x31827:$s7: logins 0x3450a:$s7: logins 0x345ea:$s7: logins 0x35ee6:$s7: logins 0x35184:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33145:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33261:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3333d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33463:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304c6:$s2: GetPrivateProfileString 0x2fbc5:$s3: get_OSFullName 0x31203:$s5: remove_Key 0x31392:$s5: remove_Key 0x32273:$s6: FtpWebRequest 0x330b5:$s7: logins 0x33627:$s7: logins 0x3630a:$s7: logins 0x363ea:$s7: logins 0x37ce6:$s7: logins 0x36f84:$s9: 1.85 (Hash, version 2, native byte-order)
4.2.Packing List - SAPPHIRE X.xlsx.scr.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.Packing List - SAPPHIRE X.xlsx.scr.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.Packing List - SAPPHIRE X.xlsx.scr.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33145:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33261:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3333d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33463:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.Packing List - SAPPHIRE X.xlsx.scr.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304c6:$s2: GetPrivateProfileString 0x2fbc5:$s3: get_OSFullName 0x31203:$s5: remove_Key 0x31392:$s5: remove_Key 0x32273:$s6: FtpWebRequest 0x330b5:$s7: logins 0x33627:$s7: logins 0x3630a:$s7: logins 0x363ea:$s7: logins 0x37ce6:$s7: logins 0x36f84:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6d4f3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33145:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6d565:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6d5ef:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33261:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6d681:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6d6eb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3333d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6d75d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6d7f3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33463:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6d883:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304c6:$s2: GetPrivateProfileString 0x6a8e6:$s2: GetPrivateProfileString 0x2fbc5:$s3: get_OSFullName 0x69fe5:$s3: get_OSFullName 0x31203:$s5: remove_Key 0x31392:$s5: remove_Key 0x6b623:$s5: remove_Key 0x6b7b2:$s5: remove_Key 0x32273:$s6: FtpWebRequest 0x6c693:$s6: FtpWebRequest 0x330b5:$s7: logins 0x33627:$s7: logins 0x3630a:$s7: logins 0x363ea:$s7: logins 0x37ce6:$s7: logins 0x6d4d5:$s7: logins 0x6da47:$s7: logins 0x7072a:$s7: logins 0x7080a:$s7: logins 0x72106:$s7: logins 0x36f84:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x2566f3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x290b13:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x256765:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x290b85:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x2567ef:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x290c0f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x256881:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x290ca1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x2568eb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x290d0b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x25695d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x290d7d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2569f3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x290e13:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x256a83:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x290ea3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x253ae6:$s2: GetPrivateProfileString 0x28df06:$s2: GetPrivateProfileString 0x2531e5:$s3: get_OSFullName 0x28d605:$s3: get_OSFullName 0x254823:$s5: remove_Key 0x2549b2:$s5: remove_Key 0x28ec43:$s5: remove_Key 0x28edd2:$s5: remove_Key 0x255893:$s6: FtpWebRequest 0x28fcb3:$s6: FtpWebRequest 0x2566d5:$s7: logins 0x256c47:$s7: logins 0x25992a:$s7: logins 0x259a0a:$s7: logins 0x25b306:$s7: logins 0x290af5:$s7: logins 0x291067:$s7: logins 0x293d4a:$s7: logins 0x293e2a:$s7: logins 0x295726:$s7: logins 0x25a5a4:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x10e89:$s1: file:/// 0x10de5:$s2: {11111-22222-10009-11112} 0x10e19:$s3: {11111-22222-50001-00000} 0xf1b3:$s4: get_Module 0x253506:$s5: Reverse 0x28d926:$s5: Reverse 0x255ea6:$s6: BlockCopy 0x2902c6:$s6: BlockCopy 0x2d355e:$s6: BlockCopy 0x25376b:$s7: ReadByte 0x28db8b:$s7: ReadByte 0x2d37af:$s7: ReadByte 0x10e9b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 27 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe", ParentImage: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe, ParentProcessId: 7056, ParentProcessName: Packing List - SAPPHIRE X.xlsx.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe", ProcessId: 5224, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe", ParentImage: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe, ParentProcessId: 7056, ParentProcessName: Packing List - SAPPHIRE X.xlsx.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe", ProcessId: 5224, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}

Multi AV Scanner detection for submitted file

Source: Packing List - SAPPHIRE X.xlsx.scr.exe	ReversingLabs: Detection: 28%
Source: Packing List - SAPPHIRE X.xlsx.scr.exe	Virustotal: Detection: 38%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Packing List - SAPPHIRE X.xlsx.scr.exe

Joe Sandbox ML: detected

Source: Packing List - SAPPHIRE X.xlsx.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: Packing List - SAPPHIRE X.xlsx.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe

Code function: 4x nop then jmp 0788B836h

0_2_0788ADE0

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	IP Address: 50.87.144.157 50.87.144.157
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: beirutrest.com

Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000004.00000002.4138252675.000000000303C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://beirutrest.com
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1686099657.000000000324B000.00000004.00000800.00020000.00000000.sdmp, Packing List - SAPPHIRE X.xlsx.scr.exe, 00000004.00000002.4138252675.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1686840751.0000000004235000.00000004.00000800.00020000.00000000.sdmp, Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1686840751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, Packing List - SAPPHIRE X.xlsx.scr.exe, 00000004.00000002.4136293284.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1686840751.0000000004235000.00000004.00000800.00020000.00000000.sdmp, Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1686840751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, Packing List - SAPPHIRE X.xlsx.scr.exe, 00000004.00000002.4136293284.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Packing List - SAPPHIRE X.xlsx.scr.exe, 00000004.00000002.4138252675.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000004.00000002.4138252675.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000004.00000002.4138252675.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack, n00.cs	.Net Code: lGCzgIzdr
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.raw.unpack, n00.cs	.Net Code: lGCzgIzdr

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 4.2.Packing List - SAPPHIRE X.xlsx.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.Packing List - SAPPHIRE X.xlsx.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_0305DE34	0_2_0305DE34
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_062D0460	0_2_062D0460
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_062D70A0	0_2_062D70A0
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_062D80E8	0_2_062D80E8
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_062DBAC8	0_2_062DBAC8
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_062D0451	0_2_062D0451
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_062DB3C9	0_2_062DB3C9
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_062DB3D8	0_2_062DB3D8
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_062DBABA	0_2_062DBABA
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_078838E8	0_2_078838E8
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_07887598	0_2_07887598
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_0788D34C	0_2_0788D34C
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_07887150	0_2_07887150
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_07883030	0_2_07883030
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_07886D28	0_2_07886D28
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_078838DA	0_2_078838DA
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_078868F0	0_2_078868F0
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_07888838	0_2_07888838
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_0123E5B8	4_2_0123E5B8
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_01234A58	4_2_01234A58
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_0123DD38	4_2_0123DD38
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_01233E40	4_2_01233E40
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_01234188	4_2_01234188
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_0123A9E0	4_2_0123A9E0
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_06B7A4D5	4_2_06B7A4D5
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_06B78970	4_2_06B78970
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_06B7B5F8	4_2_06B7B5F8
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_06B7D3F0	4_2_06B7D3F0
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_06B855A0	4_2_06B855A0
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_06B865F0	4_2_06B865F0
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_06B8B238	4_2_06B8B238
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_06B83060	4_2_06B83060
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_06B8C190	4_2_06B8C190
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_06B87D80	4_2_06B87D80
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_06B876A0	4_2_06B876A0
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_06B8E3A8	4_2_06B8E3A8
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_06B80040	4_2_06B80040
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_06B85CE3	4_2_06B85CE3
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_06B80317	4_2_06B80317
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_06B80006	4_2_06B80006

Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1688614396.00000000059A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Packing List - SAPPHIRE X.xlsx.scr.exe
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1690671452.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Packing List - SAPPHIRE X.xlsx.scr.exe
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1684091033.000000000125E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Packing List - SAPPHIRE X.xlsx.scr.exe
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1686840751.0000000004235000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Packing List - SAPPHIRE X.xlsx.scr.exe
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1686840751.0000000004235000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs Packing List - SAPPHIRE X.xlsx.scr.exe
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1686840751.0000000004235000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Packing List - SAPPHIRE X.xlsx.scr.exe
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000000.1664728035.0000000000D72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesEZE.exe" vs Packing List - SAPPHIRE X.xlsx.scr.exe
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1686099657.000000000324B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs Packing List - SAPPHIRE X.xlsx.scr.exe
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1686840751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs Packing List - SAPPHIRE X.xlsx.scr.exe
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000004.00000002.4136293284.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs Packing List - SAPPHIRE X.xlsx.scr.exe
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000004.00000002.4136470719.0000000000F38000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Packing List - SAPPHIRE X.xlsx.scr.exe
Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000004.00000002.4137158088.0000000001268000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Packing List - SAPPHIRE X.xlsx.scr.exe
Source: Packing List - SAPPHIRE X.xlsx.scr.exe	Binary or memory string: OriginalFilenamesEZE.exe" vs Packing List - SAPPHIRE X.xlsx.scr.exe

Source: Packing List - SAPPHIRE X.xlsx.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 4.2.Packing List - SAPPHIRE X.xlsx.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.Packing List - SAPPHIRE X.xlsx.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: Packing List - SAPPHIRE X.xlsx.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack, id.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack, NpXw3kw.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack, NpXw3kw.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack, fpnV0Qjz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack, fpnV0Qjz.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, l26bIgQS75wMDahwwC.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, l26bIgQS75wMDahwwC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, l26bIgQS75wMDahwwC.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, hh1LJnqwBQZGh7Abuu.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, l26bIgQS75wMDahwwC.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, l26bIgQS75wMDahwwC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, l26bIgQS75wMDahwwC.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, hh1LJnqwBQZGh7Abuu.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/6@2/2

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Packing List - SAPPHIRE X.xlsx.scr.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fbxqcxop.gbs.ps1

Jump to behavior

Source: Packing List - SAPPHIRE X.xlsx.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Packing List - SAPPHIRE X.xlsx.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Packing List - SAPPHIRE X.xlsx.scr.exe	ReversingLabs: Detection: 28%
Source: Packing List - SAPPHIRE X.xlsx.scr.exe	Virustotal: Detection: 38%

Source: unknown	Process created: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe"
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process created: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe"
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process created: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Packing List - SAPPHIRE X.xlsx.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Packing List - SAPPHIRE X.xlsx.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack, id.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.59a0000.5.raw.unpack, id.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, l26bIgQS75wMDahwwC.cs	.Net Code: JOXSAqqhk4 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, l26bIgQS75wMDahwwC.cs	.Net Code: JOXSAqqhk4 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 0_2_078843A3 pushfd ; iretd		0_2_078843A4
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Code function: 4_2_01230C6D push edi; retf		4_2_01230C7A

Source: Packing List - SAPPHIRE X.xlsx.scr.exe

Static PE information: section name: .text entropy: 7.73923901021069

Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, Q9LaWqrkFwkVi4RG73E.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cPaUT85Aqf', 'RUDUwstDvb', 'HYwUbmYXWY', 'EgiUKnyWZA', 'LsWU3dJ0il', 'yYoUOMEa1o', 'pqrUDcJLY2'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, EGt9sksd8ciMjJNmB4.cs	High entropy of concatenated method names: 'o3a5WAhTMs', 'emp5eDuKow', 'upY51mPD2F', 'O5P5VfdmvB', 'Xar5JxwJDG', 'eOp5lN3WaF', 'Ctc5pZqNN0', 'nDT5fekoDU', 'yuE5HPnhnu', 'yvq5i6hZfW'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, unSWHMu1IKgGwPkk1J.cs	High entropy of concatenated method names: 'bRbyIdT18M', 'GNVytlE9HT', 'dhTyqQJs3k', 'XyiyuNvVaq', 'zc6y4l2N0E', 'xOOyxl70Te', 'DCsyEDZIfV', 'uWhyRhDRwa', 'AKvy5asVQt', 'NOPyUNGpq0'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, zP11H08o6Km2rMwOyl.cs	High entropy of concatenated method names: 'z6oEZ5bvOM', 'j2nE0owRIH', 'DthRk11gyL', 'LjbRroHPel', 'BttETMn6Xa', 'xKPEwowr0p', 'nVmEbPL88A', 'QO0EKgD0Bi', 'I9HE3sHKhk', 'UN5EOc60mu'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, hh1LJnqwBQZGh7Abuu.cs	High entropy of concatenated method names: 'LhZmKcTFyX', 'PSlm38txvk', 'DqxmO6o60E', 'b4vmDJNrxP', 'Wv6mMgcLy1', 'rXmm81ZVJc', 'QkBm9kumqY', 'hF5mZWcDgE', 'TPgms5O71Z', 'q0Tm0JrObW'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, l26bIgQS75wMDahwwC.cs	High entropy of concatenated method names: 'oiZBXgD0J0', 'MpeBjvkjJ5', 'wlhBmnvqZt', 'fIUBykaEeU', 'oidBo1AEST', 'j5wBn5HFmA', 'uTZBLOyc0L', 'wEVBQrPCDV', 'TekB2GldA0', 'TbKBhY2RQq'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, PJQ67DpRPiXi34RkEE.cs	High entropy of concatenated method names: 'HVALjWRtDh', 'jkMLyjx72t', 'leoLnOSPws', 'OGkn0rRu31', 'qgtnzW6exA', 'HyoLkiIFWF', 'c1ILrtqDMv', 'X5aL6NuROZ', 'vQLLBhuU8k', 'p15LSChdO1'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, akHtHHWRoj1KpRJEOM.cs	High entropy of concatenated method names: 'rYinXwSbDO', 'AkHnmC6US1', 'PsWnoYvAS0', 'cxXnLneRlq', 'sFUnQ9fi4T', 'xysoMV2Pvy', 'xWto8q8BZ1', 'ELgo9CcjcX', 'NABoZuPgBP', 'gnTosLFZif'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, ipKb7VSmXFwe4SChaF.cs	High entropy of concatenated method names: 'i0yrLh1LJn', 'PBQrQZGh7A', 'U1IrhKgGwP', 'ak1rNJ2Nh8', 'rVMr43vkkH', 'BHHrxRoj1K', 'BoK2LK2QC9NLjqM0u2', 'rivk2IOq1AXbX4iOXL', 'i7drrN9KKR', 'l35rBZn6sw'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, lNh8eAvo6ccsL5VM3v.cs	High entropy of concatenated method names: 'nYGo7k7edK', 'YKmoCEJMRP', 'Ts8y17w9Wa', 'playVS6EMc', 'nyyyJREvFW', 'M05yl9Lhto', 'YClypAhVj3', 'AuXyfNM4c8', 'DMLyHV7L3e', 'pUvyiVv0Ac'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, fgp6Kr04uLGv6rkGUv.cs	High entropy of concatenated method names: 'HRYUy2DhXC', 'sq7UoVSnIm', 'YsQUnUM9cB', 'tXfULX8Nei', 'n5NU5WgGxL', 'gF1UQqFtg3', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, wyDynvrS2UY2eWT9mQT.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jdUd5t52i8', 'GgcdU0U1I4', 'tSMdYFumnA', 'DgQddfvX7b', 'kb3dGm7XFI', 'XTydgxjf0W', 'xETdaaqsr2'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, yIu8LoORYwJbNH3E7j.cs	High entropy of concatenated method names: 'ToString', 'kJmxTP7njx', 'Agqxey7Vtl', 'wEGx173lPO', 'QrNxVbyEQ5', 'C1IxJlieQw', 'lQKxl8vypb', 'vxnxp8pG9n', 'Lq7xfpBejN', 'f4exHl9mbe'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, pqQAd99VXWAxBjv6k3.cs	High entropy of concatenated method names: 't9W54Feej4', 'Soj5En1wKq', 'Hpb55UZ1Ii', 'O2D5Ywc5F3', 'RWR5GpnLKd', 'EaC5auv7Or', 'Dispose', 'dHlRjbLe8K', 'M6SRmQJ4bl', 'K2DRymVd4M'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, j7lg6vKuNvXN9BBcQb.cs	High entropy of concatenated method names: 'PPU4iQS3nl', 'B944wBtdSg', 'iZ34KHCNCK', 'cD8434GX3r', 'LQm4ebwjsi', 'Vas41LsIA7', 'HVq4Vb8xkm', 'N814JsN6Ad', 'Iw24lYLlOH', 'eSG4pek1Fp'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, GVV0tDHNZe2ilKBndv.cs	High entropy of concatenated method names: 'CQlLFQHf9g', 'oESLcMdbfU', 'LCsLAgEwes', 'MDNLImAKIC', 'XjAL7iZCTf', 'UikLt88Ccn', 'cXXLCHnBVa', 'mbILqvMuEr', 'ybnLu39YRs', 'csFLvODFrT'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, iFGnJ96dQaL1hu8ndn.cs	High entropy of concatenated method names: 'gpwAQ60FG', 'CHmIbrrWx', 'BW3t2TOTi', 'wefCBRtWb', 'loHu3akPM', 'GEavPHDXp', 'g0NJW2DJ8vgd1fS5qi', 'RwEsSHkRfVRIivv2HH', 'dSZRF2MvX', 'GqnUDb3JA'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, fJcWhBzSZjvYnMne5J.cs	High entropy of concatenated method names: 'EYoUtGUVlN', 'wbiUq7GYrs', 'K6oUupj6pD', 'i8vUWkIN1p', 'nFyUewX1eQ', 'N1sUVyYcvb', 'JcHUJY1u1F', 'xFPUaKRuRo', 'mdPUF0QOhq', 'eokUcpb983'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, i3PCudboK1bGMsnppx.cs	High entropy of concatenated method names: 'LQ1PqO9Wmx', 'tmGPuLVkpg', 'ki6PWgpQJa', 'EsTPeJ3iaS', 'NQSPVEedxO', 'cQgPJoHZMD', 'FfFPpQ3kOZ', 'lqLPfgJJSV', 'a5SPifax30', 'IZPPTI1eZv'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, fcfOPjmAdYV5WWfPdT.cs	High entropy of concatenated method names: 'Dispose', 'FAxrsBjv6k', 'VS56ebFn4a', 'cGq3ZW7I4p', 'Rqhr0YJ8mS', 'CCgrznOwfR', 'ProcessDialogKey', 'vPu6kGt9sk', 'u8c6riMjJN', 'gB466jgp6K'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.7ab0000.6.raw.unpack, FnOgjYrrZVImV4S7MPK.cs	High entropy of concatenated method names: 'Lq9U0fqSQ2', 'ru1Uzgp3II', 'xn0YkoISt4', 'h8VYrsGiiL', 'kj4Y6dnqIn', 'Ud4YBsBNTf', 'hCbYSA1a6s', 'LFaYXFXMGm', 'J1gYjtJQ5b', 'NmcYmOwGtP'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, Q9LaWqrkFwkVi4RG73E.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cPaUT85Aqf', 'RUDUwstDvb', 'HYwUbmYXWY', 'EgiUKnyWZA', 'LsWU3dJ0il', 'yYoUOMEa1o', 'pqrUDcJLY2'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, EGt9sksd8ciMjJNmB4.cs	High entropy of concatenated method names: 'o3a5WAhTMs', 'emp5eDuKow', 'upY51mPD2F', 'O5P5VfdmvB', 'Xar5JxwJDG', 'eOp5lN3WaF', 'Ctc5pZqNN0', 'nDT5fekoDU', 'yuE5HPnhnu', 'yvq5i6hZfW'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, unSWHMu1IKgGwPkk1J.cs	High entropy of concatenated method names: 'bRbyIdT18M', 'GNVytlE9HT', 'dhTyqQJs3k', 'XyiyuNvVaq', 'zc6y4l2N0E', 'xOOyxl70Te', 'DCsyEDZIfV', 'uWhyRhDRwa', 'AKvy5asVQt', 'NOPyUNGpq0'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, zP11H08o6Km2rMwOyl.cs	High entropy of concatenated method names: 'z6oEZ5bvOM', 'j2nE0owRIH', 'DthRk11gyL', 'LjbRroHPel', 'BttETMn6Xa', 'xKPEwowr0p', 'nVmEbPL88A', 'QO0EKgD0Bi', 'I9HE3sHKhk', 'UN5EOc60mu'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, hh1LJnqwBQZGh7Abuu.cs	High entropy of concatenated method names: 'LhZmKcTFyX', 'PSlm38txvk', 'DqxmO6o60E', 'b4vmDJNrxP', 'Wv6mMgcLy1', 'rXmm81ZVJc', 'QkBm9kumqY', 'hF5mZWcDgE', 'TPgms5O71Z', 'q0Tm0JrObW'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, l26bIgQS75wMDahwwC.cs	High entropy of concatenated method names: 'oiZBXgD0J0', 'MpeBjvkjJ5', 'wlhBmnvqZt', 'fIUBykaEeU', 'oidBo1AEST', 'j5wBn5HFmA', 'uTZBLOyc0L', 'wEVBQrPCDV', 'TekB2GldA0', 'TbKBhY2RQq'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, PJQ67DpRPiXi34RkEE.cs	High entropy of concatenated method names: 'HVALjWRtDh', 'jkMLyjx72t', 'leoLnOSPws', 'OGkn0rRu31', 'qgtnzW6exA', 'HyoLkiIFWF', 'c1ILrtqDMv', 'X5aL6NuROZ', 'vQLLBhuU8k', 'p15LSChdO1'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, akHtHHWRoj1KpRJEOM.cs	High entropy of concatenated method names: 'rYinXwSbDO', 'AkHnmC6US1', 'PsWnoYvAS0', 'cxXnLneRlq', 'sFUnQ9fi4T', 'xysoMV2Pvy', 'xWto8q8BZ1', 'ELgo9CcjcX', 'NABoZuPgBP', 'gnTosLFZif'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, ipKb7VSmXFwe4SChaF.cs	High entropy of concatenated method names: 'i0yrLh1LJn', 'PBQrQZGh7A', 'U1IrhKgGwP', 'ak1rNJ2Nh8', 'rVMr43vkkH', 'BHHrxRoj1K', 'BoK2LK2QC9NLjqM0u2', 'rivk2IOq1AXbX4iOXL', 'i7drrN9KKR', 'l35rBZn6sw'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, lNh8eAvo6ccsL5VM3v.cs	High entropy of concatenated method names: 'nYGo7k7edK', 'YKmoCEJMRP', 'Ts8y17w9Wa', 'playVS6EMc', 'nyyyJREvFW', 'M05yl9Lhto', 'YClypAhVj3', 'AuXyfNM4c8', 'DMLyHV7L3e', 'pUvyiVv0Ac'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, fgp6Kr04uLGv6rkGUv.cs	High entropy of concatenated method names: 'HRYUy2DhXC', 'sq7UoVSnIm', 'YsQUnUM9cB', 'tXfULX8Nei', 'n5NU5WgGxL', 'gF1UQqFtg3', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, wyDynvrS2UY2eWT9mQT.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jdUd5t52i8', 'GgcdU0U1I4', 'tSMdYFumnA', 'DgQddfvX7b', 'kb3dGm7XFI', 'XTydgxjf0W', 'xETdaaqsr2'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, yIu8LoORYwJbNH3E7j.cs	High entropy of concatenated method names: 'ToString', 'kJmxTP7njx', 'Agqxey7Vtl', 'wEGx173lPO', 'QrNxVbyEQ5', 'C1IxJlieQw', 'lQKxl8vypb', 'vxnxp8pG9n', 'Lq7xfpBejN', 'f4exHl9mbe'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, pqQAd99VXWAxBjv6k3.cs	High entropy of concatenated method names: 't9W54Feej4', 'Soj5En1wKq', 'Hpb55UZ1Ii', 'O2D5Ywc5F3', 'RWR5GpnLKd', 'EaC5auv7Or', 'Dispose', 'dHlRjbLe8K', 'M6SRmQJ4bl', 'K2DRymVd4M'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, j7lg6vKuNvXN9BBcQb.cs	High entropy of concatenated method names: 'PPU4iQS3nl', 'B944wBtdSg', 'iZ34KHCNCK', 'cD8434GX3r', 'LQm4ebwjsi', 'Vas41LsIA7', 'HVq4Vb8xkm', 'N814JsN6Ad', 'Iw24lYLlOH', 'eSG4pek1Fp'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, GVV0tDHNZe2ilKBndv.cs	High entropy of concatenated method names: 'CQlLFQHf9g', 'oESLcMdbfU', 'LCsLAgEwes', 'MDNLImAKIC', 'XjAL7iZCTf', 'UikLt88Ccn', 'cXXLCHnBVa', 'mbILqvMuEr', 'ybnLu39YRs', 'csFLvODFrT'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, iFGnJ96dQaL1hu8ndn.cs	High entropy of concatenated method names: 'gpwAQ60FG', 'CHmIbrrWx', 'BW3t2TOTi', 'wefCBRtWb', 'loHu3akPM', 'GEavPHDXp', 'g0NJW2DJ8vgd1fS5qi', 'RwEsSHkRfVRIivv2HH', 'dSZRF2MvX', 'GqnUDb3JA'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, fJcWhBzSZjvYnMne5J.cs	High entropy of concatenated method names: 'EYoUtGUVlN', 'wbiUq7GYrs', 'K6oUupj6pD', 'i8vUWkIN1p', 'nFyUewX1eQ', 'N1sUVyYcvb', 'JcHUJY1u1F', 'xFPUaKRuRo', 'mdPUF0QOhq', 'eokUcpb983'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, i3PCudboK1bGMsnppx.cs	High entropy of concatenated method names: 'LQ1PqO9Wmx', 'tmGPuLVkpg', 'ki6PWgpQJa', 'EsTPeJ3iaS', 'NQSPVEedxO', 'cQgPJoHZMD', 'FfFPpQ3kOZ', 'lqLPfgJJSV', 'a5SPifax30', 'IZPPTI1eZv'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, fcfOPjmAdYV5WWfPdT.cs	High entropy of concatenated method names: 'Dispose', 'FAxrsBjv6k', 'VS56ebFn4a', 'cGq3ZW7I4p', 'Rqhr0YJ8mS', 'CCgrznOwfR', 'ProcessDialogKey', 'vPu6kGt9sk', 'u8c6riMjJN', 'gB466jgp6K'
Source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.44d7a68.3.raw.unpack, FnOgjYrrZVImV4S7MPK.cs	High entropy of concatenated method names: 'Lq9U0fqSQ2', 'ru1Uzgp3II', 'xn0YkoISt4', 'h8VYrsGiiL', 'kj4Y6dnqIn', 'Ud4YBsBNTf', 'hCbYSA1a6s', 'LFaYXFXMGm', 'J1gYjtJQ5b', 'NmcYmOwGtP'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: xlsx.scr

Static PE information: Packing List - SAPPHIRE X.xlsx.scr.exe

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Packing List - SAPPHIRE X.xlsx.scr.exe PID: 7056, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Memory allocated: 31F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Memory allocated: 9360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Memory allocated: A360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Memory allocated: A560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Memory allocated: B560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Memory allocated: 1230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Memory allocated: 2FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Memory allocated: 2E40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 599273	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 598794	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 598474	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 598358	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 597657	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 597532	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 597407	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 597282	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 596943	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 595983	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 595657	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 595532	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 595407	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 595282	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 595166	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5724	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3950	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Window / User API: threadDelayed 7259	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Window / User API: threadDelayed 2570	Jump to behavior

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 6228	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7208	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7244	Thread sleep count: 7259 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7244	Thread sleep count: 2570 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -599273s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -599172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -598794s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -598474s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -598358s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -598249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -598032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -597907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -597782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -597657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -597532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -597407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -597282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -597172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -596943s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -596563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -595983s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -595875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -595766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -595657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -595532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -595407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -595282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -595166s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -594688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -594563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -594453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -594344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -594219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe TID: 7240	Thread sleep time: -593985s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 599273	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 598794	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 598474	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 598358	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 597657	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 597532	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 597407	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 597282	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 596943	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 595983	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 595657	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 595532	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 595407	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 595282	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 595166	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: Packing List - SAPPHIRE X.xlsx.scr.exe, 00000004.00000002.4137158088.00000000012EB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe"
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe

Memory written: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Process created: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Packing List - SAPPHIRE X.xlsx.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4138252675.000000000303C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4136293284.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686840751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4138252675.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686840751.0000000004235000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Packing List - SAPPHIRE X.xlsx.scr.exe PID: 7056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Packing List - SAPPHIRE X.xlsx.scr.exe PID: 3260, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.59a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.59a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1688614396.00000000059A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686840751.0000000004235000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Packing List - SAPPHIRE X.xlsx.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4136293284.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686840751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4138252675.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686840751.0000000004235000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Packing List - SAPPHIRE X.xlsx.scr.exe PID: 7056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Packing List - SAPPHIRE X.xlsx.scr.exe PID: 3260, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.41f9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Packing List - SAPPHIRE X.xlsx.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4458e48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4138252675.000000000303C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4136293284.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686840751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4138252675.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686840751.0000000004235000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Packing List - SAPPHIRE X.xlsx.scr.exe PID: 7056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Packing List - SAPPHIRE X.xlsx.scr.exe PID: 3260, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.59a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.59a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1688614396.00000000059A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686840751.0000000004235000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 0.2.Packing List - SAPPHIRE X.xlsx.scr.exe.4235828.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	13 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	111 Security Software Discovery	Distributed Component Object Model	1 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
Packing List - SAPPHIRE X.xlsx.scr.exe	29%	ReversingLabs
Packing List - SAPPHIRE X.xlsx.scr.exe	39%	Virustotal	Browse
Packing List - SAPPHIRE X.xlsx.scr.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
beirutrest.com	50.87.144.157	true	false		high
api.ipify.org	172.67.74.152	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.dyn.com/	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1686840751.0000000004235000.00000004.00000800.00020000.00000000.sdmp, Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1686840751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, Packing List - SAPPHIRE X.xlsx.scr.exe, 00000004.00000002.4136293284.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ipify.org/t	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000004.00000002.4138252675.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ipify.org	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1686840751.0000000004235000.00000004.00000800.00020000.00000000.sdmp, Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1686840751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, Packing List - SAPPHIRE X.xlsx.scr.exe, 00000004.00000002.4136293284.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Packing List - SAPPHIRE X.xlsx.scr.exe, 00000004.00000002.4138252675.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1686099657.000000000324B000.00000004.00000800.00020000.00000000.sdmp, Packing List - SAPPHIRE X.xlsx.scr.exe, 00000004.00000002.4138252675.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000000.00000002.1689510902.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://beirutrest.com	Packing List - SAPPHIRE X.xlsx.scr.exe, 00000004.00000002.4138252675.000000000303C000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
50.87.144.157	beirutrest.com	United States		46606	UNIFIEDLAYER-AS-1US	false
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562851
Start date and time:	2024-11-26 07:25:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Packing List - SAPPHIRE X.xlsx.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/6@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 93 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:25:57	API Interceptor	12624670x Sleep call for process: Packing List - SAPPHIRE X.xlsx.scr.exe modified
01:25:59	API Interceptor	9x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
50.87.144.157	WOOYANG VENUS PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	MV BBG MUARA Ship's Particulars.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse
	CHARIKLIA JUNIOR DETAILS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse
	PEACE SHIP PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	ZHENGHE 3_Q88 20241118.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	01. MT JS JIANGYIN Ship Particulars.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	ESTEEM ASTRO PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Q88.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	TROODOS AIR PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
172.67.74.152	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	api.ipify.org/
	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
beirutrest.com	WOOYANG VENUS PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	50.87.144.157
	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	MV BBG MUARA Ship's Particulars.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
	CHARIKLIA JUNIOR DETAILS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
	PEACE SHIP PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	ZHENGHE 3_Q88 20241118.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	01. MT JS JIANGYIN Ship Particulars.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	ESTEEM ASTRO PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	Q88.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	TROODOS AIR PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
api.ipify.org	WOOYANG VENUS PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	https://app.useblocks.io/getemail/48034?secret_hash=d1541dc5be135b2d0f39c0711cecbe46&raw=true	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.13.205
	Orden de compra HO-PO-376-25.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	RICHIESTA D'OFFERTA.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.12.205
	DJ5PhUwOsM.exe	Get hash	malicious	AgentTesla, XWorm	Browse	104.26.13.205
	Ref#2056119.exe	Get hash	malicious	AgentTesla, XWorm	Browse	104.26.13.205
	PO#86637.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	DATASHEET.pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	WOOYANG VENUS PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	50.87.144.157
	https://yancesybros.com/WHF9842BVD.html	Get hash	malicious	Unknown	Browse	69.49.245.172
	Invoice-99007553423-protected.pdf	Get hash	malicious	Unknown	Browse	162.241.60.177
	https://clickme.thryv.com/ls/click?upn=u001.dxrPihnXBHUGsddmpkmwUOT9H2uuoftUJgS1ImyDp5PjZ7uor3Bx5LY8846lufrxOd-2B-2FCl5NSKC1v9uXskdIrA-3D-3DPV4X_Uxfyb-2FV90WCSGuHCd77YDe2QH-2FfxD2e5Op8ULStuWwSYUM08QLuqWk0rbdQO8p2GP5XR1Nwn9dFZi5DaOMyz92mdTvaHywQzrJIxcHTOEjrrUNll1a6cdLHKylkZo7LdScnRC-2F7iC6hnMEdduqsWXASxbd-2BZeaoWZvCDaIudlukgt9S3uZsKQeBP86XSjGCyt8CMjRvxL6j1Dyr0eym46qao7knFO6iIo9LZAeoxbyu5E6pzhyc9-2F2VP-2BlZM3Ea-2B-2FiBNpyPNxcoMEQ2om5Ig-2F7RZ8WTAt-2F5MxtsslPlJve5tzpsISP74pi-2B8USUpl-2BAaEmzHGUoeKWRMyxJH35FiSw-3D-3D	Get hash	malicious	Unknown	Browse	192.185.214.89
	AccountDocuments - christinal.docx	Get hash	malicious	Unknown	Browse	192.185.181.6
	https://www.google.com/url?q=https://clickme.thryv.com/ls/click?upn%3Du001.3HlspJ5fg-2BP4CQkV7GSVhvWTpgC6w0k7sA8b2Z9JBYU9BEMXtqHWLHW9PPcpforJszQ3_jzclrAiO28PBUU1ZLf2yC1YJEF5Rt8zDnz4yKbEuFqXf3c0fVOhzL2fXxOYix3CjCrzlLwoIPSXb9PavK50mtpdK-2FWF7thydb3q6E5ptEQiOVUz527Ewi1t813S-2FHejAJLe09fD2VqgM8mtwuQZA9i83VLkCPF4iItCSPXKUpNgWQKWxjEO6jlBp5GYVLghrpKcDuea5GONmLMVlbh4fQe7dtjhTFxxxExxfN1kv5tnx1PPl9DjYIyE468wz1qa1Z-2FWJgZrJbIFEpqhd4o5tGGyUoiPcIot5l2j9dpjy7QKj99ZiCz-2BBLi5dHUIl8gC4RxZBl-2FMaH4IZlQyWpqM-2BtZ9uE3ezFUl2fORMwAp4lQk-3D%23Cjanetrosenbach@imageindustries.com&source=gmail-imap&ust=1733149343000000&usg=AOvVaw1uIAp-JnZbTlkY9Td9ZLJj	Get hash	malicious	HTMLPhisher	Browse	192.185.113.79
	RICHIESTA D'OFFERTA.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	192.254.225.136
	Annual_Q4_Benefits_&_Bonus_for_Ed.riley#IyNURVhUTlVNUkFORE9NNDUjIw==.docx	Get hash	malicious	HTMLPhisher	Browse	108.179.192.137
	fat098765678900.bat.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml	Get hash	malicious	HTMLPhisher	Browse	108.179.192.137
CLOUDFLARENETUS	file.exe	Get hash	malicious	Unknown	Browse	104.21.7.169
	Finish_Agreement_DocuSign.pdf	Get hash	malicious	Unknown	Browse	104.18.95.41
	http://www.btc1yby.blogspot.rs/	Get hash	malicious	GRQ Scam	Browse	172.67.12.83
	WOOYANG VENUS PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.7.169
	kkEzK284oT.exe	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.187.240
	5QnwxSJVyX.doc	Get hash	malicious	Unknown	Browse	162.159.136.232
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	WOOYANG VENUS PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	5QnwxSJVyX.doc	Get hash	malicious	Unknown	Browse	172.67.74.152
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.67.74.152
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.67.74.152
	file.exe	Get hash	malicious	FormBook	Browse	172.67.74.152
	file.exe	Get hash	malicious	FormBook	Browse	172.67.74.152
	Orden de compra HO-PO-376-25.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	file.exe	Get hash	malicious	Cryptbot	Browse	172.67.74.152
	INV-0542.pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.74.152
	Evidence of copyright infringement (2).bat	Get hash	malicious	Unknown	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzea
MD5:	E193AFF55D4BDD9951CB4287A7D79653
SHA1:	F94AD920B9E0EB43B5005D74552AB84EAA38E985
SHA-256:	08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
SHA-512:	86F6ECDB47C1A7FFA460F3BC6038ACAFC9D4DED4D1E8D1FB7B8FE9145D9D384AB4EE7A7C3BE959A25B265AFEDB8FD31BA10073EC116B65BFE3326EF2C53394E6
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.354466045018109
Encrypted:	false
SSDEEP:	24:3gWSKco4KmZjKbm51s4RPzIKod6moUP7mZ9t7J0gt/NKIl9yH7:QWSU4xymI4RW9oUP7mZ9tK8ND2
MD5:	FA22ACDBA17F00D100A509B30B45EBED
SHA1:	565708094DE6C97C9758B1254E034B3BC43F37CA
SHA-256:	DDF248539A36CC42013A0CC8C23845E81FAE8ED63AFB8E122ECA83063F22C891
SHA-512:	98CD36DE2A262767B098405E9A7261FB8CFE82631795B19AA8D4EE2724F9850C520573DFFE9B4893F1E5009B9FC03A9EC47EF8A951E1ECA4DD3A6C1517928302
Malicious:	false
Reputation:	low
Preview:	@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_43e24mry.5r1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fbxqcxop.gbs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nqjzv3tp.qrv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xukhuikw.5mf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.733220394608299
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Packing List - SAPPHIRE X.xlsx.scr.exe
File size:	724'992 bytes
MD5:	de3f3b39af9a5caa1af9bb54f75504fa
SHA1:	18f16a9a90439c61602d3bed2a5e35ddde6e2e48
SHA256:	b3c12cee79f27bba7b9d58c690083d38170fac66c70ab18dd5897bf0268fc114
SHA512:	1c22903e9de29f9e5de88f5af4260e483014b2221b942bc93f686afd061925d7684342dbfde13c3eadf32549802ad35a8aab18c58bcb297f02d6e368f8c2ac3f
SSDEEP:	12288:YJCb+eCSmPvwDK2FjWwoL/zLXlM3fDp9WGtMly+MyU66hwnQsME2HRWNgj:tC9wDK2FInuP934y+MyU66qnQsH
TLSH:	0DF402996226D917E9D71770A870E3B927785ECDA512C323DBEDFDEB7C223087046281
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9Eg..............0.................. ........@.. .......................`............@................................

File Icon


Icon Hash:	322e2e3eee6e2697

Static PE Info

General

Entrypoint:	0x4affee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67453911 [Tue Nov 26 02:57:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add eax, dword ptr [eax]
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax+0000000Eh], al
pushad
add byte ptr [eax], al
adc byte ptr [eax], 00000000h
add byte ptr [eax], al
nop
add byte ptr [eax], al
sbb byte ptr [eax], 00000000h
add byte ptr [eax], al
rol byte ptr [eax], 00000000h
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
lock add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
jnle 00007FF104E7FB62h
add byte ptr [eax+00h], bh
add byte ptr [eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
and byte ptr [00000000h], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
test al, 00h
add byte ptr [eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaff9c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0x2a6c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xadff4	0xae000	6033e6cba3b264ef495b87689e2e3fe8	False	0.9102432426364943	data	7.73923901021069	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0x2a6c	0x2c00	7fd7b24f2bf2975c54e1ba7dbbce6f45	False	0.8669211647727273	data	7.46803723868534	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb4000	0xc	0x200	d9de5c240dd94dfd18ba6e04b58681fb	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb0100	0x241d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9700378583017848
RT_GROUP_ICON	0xb2530	0x14	data	1.05
RT_VERSION	0xb2554	0x318	data	0.4444444444444444
RT_MANIFEST	0xb287c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 07:26:00.358675003 CET	49732	443	192.168.2.4	172.67.74.152
Nov 26, 2024 07:26:00.358707905 CET	443	49732	172.67.74.152	192.168.2.4
Nov 26, 2024 07:26:00.358767986 CET	49732	443	192.168.2.4	172.67.74.152
Nov 26, 2024 07:26:00.366024971 CET	49732	443	192.168.2.4	172.67.74.152
Nov 26, 2024 07:26:00.366038084 CET	443	49732	172.67.74.152	192.168.2.4
Nov 26, 2024 07:26:01.581330061 CET	443	49732	172.67.74.152	192.168.2.4
Nov 26, 2024 07:26:01.581403017 CET	49732	443	192.168.2.4	172.67.74.152
Nov 26, 2024 07:26:01.585297108 CET	49732	443	192.168.2.4	172.67.74.152
Nov 26, 2024 07:26:01.585303068 CET	443	49732	172.67.74.152	192.168.2.4
Nov 26, 2024 07:26:01.585524082 CET	443	49732	172.67.74.152	192.168.2.4
Nov 26, 2024 07:26:01.635859013 CET	49732	443	192.168.2.4	172.67.74.152
Nov 26, 2024 07:26:01.683335066 CET	443	49732	172.67.74.152	192.168.2.4
Nov 26, 2024 07:26:02.020612955 CET	443	49732	172.67.74.152	192.168.2.4
Nov 26, 2024 07:26:02.020675898 CET	443	49732	172.67.74.152	192.168.2.4
Nov 26, 2024 07:26:02.020968914 CET	49732	443	192.168.2.4	172.67.74.152
Nov 26, 2024 07:26:02.029987097 CET	49732	443	192.168.2.4	172.67.74.152
Nov 26, 2024 07:26:03.042969942 CET	49735	21	192.168.2.4	50.87.144.157
Nov 26, 2024 07:26:03.162967920 CET	21	49735	50.87.144.157	192.168.2.4
Nov 26, 2024 07:26:03.163269997 CET	49735	21	192.168.2.4	50.87.144.157
Nov 26, 2024 07:26:03.165901899 CET	49735	21	192.168.2.4	50.87.144.157
Nov 26, 2024 07:26:03.286144972 CET	21	49735	50.87.144.157	192.168.2.4
Nov 26, 2024 07:26:03.286206007 CET	49735	21	192.168.2.4	50.87.144.157

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 07:26:00.208291054 CET	52044	53	192.168.2.4	1.1.1.1
Nov 26, 2024 07:26:00.347224951 CET	53	52044	1.1.1.1	192.168.2.4
Nov 26, 2024 07:26:02.476119041 CET	57085	53	192.168.2.4	1.1.1.1
Nov 26, 2024 07:26:03.040277004 CET	53	57085	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 26, 2024 07:26:00.208291054 CET	192.168.2.4	1.1.1.1	0x8d30	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 07:26:02.476119041 CET	192.168.2.4	1.1.1.1	0x3855	Standard query (0)	beirutrest.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 26, 2024 07:26:00.347224951 CET	1.1.1.1	192.168.2.4	0x8d30	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 26, 2024 07:26:00.347224951 CET	1.1.1.1	192.168.2.4	0x8d30	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 26, 2024 07:26:00.347224951 CET	1.1.1.1	192.168.2.4	0x8d30	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 26, 2024 07:26:03.040277004 CET	1.1.1.1	192.168.2.4	0x3855	No error (0)	beirutrest.com	50.87.144.157	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	172.67.74.152	443	3260	C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 06:26:01 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-26 06:26:02 UTC	399	IN	HTTP/1.1 200 OK Date: Tue, 26 Nov 2024 06:26:01 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e87cdf99ae80f6f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1508&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1954484&cwnd=223&unsent_bytes=0&cid=c4c1776fbcf08aac&ts=449&x=0"
2024-11-26 06:26:02 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

Target ID:	0
Start time:	01:25:56
Start date:	26/11/2024
Path:	C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe"
Imagebase:	0xd70000
File size:	724'992 bytes
MD5 hash:	DE3F3B39AF9A5CAA1AF9BB54F75504FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1688614396.00000000059A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1686840751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1686840751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1686840751.0000000004235000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1686840751.0000000004235000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1686840751.0000000004235000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:25:58
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe"
Imagebase:	0xb90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:25:58
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:25:58
Start date:	26/11/2024
Path:	C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Packing List - SAPPHIRE X.xlsx.scr.exe"
Imagebase:	0xae0000
File size:	724'992 bytes
MD5 hash:	DE3F3B39AF9A5CAA1AF9BB54F75504FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4138252675.000000000303C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4136293284.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4136293284.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4138252675.0000000003011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4138252675.0000000003011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.9%
Total number of Nodes:	203
Total number of Limit Nodes:	15

Executed Functions

Function 062D80E8 Relevance: 15.1, Strings: 10, Instructions: 2604COMMON

Download Yara Rule

Strings

$kq, xrefs: 062DADA8
4'kq, xrefs: 062D9FB9
4'kq, xrefs: 062DAD86
4'kq, xrefs: 062DACFB
4'kq, xrefs: 062D8F4B
4'kq, xrefs: 062D90D3
4'kq, xrefs: 062DAD56
4|pq, xrefs: 062DAED0
(okq, xrefs: 062D81BE
4|pq, xrefs: 062DAEEB

Memory Dump Source

Source File: 00000000.00000002.1688908278.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62d0000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: (okq$4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$4|pq$4|pq$$kq
API String ID: 0-267164343
Opcode ID: 4b48ae60af8e54209a935d65a66577c752c267c0df23393844ed251be730077b
Instruction ID: 46857b072945f57e634daa783f4ddd3c7e32c1551a8b4015de744e2a6e2ede03
Opcode Fuzzy Hash: 4b48ae60af8e54209a935d65a66577c752c267c0df23393844ed251be730077b
Instruction Fuzzy Hash: 2543EA74E10219CFCBA4DF68C988A9DB7B6BF48310F158595E819AB3A1CB35ED81CF50

Function 062DBAC8 Relevance: 8.5, Strings: 6, Instructions: 1022
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<ov!, xrefs: 062DBEC4
xbnq, xrefs: 062DBBF8
4'kq, xrefs: 062DC6B9
Tekq, xrefs: 062DC31C
poq, xrefs: 062DC791
TJpq, xrefs: 062DBC6D

Memory Dump Source

Source File: 00000000.00000002.1688908278.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62d0000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: 4'kq$<ov!$TJpq$Tekq$poq$xbnq
API String ID: 0-2107662943
Opcode ID: 304a1f65fd639d9b8a73c44868215aa9dc13dfa96ab9d085a6cb22c234e31242
Instruction ID: c397aff87402b75b37a2abb58a816848468bd4aa87dccf7d7cdc359a5e05e9e0
Opcode Fuzzy Hash: 304a1f65fd639d9b8a73c44868215aa9dc13dfa96ab9d085a6cb22c234e31242
Instruction Fuzzy Hash: 68B2D675E00228DFDB54CF69C984AD9BBB2FF89304F1581E9D509AB265DB319E81CF40

Function 062D70A0 Relevance: 7.0, Strings: 5, Instructions: 719COMMON

Download Yara Rule

Strings

,oq, xrefs: 062D76C7
(okq, xrefs: 062D7933
Hoq, xrefs: 062D79A0
(okq, xrefs: 062D7929
,oq, xrefs: 062D76B7

Memory Dump Source

Source File: 00000000.00000002.1688908278.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62d0000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: (okq$(okq$,oq$,oq$Hoq
API String ID: 0-811331273
Opcode ID: 594c20d973f7076033c0c2f7c99fa257ee003ef26f43c828b63174519958c1d5
Instruction ID: f810fe77ddadfb7b7b118481ab5e850d9751392adf95e74ff15034ab48f8c258
Opcode Fuzzy Hash: 594c20d973f7076033c0c2f7c99fa257ee003ef26f43c828b63174519958c1d5
Instruction Fuzzy Hash: D4528F31A10116DFDB58DF69C884AAEBBB2FF88350B158169EC15DB3A4DB34EC41CB90

Function 062D0460 Relevance: 6.9, Strings: 5, Instructions: 614
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hoq, xrefs: 062D0AB4
Hoq, xrefs: 062D0B3B
Hoq, xrefs: 062D0C83
Hoq, xrefs: 062D0BC5
Hoq, xrefs: 062D0A21

Memory Dump Source

Source File: 00000000.00000002.1688908278.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62d0000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: Hoq$Hoq$Hoq$Hoq$Hoq
API String ID: 0-1079488684
Opcode ID: 53afadbfe8330a7a8802138b2f469c03a9ba1cd5b5f0f5bbb03cff433833e567
Instruction ID: a863f44a116db0877862e76d78b5728c2b24f64231e2030e8a578f6a7a678cbe
Opcode Fuzzy Hash: 53afadbfe8330a7a8802138b2f469c03a9ba1cd5b5f0f5bbb03cff433833e567
Instruction Fuzzy Hash: 96328C70E102588FDB54DFA9C9507AEBBF2BF88300F1485AAD409AB395DB349D81CF95

Function 062D0451 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688908278.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62d0000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1433a0ea8ea953217f012fc2440bcd5ccb2a27228c68046225976eb17adb079d
Instruction ID: 87eb8d102c609bccc7e6ea309eb50b11c0d5a2ad568736061db9e3577a5bfeb6
Opcode Fuzzy Hash: 1433a0ea8ea953217f012fc2440bcd5ccb2a27228c68046225976eb17adb079d
Instruction Fuzzy Hash: A3C16D71E112598FDF54CFA9C98079DBBF2AF88300F14C1A9D809AB265DB70D985CF91

Function 07883030 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7a345c8372ce98fc766adf6703ccb3eaece5e68d122a7a2fbaf32fa0c5fae05
Instruction ID: 4df422e23a45538301d3deec13991d1344c5639aa3518de8a0e7bda99c0f273a
Opcode Fuzzy Hash: b7a345c8372ce98fc766adf6703ccb3eaece5e68d122a7a2fbaf32fa0c5fae05
Instruction Fuzzy Hash: D34156B4E08209CFCB48DFAAD8446EEBFF6AF9E710F14D06AE429A7251D7344941CB54

Function 078838DA Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6416e9f44d8a7ea65324c3ef203bfb4ac287816ea4919f31536089566d0a1689
Instruction ID: 7a6f13a6327acbec467ff0bee0238f202f223d7d89778ca436b54a17e6b283de
Opcode Fuzzy Hash: 6416e9f44d8a7ea65324c3ef203bfb4ac287816ea4919f31536089566d0a1689
Instruction Fuzzy Hash: AC2104B1D046588BEB18CFAAC8053DEFFF6AFD9300F14C06AD408A6264DB7409458F90

Function 078838E8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2bbf7cba6007cf3b0733823a5c6d946f941f6274ee486ebd96e34d9ee39a8b
Instruction ID: fc18d83f11cacc023c9c0b2404bfba022a6cfc24d36daf96677982ff25c0f332
Opcode Fuzzy Hash: 0e2bbf7cba6007cf3b0733823a5c6d946f941f6274ee486ebd96e34d9ee39a8b
Instruction Fuzzy Hash: 7F21D3B1D106599BEB18CF9BC8453DEFEF7AFC9300F14C06AD408A6264DB7409458F90

Function 0305D2D0 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0305D35E
GetCurrentThread.KERNEL32 ref: 0305D39B
GetCurrentProcess.KERNEL32 ref: 0305D3D8
GetCurrentThreadId.KERNEL32 ref: 0305D431

Memory Dump Source

Source File: 00000000.00000002.1685549426.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4a5886a810879370d1deb2a25f3039f24dc49e9d5639ac80bbd3bfe5814cff7a
Instruction ID: 7807a354f8c13d11b84f3d84988387a6227629e32b0b78b4b320e8c0455e53e5
Opcode Fuzzy Hash: 4a5886a810879370d1deb2a25f3039f24dc49e9d5639ac80bbd3bfe5814cff7a
Instruction Fuzzy Hash: 015165B09022498FDB44DFAAD548BDEBBF1EF48314F24C45AE449A7360D7349884CF65

Function 0305D2E0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0305D35E
GetCurrentThread.KERNEL32 ref: 0305D39B
GetCurrentProcess.KERNEL32 ref: 0305D3D8
GetCurrentThreadId.KERNEL32 ref: 0305D431

Memory Dump Source

Source File: 00000000.00000002.1685549426.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 75726e607c14a63d09e144d8aa0259d5d7328e075466d0d513a5b7808c5c132a
Instruction ID: 4d99d3079147049e2bee0cf4099aeb1de7651fb639de0f14940c30224cb21242
Opcode Fuzzy Hash: 75726e607c14a63d09e144d8aa0259d5d7328e075466d0d513a5b7808c5c132a
Instruction Fuzzy Hash: DB5165B09022498FDB54DFAAD548BDEBBF1EF88314F24C459E449A7360D734A884CF66

Function 07889530 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07889766

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: bbb75059adbc02fb5f40683330e58365be9729996e6081758afb980b94688caa
Instruction ID: e069537384323f67b6199e935472d5d79a3788dfb3ca5808e2b0da797496ed30
Opcode Fuzzy Hash: bbb75059adbc02fb5f40683330e58365be9729996e6081758afb980b94688caa
Instruction Fuzzy Hash: 7C915EB1D0021ADFDB50DF68C9417EEBBB2BF48310F1485A9E809E7254DB74A985CF91

Function 0305B048 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0305B29E

Memory Dump Source

Source File: 00000000.00000002.1685549426.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e2e68aa9012ab0813fbecbb1b00b5968210ada47a791566aafe57ee61f945693
Instruction ID: d52ff4456987dbc81b2772ae58357812fdff9dc589e968c64fb170fa7032afbc
Opcode Fuzzy Hash: e2e68aa9012ab0813fbecbb1b00b5968210ada47a791566aafe57ee61f945693
Instruction Fuzzy Hash: C27154B0A01B048FDBA4DF29C54579BBBF1FF88300F048A2DE44A97A40D735E845CB94

Function 030558ED Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030559A9

Memory Dump Source

Source File: 00000000.00000002.1685549426.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3223821fc50c08f953f8a62ebfa87a5c3c6adc013165570cdc4daea426841321
Instruction ID: 3a943f4034b73f6f892c6ae62f099eaec6f4345f7cf88a2404645611f1b68178
Opcode Fuzzy Hash: 3223821fc50c08f953f8a62ebfa87a5c3c6adc013165570cdc4daea426841321
Instruction Fuzzy Hash: 4341D0B0C01619CFDB24DFA9C884BCEBBF6BF49304F24806AD419AB255DB756945CF90

Function 030544B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030559A9

Memory Dump Source

Source File: 00000000.00000002.1685549426.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d050278d351a55a7e50f459be33a71b577e409d246c7da840b49d46533b0e9d4
Instruction ID: a35f20f73b2eae2c1d4e7ea73a417dff7a4be1730d1203e73beaf816f656f7c2
Opcode Fuzzy Hash: d050278d351a55a7e50f459be33a71b577e409d246c7da840b49d46533b0e9d4
Instruction Fuzzy Hash: AC41EEB0C0161DCFDB24CFA9C884B9EBBF6BF49304F24806AE419AB255DB756945CF90

Function 062D0D88 Relevance: 1.6, APIs: 1, Instructions: 81
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 062D0E47

Memory Dump Source

Source File: 00000000.00000002.1688908278.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62d0000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: d81b950f3add99d5ebe88e35e625a36bfa078252067f20a22be0f46e4189516f
Instruction ID: b71eeaa53c76ebcb266cefdde9398c789f70b853235c8023a2b925db9e745cee
Opcode Fuzzy Hash: d81b950f3add99d5ebe88e35e625a36bfa078252067f20a22be0f46e4189516f
Instruction Fuzzy Hash: CD3187729013899FCB11CFA9C804AEEBFF8EF09310F14845AE954AB221C335E950DFA5

Function 078892A1 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07889338

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2e512c5cd75cfddc86462299d4c08541e060006a13c43a9be7bf0b39ba1567f7
Instruction ID: 3af0964aee97aad6785884b296aee3e3b05416b7942f6a96c24b31d65237252e
Opcode Fuzzy Hash: 2e512c5cd75cfddc86462299d4c08541e060006a13c43a9be7bf0b39ba1567f7
Instruction Fuzzy Hash: 94212AB1900359DFCB10DFA9C985BEEBBF5FF48320F10842AE959A7250C778A544CBA4

Function 078892A8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07889338

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0e5901bfccbd5fa839af6edf172b908474b6cc63d87f1396ef59506c7c2f4d59
Instruction ID: 59d7c205308257e2d6a3f12c80d59c8dbb1d1b048a47f9d5198b6fef172f4c31
Opcode Fuzzy Hash: 0e5901bfccbd5fa839af6edf172b908474b6cc63d87f1396ef59506c7c2f4d59
Instruction Fuzzy Hash: 412139B1900359DFCB10DFA9C985BEEBBF5FF48310F108429E959A7250C778A944CBA4

Function 07889108 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0788918E

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9e4e9ad5830da01317b3267e26a2c03099207aa2f5927d8c9e822a0f5dcd40b5
Instruction ID: 5488adff0e33baff821267fb2833e279e398b471d4b13e87ff951bd4e8fbc630
Opcode Fuzzy Hash: 9e4e9ad5830da01317b3267e26a2c03099207aa2f5927d8c9e822a0f5dcd40b5
Instruction Fuzzy Hash: 592165B19003098FDB10DFAAC5847EEBBF4EF89324F14842AD459A7240CB78A944CFA4

Function 062D4690 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 062D470F

Memory Dump Source

Source File: 00000000.00000002.1688908278.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62d0000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: 414764f99a9450b42a81e05a7b6e30ae4ea5317ae016dc500108949b6c44f8c7
Instruction ID: e41aaa57d1d154aa8098a30fbdb7eb0ba0d7a9c2e0d5bbb35a44a6bb32905af2
Opcode Fuzzy Hash: 414764f99a9450b42a81e05a7b6e30ae4ea5317ae016dc500108949b6c44f8c7
Instruction Fuzzy Hash: 352166B5E002089FDB10EF99D445BAEFBF5FB49320F148419E856AB340CB74A905CFA5

Function 07889396 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07889418

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c987182fcb3d34df7d096d3e8bd81ec6bd0900b5e80f42f37fdae6b56f059d8d
Instruction ID: 721851b5a2fa82d6f16c365578a8922ddcde8956034117388f4077577badad08
Opcode Fuzzy Hash: c987182fcb3d34df7d096d3e8bd81ec6bd0900b5e80f42f37fdae6b56f059d8d
Instruction Fuzzy Hash: 3D2139B1900359DFCB10DFAAC844AEEFBF5FF48320F148429E559A7250C774A544CBA5

Function 07889398 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07889418

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f0f7316f749917bc0e62759f8ef09748003a4bb76783772a373f7e188e905b10
Instruction ID: a1801499824c9424bd45e9053955ec775866405de0b95bc4fe34e6a0bdddda57
Opcode Fuzzy Hash: f0f7316f749917bc0e62759f8ef09748003a4bb76783772a373f7e188e905b10
Instruction Fuzzy Hash: 632139B18003599FCB10DFAAC844AEEFBF5FF48320F108429E559A7250C774A544CBA4

Function 07889110 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0788918E

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 07fa6434be563525120bdcf84fdcd47990619a2ca7667f854d4f329b45a1cfbf
Instruction ID: 5025e6495c9cbd8edc7bdff726d3954335e18475b9afc9c5feea6b140d8c124f
Opcode Fuzzy Hash: 07fa6434be563525120bdcf84fdcd47990619a2ca7667f854d4f329b45a1cfbf
Instruction Fuzzy Hash: E62158B1D003098FDB10DFAAC4857EEBBF4EF88324F10842AD459A7240CB78A944CFA4

Function 0305D520 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0305D5AF

Memory Dump Source

Source File: 00000000.00000002.1685549426.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b3629e1c3c7c8edb5fcd3f860ef91e416532b94ce2bd788e1a2d6b02875b38d4
Instruction ID: 1b200d108debb9e59930ae989d331724f0a715f62c7dc511dc01d8121803d578
Opcode Fuzzy Hash: b3629e1c3c7c8edb5fcd3f860ef91e416532b94ce2bd788e1a2d6b02875b38d4
Instruction Fuzzy Hash: 4021E2B5D01208AFDB10CFA9D984ADEBBF8EB08310F14841AE918A7320D374A940CFA5

Function 0305D528 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0305D5AF

Memory Dump Source

Source File: 00000000.00000002.1685549426.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6b63e44238cc19956279f7a12682e9db95fdfe598dd965bcc68a32ce05d21649
Instruction ID: 02cd47efb5edb36029bd7e9c4c3d029b76b7d3a3131744a8548a712a9a24f744
Opcode Fuzzy Hash: 6b63e44238cc19956279f7a12682e9db95fdfe598dd965bcc68a32ce05d21649
Instruction Fuzzy Hash: 7A21E2B59012489FDB10CFAAD984ADEFBF8EB48320F14841AE918A3310D374A940CFA5

Function 062D4680 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 062D470F

Memory Dump Source

Source File: 00000000.00000002.1688908278.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62d0000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: bd7488f44ffa23a8a0d7d0d912835d9a3af87bdf37f6dcbecb26a16ac717b0b2
Instruction ID: 87adef7163ef7ebdbbd7500cab48af09f661438bebc9c744288ffbf0eb70bf72
Opcode Fuzzy Hash: bd7488f44ffa23a8a0d7d0d912835d9a3af87bdf37f6dcbecb26a16ac717b0b2
Instruction Fuzzy Hash: F32143B5D002489FDB10EF99D849BEEBBF0EB09310F148419E869BB284D3346905CFA5

Function 078891E0 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07889256

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bbb2808cbbfbf21d66a60576421ae4030a8367a625b416b0ef4a26329b4baabb
Instruction ID: 7a65c0bd40c97bd23c82723f55e479a30dbdbb23e7acf5e0e058d9d2e20ca795
Opcode Fuzzy Hash: bbb2808cbbfbf21d66a60576421ae4030a8367a625b416b0ef4a26329b4baabb
Instruction Fuzzy Hash: 8D115CB58002499FCB10DFA9C8447DEBFF5EF48320F108419D565A7250C775A544CFA0

Function 078891E8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07889256

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5c4ea02c1d15f581b2d570e21edeb43f5b0562cf6118adcf3eaba90f34232675
Instruction ID: 630ca4b174c78de96429207f9e92a2d729e299eba59510ba609148eb2dce432e
Opcode Fuzzy Hash: 5c4ea02c1d15f581b2d570e21edeb43f5b0562cf6118adcf3eaba90f34232675
Instruction Fuzzy Hash: 1E1137B19002499FCB10DFAAC844BEFBFF5EF88320F108819E569A7250C775A544CFA4

Function 07889059 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 078890C2

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6ba01ab37e81c3111e757d0c06f55b978012f159c5049751f6066770576cdfac
Instruction ID: aaac4c0e7a9e7f4ba5ce8a4df3623f6e49ba115f28a059eb6f8f546af8cefb9b
Opcode Fuzzy Hash: 6ba01ab37e81c3111e757d0c06f55b978012f159c5049751f6066770576cdfac
Instruction Fuzzy Hash: 1E1149B1900259CBDB20DFAAC4457EEFBF8EB88324F20881AD559A7250C735A544CB94

Function 07889060 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 078890C2

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3c27b5d978baed052c88fa9ed7bd0ec1bfa10e5a192e89516037c62c36613b62
Instruction ID: 3edd21bf59904b3b0f099de9552f5c1699a7a207b6559fd558cbe84a0390897a
Opcode Fuzzy Hash: 3c27b5d978baed052c88fa9ed7bd0ec1bfa10e5a192e89516037c62c36613b62
Instruction Fuzzy Hash: EA113AB19003498FDB20DFAAC4457EEFBF8EB88324F208819D559A7250C775A544CF94

Function 0788BD08 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0788BD6D

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f7c78160ac60e30a3b3d0161c4eb3c80816fc983f0cfa53e1889b61becd98a3b
Instruction ID: 4834613a49f1a5e34fdac2c7edcdcb861c28036b507709f81d8740848ea50d28
Opcode Fuzzy Hash: f7c78160ac60e30a3b3d0161c4eb3c80816fc983f0cfa53e1889b61becd98a3b
Instruction Fuzzy Hash: 2F11E3B5800249AFDB10DF99D448BDEBFF8EB59324F108419E558A7210C375A544CFA5

Function 07885E18 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0788BD6D

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 471d453a7aeb0b351798d698f9ca940a5789d4565ce7b06497c6ad846cfe4db6
Instruction ID: e8259eeb628ed98959a9bfbfefd33cdaae0c28c066323bd0b8c96ccaa9f4390a
Opcode Fuzzy Hash: 471d453a7aeb0b351798d698f9ca940a5789d4565ce7b06497c6ad846cfe4db6
Instruction Fuzzy Hash: 1E11F2B58003499FDB60DF9AD448BDEBFF8EB49320F10881AE559A7210C375A944CFA5

Function 0305B238 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0305B29E

Memory Dump Source

Source File: 00000000.00000002.1685549426.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 40e800a66844d6cd71b03464377338b0cef68d5ad3aba4b75ac0f66027cdc860
Instruction ID: 783d941a7e03992d6f34c0fe2d1a4ca9fdf645c8f53535b67fac5caab62a60b0
Opcode Fuzzy Hash: 40e800a66844d6cd71b03464377338b0cef68d5ad3aba4b75ac0f66027cdc860
Instruction Fuzzy Hash: 1211EDB6C013498FDB10CF9AC444ADFFBF4AB88324F14842AE869A7610C379A545CFA5

Function 02ECD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684833962.0000000002ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ecd000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d194a94b9b52d0602678b45e3dc720b0f7a41a0e2ce06d1e9d3e362db91bd5fb
Instruction ID: f05ca96c29845b29efd6d8885d72c3e9818a7b24564ed033173d47e3a60bd614
Opcode Fuzzy Hash: d194a94b9b52d0602678b45e3dc720b0f7a41a0e2ce06d1e9d3e362db91bd5fb
Instruction Fuzzy Hash: 0321FF72580240DFDB05DF54DAC0B2ABF65FB88328F30C57DE9094A256C336D457CAA2

Function 02EDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684897338.0000000002EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2edd000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434247544a238bcf8e12a236690f7240a0ba91905e4ed8dd671bf2fec03932bb
Instruction ID: dfd94ae3bbadd75421e4f6dbb59e5155ee0333d6bb880dc4a13cc364154fb19c
Opcode Fuzzy Hash: 434247544a238bcf8e12a236690f7240a0ba91905e4ed8dd671bf2fec03932bb
Instruction Fuzzy Hash: 1D21F272684200DFDB14DF24D984B26BBA6EBC8318F64C569D80A4B296C33AD847CA61

Function 02EDD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684897338.0000000002EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2edd000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2edd98738100a7a03704a3304fc28b0d1f52b4ce0a405f320ddff39a7e4d966
Instruction ID: 540fef84fd115893b86aed7cb2a93ab03dfa7b46dbc738994681ee67afd06308
Opcode Fuzzy Hash: a2edd98738100a7a03704a3304fc28b0d1f52b4ce0a405f320ddff39a7e4d966
Instruction Fuzzy Hash: 3B210472584204EFDB05DF54DEC0B26BBA5FB88318F20C66DE84D4B256C336D447CA61

Function 02EDD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684897338.0000000002EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2edd000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b67fe1c08b3260a5344a596bae627c3af40be86ccfb4a3161978cbeca6c2e32
Instruction ID: ed95641841b7d7bc7c9521a7cb3944e6ae38297f2c54217fa6cde6eda36021a7
Opcode Fuzzy Hash: 5b67fe1c08b3260a5344a596bae627c3af40be86ccfb4a3161978cbeca6c2e32
Instruction Fuzzy Hash: 0221A7755493C08FD712CF24D994715BF71EB46218F28C5DAD8498F6A7C33A940BCB62

Function 02ECD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684833962.0000000002ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ecd000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 741b47af13cb06f812abe3bcbbc64143abc58bc5cc806200695a71246bca0a47
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: CA11AF76544280CFCB16CF54DAC4B16BF71FB84328F24C6ADD8494B656C336D45ACBA1

Function 02EDD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684897338.0000000002EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2edd000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 4a47c855e11d5758072e9ef7fdee7a51fe8c17414088f66795e1fc967d64c756
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: BB11BB76544280DFCB02CF50C9C4B15BBB1FB84218F24C6AAD8494B696C33AD41ACB61

Non-executed Functions

Function 062DBABA Relevance: 4.0, Strings: 3, Instructions: 234COMMON

Download Yara Rule

Strings

xbnq, xrefs: 062DBBF8
Tekq, xrefs: 062DC31C
TJpq, xrefs: 062DBC6D

Memory Dump Source

Source File: 00000000.00000002.1688908278.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62d0000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: TJpq$Tekq$xbnq
API String ID: 0-3321955333
Opcode ID: 9fed39dc94db3d0ba0999fa9804de119b1d97d5a9d4cb2bb89f24678a3a30579
Instruction ID: 539cef79db3d54cc5c6fc45dfea136a7f8d8c2c277c44daa213515c067110b8f
Opcode Fuzzy Hash: 9fed39dc94db3d0ba0999fa9804de119b1d97d5a9d4cb2bb89f24678a3a30579
Instruction Fuzzy Hash: E0B161B5E016588FDB58CF6AD9446DDBBF2BF88301F14C1AAD809AB364DB305A85CF50

Function 062DB3C9 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

4'kq, xrefs: 062DB4AA

Memory Dump Source

Source File: 00000000.00000002.1688908278.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62d0000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: 34e5b5f11be40b9b355109618a0fde6a2ed9ed2e17cc8a84e62d2813e8cf62b0
Instruction ID: 3d70e59cfed966fc180f70d01c5941a33487ecba41aa94f2fcb08ab28f2f92c4
Opcode Fuzzy Hash: 34e5b5f11be40b9b355109618a0fde6a2ed9ed2e17cc8a84e62d2813e8cf62b0
Instruction Fuzzy Hash: 02611C71E116098FD708DF6BE94569ABFF3FB88300F14D669E0189B2A8DB346946CB50

Function 062DB3D8 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4'kq, xrefs: 062DB4AA

Memory Dump Source

Source File: 00000000.00000002.1688908278.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62d0000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: 363c3af6eb19b7d6f1c4c0468a797c21571c9b8842dcef5e0950dd0be8b3e400
Instruction ID: 06120887bfbc7b90b5b1cc3d618356797dc2dac6b95197c0d6790fb6f0392076
Opcode Fuzzy Hash: 363c3af6eb19b7d6f1c4c0468a797c21571c9b8842dcef5e0950dd0be8b3e400
Instruction Fuzzy Hash: 5761FB70E116098FD748DF6BE94569ABFF3FB88300F14D669E0189B2A8DF746846CB50

Function 0788D34C Relevance: .7, Instructions: 704COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180ad458bcf3e4d0a76182041eace3196c03d3442b8c0b3d9ce58c192391a96d
Instruction ID: 2237d746923f5e86318b6df1b21a4c1b89ba549e91ccc1c4292cca0fee13dbc4
Opcode Fuzzy Hash: 180ad458bcf3e4d0a76182041eace3196c03d3442b8c0b3d9ce58c192391a96d
Instruction Fuzzy Hash: C7D1ACB17027058FDB56EF79C450BAEBBF6AF89300F1484A9D546CB291CB35E801CB62

Function 07887150 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981cbdc9ba2fbb265f38c174aac4d4a330301654d765e5519d3076b58d53d534
Instruction ID: 370b3cc102e5919169cac62531de6a1e938ffb3c536e73e68c461da1c2559d3d
Opcode Fuzzy Hash: 981cbdc9ba2fbb265f38c174aac4d4a330301654d765e5519d3076b58d53d534
Instruction Fuzzy Hash: BFE10AB4E101198FDB14DFA9C5809AEFBB2FF89304F248169E419AB356D734AD42CF61

Function 07887598 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b13f9457edb9f74e55c456d1ad841ccd169e5db2d84a5022c78bec678ec95dc
Instruction ID: a1c4cdf3c8798db21c70ddcfcfe8ddfc62aef4d045a9f779e6f8e7a14cb111cb
Opcode Fuzzy Hash: 3b13f9457edb9f74e55c456d1ad841ccd169e5db2d84a5022c78bec678ec95dc
Instruction Fuzzy Hash: B9E1F9B4E101198FDB14DFA9C5809AEFBB2FF89304F248169E415AB356D734AD42CFA4

Function 07886D28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42caa119fb9953b6be48c75cbe5a1a77e09a30cf4a121e35684102fab0df84b7
Instruction ID: 5ae488563acac2ed2a3f0bff7f50e4d7cbb5d26c2a203d5a7166db084a021f19
Opcode Fuzzy Hash: 42caa119fb9953b6be48c75cbe5a1a77e09a30cf4a121e35684102fab0df84b7
Instruction Fuzzy Hash: 90E1F9B4E101198FDB14DFA9C5809AEFBB2FF89304F248169E415AB356D735AD42CFA0

Function 078868F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332189a54336b613ad9b2ef56596e38554d8bfa01bff24a1b9c1e155fd0aac53
Instruction ID: e3052eda09644d4390eed5d394bfb9b57361813f31138e12f9d0984647d0cd36
Opcode Fuzzy Hash: 332189a54336b613ad9b2ef56596e38554d8bfa01bff24a1b9c1e155fd0aac53
Instruction Fuzzy Hash: 1EE107B4E101198FDB14DFA9C580AAEFBB2FF89304F248169E415AB356D731AD42CF60

Function 07888838 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa5f64f1024dbbec1e4457dc94fc04cfe5399e27d89461fe375cd13b766b9d0
Instruction ID: 3e8c1378663455bdbb60f88caedf7fff4ac6200bc46e686edd17a4ea23716ace
Opcode Fuzzy Hash: baa5f64f1024dbbec1e4457dc94fc04cfe5399e27d89461fe375cd13b766b9d0
Instruction Fuzzy Hash: F7E10AB4E101198FDB54DFA9C580AAEFBB2FF89304F248169D419AB356D730AD42CF61

Function 0305DE34 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685549426.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3050000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f52e81ae3392c4659797c98dd482f90c9996ba80c65fc3bc9f60f9723445f95
Instruction ID: b60e7de92de1b8d48a7404f867168a9aefcc422e3bdb7c848634b17cdffb2755
Opcode Fuzzy Hash: 0f52e81ae3392c4659797c98dd482f90c9996ba80c65fc3bc9f60f9723445f95
Instruction Fuzzy Hash: D1A14C36E0121ACFCF05EFB4C8445DEBBB6FF84300B2545AAE905AB265DB75E945CB80

Function 0788ADE0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690594385.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0035ed0a0629072d505fa339c0e3ea71244d71ebce4f91fbfe3bbe4c983d5011
Instruction ID: a1dffd54da5205d27734ab3924e93497829ce0ecc70d4b29d303fead6c6bb78e
Opcode Fuzzy Hash: 0035ed0a0629072d505fa339c0e3ea71244d71ebce4f91fbfe3bbe4c983d5011
Instruction Fuzzy Hash: 6CD017F0D4D018CBCB90AE48A0402F8FB78EBAB366F002096D58DE3601C3309A948A04

Analysis Process: Packing List - SAPPHIRE X.xlsx.scr.exePID: 3260, Parent PID: 7056COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	151
Total number of Limit Nodes:	16

Executed Functions

Function 06B83060 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06B8376B
$kq, xrefs: 06B83794
$kq, xrefs: 06B8375F
$kq, xrefs: 06B837AC
$kq, xrefs: 06B837B8
$kq, xrefs: 06B83788

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 35fe0e2b3f7d0dabe22d086c8f77e263c2f97e47ad1dae6b88277a89921a27ea
Instruction ID: 9c98aabb60bf9d041dff3e249c071c1939c33fc4fc2adbcd2e7bdf326f68723a
Opcode Fuzzy Hash: 35fe0e2b3f7d0dabe22d086c8f77e263c2f97e47ad1dae6b88277a89921a27ea
Instruction Fuzzy Hash: 8B324170E1061ACFCB14EFA5D99459DB7B2FFC9300F20D6A9D409A7264EB34E985CB90

Function 06B87D80 Relevance: 3.0, Strings: 2, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06B8831B
$kq, xrefs: 06B88327

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 4a06ac3b9ac3118c5a85cb7de7638e74c9720a577f173b02171e488bc3901a8a
Instruction ID: 27edf62c366b6b2b25df3f1393ce648f051b500589d52157936e2699c0d16567
Opcode Fuzzy Hash: 4a06ac3b9ac3118c5a85cb7de7638e74c9720a577f173b02171e488bc3901a8a
Instruction Fuzzy Hash: 1D02AF70B102098FDB64EF65D650AAEB7E6FF84300F648569D405EB394DB39EC86CB90

Function 06B855A0 Relevance: 1.9, Strings: 1, Instructions: 602COMMON

Download Yara Rule

Strings

$, xrefs: 06B8597B

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: b0a82ebaf9496169e604536a4ea57008cbe6d35258f0635efbb7a731b30d9d6d
Instruction ID: 802987f47b3bd985c5d43affc14eebed5d10c09fdea4f60388787100ec45f34c
Opcode Fuzzy Hash: b0a82ebaf9496169e604536a4ea57008cbe6d35258f0635efbb7a731b30d9d6d
Instruction Fuzzy Hash: 8022C3B6E102058FDFB4EBA4C5806AEB7F6FF84320F2484AAD415AB355DA35DC41CB91

Function 06B865F0 Relevance: .8, Instructions: 827COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80af04f6f2fbe1c9a03e8933065ae84359ebd52418c644fcaa9ecc4fc0574901
Instruction ID: 5a4dcd321e2fd76925b5b4493ff4e0cf72ea1bd5696489f7265fce02807579d7
Opcode Fuzzy Hash: 80af04f6f2fbe1c9a03e8933065ae84359ebd52418c644fcaa9ecc4fc0574901
Instruction Fuzzy Hash: 32629E74B002058FDB54EB68D644AADB7F2EF88314F2484A9E415EB395EB35ED42CB90

Function 06B8C190 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64fd391d5199961bf6b8978447679b7c81c2c36c4c5902ba043a271885027da0
Instruction ID: fe8713efae1877a856b95f67399760d2cd4c8434969366bbae00900bd351075a
Opcode Fuzzy Hash: 64fd391d5199961bf6b8978447679b7c81c2c36c4c5902ba043a271885027da0
Instruction Fuzzy Hash: 013281B4B102098FDF64EF68D590AAEBBB2FB88310F109565D505E7395DB35EC42CBA0

Function 06B8B238 Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142c4bcfab8430fa7ade5a742b430dbdf8ae9bddd5b74f3cdd657536c2fc616f
Instruction ID: 76cab4d77694bd43f3abf6d317925d5c7e3a1d56ef8d0d311d64a64793c8bce2
Opcode Fuzzy Hash: 142c4bcfab8430fa7ade5a742b430dbdf8ae9bddd5b74f3cdd657536c2fc616f
Instruction Fuzzy Hash: 5B22A0B0E002098FDF64EB68D5907AEB7B2FB45310F249566E415EB395CA39DC81CB91

Function 06B8ACE0 Relevance: 10.4, Strings: 8, Instructions: 402
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06B8AEB8
$kq, xrefs: 06B8AE0D
$kq, xrefs: 06B8AE01
$kq, xrefs: 06B8AEAC
$kq, xrefs: 06B8AE60
$kq, xrefs: 06B8AE54
$kq, xrefs: 06B8AE83
$kq, xrefs: 06B8AE8F

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: f22c1da8bb1e39ef2abad702963762d633bdc0cb66131979197885844d564c50
Instruction ID: c0fc966c444ee2ab2905a4093bd636a10939bcdc4b40e165b5bfb6bd65dd1b22
Opcode Fuzzy Hash: f22c1da8bb1e39ef2abad702963762d633bdc0cb66131979197885844d564c50
Instruction Fuzzy Hash: BDE17170E202098FDB65EF69D5906AEB7B2EF85300F20896AD405EB354DB35EC46CB91

Function 06B8B658 Relevance: 8.0, Strings: 6, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06B8BBE9
$kq, xrefs: 06B8BC11
$kq, xrefs: 06B8BC1D
$kq, xrefs: 06B8BBB5
$kq, xrefs: 06B8BBDD
$kq, xrefs: 06B8BBA9

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 201016ad171f0d3b703f7904d1fc59fa99d224e62a922874d4a53f036c913704
Instruction ID: e1893430bfdd2b16ecf683368625581b6c94f4ef913b5ecec9174edcf2c5b608
Opcode Fuzzy Hash: 201016ad171f0d3b703f7904d1fc59fa99d224e62a922874d4a53f036c913704
Instruction Fuzzy Hash: 44027DB0E1020A8FDB64EF68D5806ADB7B2FB45310F2095AAD415DB355DB35EC81CB91

Function 06B72873 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06B728F6
GetCurrentThread.KERNEL32 ref: 06B72933
GetCurrentProcess.KERNEL32 ref: 06B72970
GetCurrentThreadId.KERNEL32 ref: 06B729C9

Memory Dump Source

Source File: 00000004.00000002.4142505190.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b70000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 356e6c26be7deeaab0fd6f2550e9fee1455c1ce615d144a24c1b7e9277081a0d
Instruction ID: fcb05200c78325f0230e2a43cd9951ab916a69f3b4d1536eda774599a12277df
Opcode Fuzzy Hash: 356e6c26be7deeaab0fd6f2550e9fee1455c1ce615d144a24c1b7e9277081a0d
Instruction Fuzzy Hash: 9E5145B0900249CFDB54DFAAD948BDEBBF1EF48304F248469E419A73A0D7359984CF65

Function 06B72878 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06B728F6
GetCurrentThread.KERNEL32 ref: 06B72933
GetCurrentProcess.KERNEL32 ref: 06B72970
GetCurrentThreadId.KERNEL32 ref: 06B729C9

Memory Dump Source

Source File: 00000004.00000002.4142505190.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b70000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3e674d3afb2f57532d7443f5c45621e56b02f4193463d4e1c7969a0adf1eb79e
Instruction ID: b3ddaec3218dea69713aaec014c733f3b5777867a36d81e48b6fd97a07d579c9
Opcode Fuzzy Hash: 3e674d3afb2f57532d7443f5c45621e56b02f4193463d4e1c7969a0adf1eb79e
Instruction Fuzzy Hash: 405154B0900249CFDB54DFAAD948B9EBBF1EB48304F248469E419A73A0D7359984CF65

Function 06B89158 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06B891C8
$kq, xrefs: 06B891D4
$kq, xrefs: 06B8920F
$kq, xrefs: 06B89203

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 86373f3a2fb85e6d13e0d67b9ca73fb2eeab1d3f53463f449e0737f3a322bf87
Instruction ID: 1863a54a394f53f375d0b1007b66b04f2c82764619f051f167e9c25257f4070a
Opcode Fuzzy Hash: 86373f3a2fb85e6d13e0d67b9ca73fb2eeab1d3f53463f449e0737f3a322bf87
Instruction Fuzzy Hash: A4914370F1021A8FDF64EF69D9507AE73F6EF84240F148569D809A7398EA35DC41CB90

Function 06B8CF48 Relevance: 4.5, Strings: 3, Instructions: 797
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06B8D353
$kq, xrefs: 06B8D347
$kq, xrefs: 06B8D33F

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq
API String ID: 0-2086306503
Opcode ID: 554ff6e0ef726b9edf3f284719e164788cff7ecf1be944c9274f387f677c19e4
Instruction ID: a9686b1c579ad7041320455c7cf8ea99f64020dd58321ebae06a7a94f47f3526
Opcode Fuzzy Hash: 554ff6e0ef726b9edf3f284719e164788cff7ecf1be944c9274f387f677c19e4
Instruction Fuzzy Hash: 6A624430A5020A8FCB55EF68D690A5EB7F2FF84304F248969D4159F369DB75EC86CB80

Function 06B84B70 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Opq, xrefs: 06B84D27
XPpq, xrefs: 06B84C9D
fpq, xrefs: 06B8527D

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: fpq$XPpq$\Opq
API String ID: 0-2571271785
Opcode ID: 5f58dc1e3f2dc3a554c5930aaf5c935a6e3111f9139819c367a35c6ffe5fcbf4
Instruction ID: 9138091ea81ee584b330dfc606932d746952eec9c3d5658d4e6972cecd7bf66c
Opcode Fuzzy Hash: 5f58dc1e3f2dc3a554c5930aaf5c935a6e3111f9139819c367a35c6ffe5fcbf4
Instruction Fuzzy Hash: EA617F70F102199FEB54AFA5C914BAEBAF6FF88700F208429D106AB394DE758C45CB90

Function 06B89149 Relevance: 2.7, Strings: 2, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06B891C8
$kq, xrefs: 06B89203

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 5c09532d45cf253b4566fb0333d2aa04048ea83c54454a7e5f21b64cfc9430aa
Instruction ID: 894224e65c4bbc0cd124b4ae71186962ebc838780e9d3affd9e4eecabc8e984d
Opcode Fuzzy Hash: 5c09532d45cf253b4566fb0333d2aa04048ea83c54454a7e5f21b64cfc9430aa
Instruction Fuzzy Hash: B5516270B001068FDF64EF78DA607AE73F6EB88640F148469D809E7398EA35EC51CB90

Function 06B7AF10 Relevance: 1.7, APIs: 1, Instructions: 209COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06B7B176

Memory Dump Source

Source File: 00000004.00000002.4142505190.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b70000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e5e45f01a666749fa199b9feca2bd96dee9eb951bac79dc442b36d880a90af9a
Instruction ID: 4652b2d480fe35c9aef10cbca3bf425568955769bee911634d9a6e27352afbce
Opcode Fuzzy Hash: e5e45f01a666749fa199b9feca2bd96dee9eb951bac79dc442b36d880a90af9a
Instruction Fuzzy Hash: DE8156B0A00B058FD7A4DF2AD54479ABBF1FF88300F108969D4AAD7A50D775E849CF90

Function 0123EA51 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4137041283.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1230000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9379248c0dd8dac3cb1edb90f3abcaada601ed2ccb64783f1d09ce87d6d882
Instruction ID: 8db5e846fd4561669dd08e8a2672373a0908a3065f272584fb00eb219098bc5e
Opcode Fuzzy Hash: ef9379248c0dd8dac3cb1edb90f3abcaada601ed2ccb64783f1d09ce87d6d882
Instruction Fuzzy Hash: A64124B2D103968FCB14DF79D8042EEBFB2EF89210F15856AD904E7241EB749885CBE1

Function 06B7D0F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06B7D202

Memory Dump Source

Source File: 00000004.00000002.4142505190.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b70000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b67ba38c45a392aa93720fd5ae7b184676b6d8aaaeda7c2165931c0470e12049
Instruction ID: a88b0659322c7a19b50b776700740d0f47d7032c995f01a704d6da63479e64e4
Opcode Fuzzy Hash: b67ba38c45a392aa93720fd5ae7b184676b6d8aaaeda7c2165931c0470e12049
Instruction Fuzzy Hash: 3C41AEB1D003599FDB14CF99C984ADEBFB5FF88350F24816AE819AB210D7719985CF90

Function 06B7A5EC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06B7F8F1

Memory Dump Source

Source File: 00000004.00000002.4142505190.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b70000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 173fe57e46e0b8d349f938a07d425a2e0dae2804fc5962be25aafdcde7b1760b
Instruction ID: 089a024e64e93fe98c98c6e4e6d71d81778406af34068bc867978ef7ccfbd241
Opcode Fuzzy Hash: 173fe57e46e0b8d349f938a07d425a2e0dae2804fc5962be25aafdcde7b1760b
Instruction Fuzzy Hash: 5C415DB5900309DFDB54CF99C888AAABBF5FF88314F14C499D529AB321D734A841CFA4

Function 06B72AB8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06B72B47

Memory Dump Source

Source File: 00000004.00000002.4142505190.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b70000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 08e6fafbc3fe0e4a7c65fffe1b8197f4156cd1c4796a014ceb9b8aecf747169b
Instruction ID: bd06b9380ae58a9a0d1cda8665ab74b48a50a1b6f79180e46655414da440ba98
Opcode Fuzzy Hash: 08e6fafbc3fe0e4a7c65fffe1b8197f4156cd1c4796a014ceb9b8aecf747169b
Instruction Fuzzy Hash: 5721E3B5D00249DFDB10CFAAD984ADEBFF5EB48310F14805AE958A7310C374AA44CFA4

Function 06B72AC0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06B72B47

Memory Dump Source

Source File: 00000004.00000002.4142505190.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b70000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d3be09787bd7dfbf325324e0e9a8f8b9815f76f25dcb1530506bf17859a9384d
Instruction ID: 624e1df36740195f3cb2b63ee845dbb402145102c233e3373d41e861a8f40985
Opcode Fuzzy Hash: d3be09787bd7dfbf325324e0e9a8f8b9815f76f25dcb1530506bf17859a9384d
Instruction Fuzzy Hash: 4121E3B59002499FDB10CFAAD984ADEBFF4EB48310F14801AE918A7310C374AA44CFA4

Function 0123EB38 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0123EB9F

Memory Dump Source

Source File: 00000004.00000002.4137041283.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1230000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 47c8772120127b28e3088cdf223b6d0f5d34ced9377ce3ff876ef87241c2d758
Instruction ID: 2452984a2a817572e239ba237578a0588fc98f70db2b4c756358d8c8577348e0
Opcode Fuzzy Hash: 47c8772120127b28e3088cdf223b6d0f5d34ced9377ce3ff876ef87241c2d758
Instruction Fuzzy Hash: 6D1120B1C0026A9BCB10CFAAC444BDEFBF5BF48320F11816AD918A7240D378A944CFA5

Function 06B7B110 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06B7B176

Memory Dump Source

Source File: 00000004.00000002.4142505190.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b70000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d2cd5bad643f1aa35174b4f46732ead14fd05095655c0235b464bfc5c9dfb484
Instruction ID: 3ba07f7f4923b6d91c95ced350eb99a3b8139abeba0cd2fb35e00c18289313ac
Opcode Fuzzy Hash: d2cd5bad643f1aa35174b4f46732ead14fd05095655c0235b464bfc5c9dfb484
Instruction Fuzzy Hash: 2A11DFB6C002598FCB10DF9AC844ADEFBF4EB89324F10846AD569B7610C375A545CFA5

Function 06B84B60 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

XPpq, xrefs: 06B84C9D

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: XPpq
API String ID: 0-1266478781
Opcode ID: 8081e4ba8a3626a3de9dd0a412c290fb26d95a1deed71acec57b3da6b5ac1fec
Instruction ID: f9a8474044f6487ebd4b4e8411909adb0cfb331e7e4f8f0d4a807c1576feb305
Opcode Fuzzy Hash: 8081e4ba8a3626a3de9dd0a412c290fb26d95a1deed71acec57b3da6b5ac1fec
Instruction Fuzzy Hash: A3519F70A102099FDB54AFA9C914B9EBBF6FF88700F208169D106AB3A4DA749C41CF91

Function 06B8DABD Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06B8DC19

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 83aea565eba4b3e4cd671aea695c7d2dab5ea6a74fc20e260b6e836c8b3d9bb5
Instruction ID: c665b403b5325158b66f77e029b372e46242acd55a78d09611bb8d7c520b1448
Opcode Fuzzy Hash: 83aea565eba4b3e4cd671aea695c7d2dab5ea6a74fc20e260b6e836c8b3d9bb5
Instruction Fuzzy Hash: 8D41D370E0030A9FDF64EF65C59469EBBB6FF85300F20456AE412E7284DB70D882CB80

Function 06B821C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06B82303

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: d9cfa532300e0fe274bc324de52823c2ff2095d5de6326349c167ee93b93f46c
Instruction ID: 24f75f1f87f7bd50a0d56097e51eab6a7f340f0d1230267da9dcceec2a6c0020
Opcode Fuzzy Hash: d9cfa532300e0fe274bc324de52823c2ff2095d5de6326349c167ee93b93f46c
Instruction Fuzzy Hash: AB31CD70B002058FDB68AF74D65466E7BE6EB89200F249478E406DB399DF3ADD42CBD1

Function 06B882D0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$kq, xrefs: 06B8831B

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: $kq
API String ID: 0-3037731980
Opcode ID: 56814b8b8eb3486920fbc8c1de30e1af23b97f62f72ff31e444ef60494ee8580
Instruction ID: 70663f2edc063a75b13b099e31cdf7d91ca2d78fba373bf16ec6cfc472d8f6b4
Opcode Fuzzy Hash: 56814b8b8eb3486920fbc8c1de30e1af23b97f62f72ff31e444ef60494ee8580
Instruction Fuzzy Hash: B6F0C2B1B10205DFDF78AE55EA906AC77A9EB50310F9844B5E809DB294C739DE02CB91

Function 06B82340 Relevance: 1.0, Instructions: 1023COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eccd59a55fcc6b342801e3b20f45972e2ff282607731549d8f0a3ebec36b583
Instruction ID: c66bda3569bfc1e4949921f066f0b091f12441f1782ae1d1950471f1034417da
Opcode Fuzzy Hash: 4eccd59a55fcc6b342801e3b20f45972e2ff282607731549d8f0a3ebec36b583
Instruction Fuzzy Hash: 6B923574E002048FDB64EF68C584B5DBBF2EF45314F6494A9D819AB365DB35EE82CB80

Function 06B861F0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1306d7a07eaf46317b975f949db7fdf0e05d6eac9405e767a6df136d4d812a
Instruction ID: a8f4db528957672b7663860cc4f5a57d0c1cb639fc8db060c8c490c23a556f9d
Opcode Fuzzy Hash: de1306d7a07eaf46317b975f949db7fdf0e05d6eac9405e767a6df136d4d812a
Instruction Fuzzy Hash: 3B61C2B2F001114FCF55AA7DC98066EBADBEFD4620B154479E40ADB375EE69DC02C781

Function 06B842A1 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0acf5fa102dd819359485a6a4a97d9cc9c5f3419a6d5169dbde71452e4e6ae46
Instruction ID: 7a7886eab33fbad484af584e96c33befc26e4930967b7ee1a03feaae42ff6855
Opcode Fuzzy Hash: 0acf5fa102dd819359485a6a4a97d9cc9c5f3419a6d5169dbde71452e4e6ae46
Instruction Fuzzy Hash: 3E815B70B1020A8FDF54EFA8C5546AEB7F2EB88300F108569D50AEB398EB35DC46CB41

Function 06B845C4 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a3931f5995f8bf87c249bca9dd2cda7c76c11c715843eff0404161ce3b696e
Instruction ID: d36e05ed62cecc4899ad6443c92667ebe94f144af68dfb4f1a0b0369a988a28a
Opcode Fuzzy Hash: 20a3931f5995f8bf87c249bca9dd2cda7c76c11c715843eff0404161ce3b696e
Instruction Fuzzy Hash: 6A915D74E1021A8FDF60DF68C890B9DB7B1FF89310F208599D549AB395DB70AA85CF90

Function 06B845D8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22066edb9d674562c1746f716c6daf0ef8114ea9e2b19ebf0af6540e3eaea116
Instruction ID: a359b4b25d5a6fa81a19c6edbaf573c186e9ee8f0bd440b62799ff3556bdcc54
Opcode Fuzzy Hash: 22066edb9d674562c1746f716c6daf0ef8114ea9e2b19ebf0af6540e3eaea116
Instruction Fuzzy Hash: FC915B74E1021A8FDF60DF68C880B9DB7B1FF89310F208599D549AB394DB70AA85CF90

Function 06B8FBB8 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da538cde85911339b8e26cfeb8cf6fe7ac56ace1f582bc9436d4d14e7d372583
Instruction ID: 83753147fa84acf18175765e85773ff5efd091c67963b7ccf2d8ced5430b9712
Opcode Fuzzy Hash: da538cde85911339b8e26cfeb8cf6fe7ac56ace1f582bc9436d4d14e7d372583
Instruction Fuzzy Hash: E56137B1F10109DFCF54BB78E8542BEBBBAEB84351F1088B9E506D7255DB318955CB80

Function 06B8EB1A Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865ab36ce0bd04023a0dfdd154cb5783b8c50fcb0004132f1df0802fe217e478
Instruction ID: 2b7e0106c858e31ec22ab1dc3ee9ae23af0daf4d9c6f2be43fe3a2e31bce5708
Opcode Fuzzy Hash: 865ab36ce0bd04023a0dfdd154cb5783b8c50fcb0004132f1df0802fe217e478
Instruction Fuzzy Hash: 8E712AB0A102099FDB54EBA9D990A9EBBF6FF84304F24C469D415EB355DB30EC46CB50

Function 06B8EB28 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a850882db91d61d9190b322e055d9c4ec7487a1fd0b5e9af28b39b47bee7f72
Instruction ID: cbe286fa7b4efeb30badc1e42638be16692559e3e23472273a7b23b15a8df767
Opcode Fuzzy Hash: 4a850882db91d61d9190b322e055d9c4ec7487a1fd0b5e9af28b39b47bee7f72
Instruction Fuzzy Hash: 65711AB0A102099FDB54EFA9D990A9EBBF6FF84304F248469D415EB355DB30EC46CB50

Function 06B8F968 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad092c16159afa36f0b3f24eecc6980d83af3032749fd7d379be9bdf8a74e8d2
Instruction ID: e9a1168404105927cef848d60ed9d3307f005de12878f5ba58b27afe57066ffd
Opcode Fuzzy Hash: ad092c16159afa36f0b3f24eecc6980d83af3032749fd7d379be9bdf8a74e8d2
Instruction Fuzzy Hash: 5251EA70B602049FEF64766CD96473F366ED789390F20486AD10AD33E9CA79CC45D7A2

Function 06B8F978 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50342b8d34cdf46ac94ac289b38d872fab21670e856bb185b45b65597ab8c9db
Instruction ID: 021d60b5e670e3be7e83f5c2e767d63c0fa998f78da6b11de5fa0a82755af696
Opcode Fuzzy Hash: 50342b8d34cdf46ac94ac289b38d872fab21670e856bb185b45b65597ab8c9db
Instruction Fuzzy Hash: ED519770B602089FEF64766CDA6473F365ED789390F20486AD10AD33E9CA79CC45D7A2

Function 06B85419 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a6f9db4a8e21233fb62f9e0be9d8c869717538ef8a08a2c2f6bb87692f9476
Instruction ID: 0d1e0a138f68f7785807a4fe34f7cf3d960cae6134d00e111459a395a8612c64
Opcode Fuzzy Hash: 80a6f9db4a8e21233fb62f9e0be9d8c869717538ef8a08a2c2f6bb87692f9476
Instruction Fuzzy Hash: 7D415EB2E006098FCFB0DEA9D880AAFF7B6FB84310F14496AD216D7654D330E955CB91

Function 06B8207B Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195c13d37e3c7f04d68f289a2643a815f507ee13e605a457f7782ecbff60c7d9
Instruction ID: 23d7813301947929290dc3e2013944ba2a0cf558d432743449f4b1e6f4ee1f30
Opcode Fuzzy Hash: 195c13d37e3c7f04d68f289a2643a815f507ee13e605a457f7782ecbff60c7d9
Instruction Fuzzy Hash: 1F318070E1020A8FDB54EFA4D95469EBBB2FFC9300F208569E916E7354DB71AD42CB81

Function 06B8D970 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e8de0a803f6eeab11788098e929f610bed7da8133f1b673ece874aee9598b6
Instruction ID: 4a5b5dda081f0f4e2a64ae039e99bc808965e37037d1aff259f1c647f9987911
Opcode Fuzzy Hash: e1e8de0a803f6eeab11788098e929f610bed7da8133f1b673ece874aee9598b6
Instruction Fuzzy Hash: 8131A670E1030A8FCF64EF64D99069EB7B5FF85304F208966D505AB355EB70E946CB80

Function 06B82088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 196649daf6a0bd6ac9f7a808c49e68e819a22225f68de5c84e4b07f9af4fd14d
Instruction ID: 671322d255f1727b64685679223c3ae5a79f07320840f083e58389a2f7767f04
Opcode Fuzzy Hash: 196649daf6a0bd6ac9f7a808c49e68e819a22225f68de5c84e4b07f9af4fd14d
Instruction Fuzzy Hash: 97317E70E102198FDB19EFA4D99469EB7B2EF89300F20C529E906E7354DB71ED42CB91

Function 06B83AB0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8456171ebaaee0ed331e62a63519b9945874b32cbd16be4159a588a55f52e221
Instruction ID: 554eee02d398d861e8cb06c330fffce8f38b0564ea54aa65a832de073d8e129b
Opcode Fuzzy Hash: 8456171ebaaee0ed331e62a63519b9945874b32cbd16be4159a588a55f52e221
Instruction Fuzzy Hash: DE21ABB1F00A058FDB50DFA9DA80AAEB7F5EB48610F148079E905E7390E735D840CB90

Function 06B83AAF Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47fef63245d8dd2e99601f0175ad91612893fa3c10c194c21babe89348c39efd
Instruction ID: 68acbdf6006f9cd82c37780e3adbfa0e6b6c761bf8013c088724a14b1ce07ff1
Opcode Fuzzy Hash: 47fef63245d8dd2e99601f0175ad91612893fa3c10c194c21babe89348c39efd
Instruction Fuzzy Hash: D2219AB1F006059FDF50DFA9DA80AAEBBF5EB48610F148065E905E7390E735D841CB80

Function 0119D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4136779832.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_119d000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37240a26b8b93031dfc5386d1fc825bb61d6f595aa47ec058099768a74abae42
Instruction ID: 33b60bb57dd0f5ce1a9b9501f67c4c1b79be7e4991908ee59fbd5207dcd62a9d
Opcode Fuzzy Hash: 37240a26b8b93031dfc5386d1fc825bb61d6f595aa47ec058099768a74abae42
Instruction Fuzzy Hash: 8321F271604204DFDF19DF98E9C4B26BBA5FB84314F28C56DD9094B256C33AD446CA62

Function 06B83BC0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb3755e68d5f0247b7a7e568296cffe958acc0705cf873a5426bd6c52bbc290
Instruction ID: 93e59e953829bf92b8728752fe644e80e9f56271384af09b9b39084895844857
Opcode Fuzzy Hash: cdb3755e68d5f0247b7a7e568296cffe958acc0705cf873a5426bd6c52bbc290
Instruction Fuzzy Hash: 5B11A571B041284FCF54AAB8C9146AE73EAEBC8750F008575C406E7354EE79DC02CB91

Function 06B84200 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60b8df48b0258460fe75a3614750751f6ccfc4ef26afcff16bd916932cbf2d1
Instruction ID: 5a3de776a113e337d6c7831b815328776964c05b4c43b65771ac67273c9fc1d2
Opcode Fuzzy Hash: b60b8df48b0258460fe75a3614750751f6ccfc4ef26afcff16bd916932cbf2d1
Instruction Fuzzy Hash: 9701B131B141120FDB64EABDD818B6FB7DBEBCA610F148879E10AC7355E959DC42C3A2

Function 06B8A311 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400d972bd47f3e7499ef87c03623f21a278a85880358a4793eae899167045cb2
Instruction ID: 3a3668eab3dab0aba5a6ff89749e6bba0bc766e054e5dac5cf6ded3036a201ad
Opcode Fuzzy Hash: 400d972bd47f3e7499ef87c03623f21a278a85880358a4793eae899167045cb2
Instruction Fuzzy Hash: 5801D870B016114FC761EA7CE950B5EB7E5EB87650F1088BAE40AD7395EA16EC02C791

Function 06B83878 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435072ab70d39af68747c3652915a5cebe906276bf988263f5c54521c31fd751
Instruction ID: 9f39ede5cb76ab0999b98e59978118588ec048211c685bb098523a5062023d2a
Opcode Fuzzy Hash: 435072ab70d39af68747c3652915a5cebe906276bf988263f5c54521c31fd751
Instruction Fuzzy Hash: BF21C3B5D01259EFCB10DF9AD884ADEFFB8FB49710F10816AE918A7200C375A554CFA5

Function 0119D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4136779832.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_119d000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 1f3edfbe6e0a10c8d4f393511e536c6c88514bc2a3edaa6020e8d687f69a4395
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: BB11BB75504280CFDF16CF58E5C4B15BFA1FB84314F28C6AAD8494B656C33AD44ACB62

Function 06B83BAF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638ca206dec0cc07e443ab1145848dbc4f9083118d0d3ba2dedf1b2db55f5cd4
Instruction ID: b1fec3e7bb45fb3971c333039ebb2803e06c62f6daef4e7281489f1afa573106
Opcode Fuzzy Hash: 638ca206dec0cc07e443ab1145848dbc4f9083118d0d3ba2dedf1b2db55f5cd4
Instruction Fuzzy Hash: DB01D4B1B141184FDFA4AEB89D146EF76EBEBC8A50F10417AD40AD3284EE65CC028BD1

Function 06B8ED99 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a242a5c72d579cbcec69936a95ca793c2d7be7dd976b4c5c56b4dc07db10dfda
Instruction ID: 78924232fad359e8e7b3235e2512dd6f27af996e0d39a92964d3939e69e8ee2b
Opcode Fuzzy Hash: a242a5c72d579cbcec69936a95ca793c2d7be7dd976b4c5c56b4dc07db10dfda
Instruction Fuzzy Hash: 4B018432B100115FCB65EA7CE454B2A77E6DBCA610F108579E50ACB345EA62EC03C792

Function 06B83880 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702e3a8e1aa6d0e8da7267c7d2f220c31c51fbb7384b7b78ec5881aaa2976ec9
Instruction ID: 8ea18cdb6645dfae48838bb9928beac5154e759c6eaec8be09eb3174e332ca5d
Opcode Fuzzy Hash: 702e3a8e1aa6d0e8da7267c7d2f220c31c51fbb7384b7b78ec5881aaa2976ec9
Instruction Fuzzy Hash: 6311AFB5D01259AFCB00DF9AD884ADEFFB4FB49720F10816AE918A7240C375A954CFA5

Function 06B84210 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96f9fa664d225fdb4edc7d01214aad2720015fb209c8ba6a3df22c9e852fe5b
Instruction ID: f0ef1a7b13bf4b81382c8c078ffb95abd76eaa33bb46292f677500ce175ae429
Opcode Fuzzy Hash: c96f9fa664d225fdb4edc7d01214aad2720015fb209c8ba6a3df22c9e852fe5b
Instruction Fuzzy Hash: 7A016231B141110FDB64BABDD454B2FB3DAEBC9A50F108839E50AC7744ED65DC428391

Function 06B8EDA8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822cf575701a9ad5647146b635db68f103257d3bed33bdc6292896bf1e7a8377
Instruction ID: 539b28cec424105f857864d2ffbeff6e157ed34fc75d1ed8c9c4742d7381b6c4
Opcode Fuzzy Hash: 822cf575701a9ad5647146b635db68f103257d3bed33bdc6292896bf1e7a8377
Instruction Fuzzy Hash: C1018131B500114FCB64AA7DD45072E77DADBC9A61F10C839E50AC7344EE65DC03C782

Function 06B8A320 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a5bb0baaeef67de6d2be5b851ac76112f360873f14588b89172a476775257bf
Instruction ID: 145df5fce1f626cffceda52e9282c4d51cba50780aed0fdd6839c4232da6bd8d
Opcode Fuzzy Hash: 1a5bb0baaeef67de6d2be5b851ac76112f360873f14588b89172a476775257bf
Instruction Fuzzy Hash: EF01A970B101114FCB70EABCD550B2EB3D5EB8A650F108879E50AD7354EA16EC02C785

Function 06B86470 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa4604e36f4e53934fe8abf9403d062fe36460527b18a4ba7539c74cdc66124
Instruction ID: 7bee7c7eb32e7ca2187bdec3d6af188e68f64c2c9057543ba106d8f30fde3b17
Opcode Fuzzy Hash: 3aa4604e36f4e53934fe8abf9403d062fe36460527b18a4ba7539c74cdc66124
Instruction Fuzzy Hash: 1AE0D8F1E151895FEF50EEB0CD6578F7BAADB85204F1449D5D405C7142F232C945C740

Non-executed Functions

Function 06B876A0 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$kq, xrefs: 06B87C3C
$kq, xrefs: 06B877E0
$kq, xrefs: 06B87C30
$kq, xrefs: 06B87B91
$kq, xrefs: 06B87811
$kq, xrefs: 06B877D4
$kq, xrefs: 06B87C52
$kq, xrefs: 06B87B9D
$kq, xrefs: 06B87C46
$kq, xrefs: 06B87805

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1324371161
Opcode ID: efce426d0743d84f81dc60214d5a6675e31f4f210d0cf6ba67b708b56f16e01a
Instruction ID: e428a4e9da0d32483c3c2c1ca56cc7f6db8087fa25310cb25acadabc068db5b4
Opcode Fuzzy Hash: efce426d0743d84f81dc60214d5a6675e31f4f210d0cf6ba67b708b56f16e01a
Instruction Fuzzy Hash: D5123A70A102198FDB64EF65C944AAEB7B2FF84304F2085B9D409AB365DF359D85CF90

Function 06B8A948 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$kq, xrefs: 06B8AAFA
$kq, xrefs: 06B8AB06
$kq, xrefs: 06B8AA3E
$kq, xrefs: 06B8AAD0
$kq, xrefs: 06B8AA4A
$kq, xrefs: 06B8AAA5
$kq, xrefs: 06B8AA99
$kq, xrefs: 06B8AAC4

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: fa1dd89f7f4e6e32ce4b82a20b442106d07c5012397c3de2613749aab2cd3856
Instruction ID: e7c1a364f4fe3477e91a5f303c13d137939e8edb4132bd009ea35606b30f968c
Opcode Fuzzy Hash: fa1dd89f7f4e6e32ce4b82a20b442106d07c5012397c3de2613749aab2cd3856
Instruction Fuzzy Hash: 6D9170B0A10209DFDB68EF64DA5476EBBF6FF84300F20856AE401A7395DB799C41CB90

Function 06B870A0 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$kq, xrefs: 06B8753C
$kq, xrefs: 06B87382
$kq, xrefs: 06B875A8
$kq, xrefs: 06B875B4
$kq, xrefs: 06B873DC
$kq, xrefs: 06B873E8

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: e5ff6aacc26ad32896e158d33dad752da20d6cc9c66f63f91152f51897a9def9
Instruction ID: 68d8b5539c943c0300b662ddd8d72c49f3f242539ff25742ba189780b587f532
Opcode Fuzzy Hash: e5ff6aacc26ad32896e158d33dad752da20d6cc9c66f63f91152f51897a9def9
Instruction Fuzzy Hash: CDF11EB0B10209CFDB54EF64D554A6EB7B2FB84304F248579D815AB3A8DB39EC46CB90

Function 06B883D8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$kq, xrefs: 06B88632
$kq, xrefs: 06B886A3
$kq, xrefs: 06B88697
$kq, xrefs: 06B8863E

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 7bfdf61c3be196f86bee0ccc3532dfb239a4163aad26c069d948057008994fc3
Instruction ID: 765868611e4ed70bad1fae6a9b2e8feb9f6fdbba63404ec5e7b29ba6918c92e4
Opcode Fuzzy Hash: 7bfdf61c3be196f86bee0ccc3532dfb239a4163aad26c069d948057008994fc3
Instruction Fuzzy Hash: F1B13BB4B102098FDB68EFB4D5506AEB7B2FF84300F648569D405AB395DB35DC82CB90

Function 06B8ACD0 Relevance: 5.2, Strings: 4, Instructions: 181COMMON

Download Yara Rule

Strings

$kq, xrefs: 06B8AE01
$kq, xrefs: 06B8AEAC
$kq, xrefs: 06B8AE54
$kq, xrefs: 06B8AE83

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 301862ca83341798b7acf4fd23c652fc0df17fdfd87e8f887cd23401b6c7e7af
Instruction ID: af5937be5593c66170a621420203d0f8132275866bbce6503186c63166fbdcb6
Opcode Fuzzy Hash: 301862ca83341798b7acf4fd23c652fc0df17fdfd87e8f887cd23401b6c7e7af
Instruction Fuzzy Hash: CB51C4B0A202049FCF65FB64D9806AEB7B2EB84311F2499AAD805D7395DB35DC42CB91

Function 06B887F0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LRkq, xrefs: 06B888E3
$kq, xrefs: 06B8886F
LRkq, xrefs: 06B88932
$kq, xrefs: 06B8887B

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: LRkq$LRkq$$kq$$kq
API String ID: 0-2392252538
Opcode ID: 6aeaf1ac447d1dd52b76574f61f6b9f930e7338a04a706bacdc12e6efef2f4ac
Instruction ID: 6311f4838e80a17652c476e75023dda02cdf738f31eccf86cd3b7fc35d2ccff3
Opcode Fuzzy Hash: 6aeaf1ac447d1dd52b76574f61f6b9f930e7338a04a706bacdc12e6efef2f4ac
Instruction Fuzzy Hash: 2E51E270B102059FDB68FF78DA50A6AB7E6FF88304F1485A8D4159B3A5DB35EC41CB90

Function 06B8AD5C Relevance: 5.1, Strings: 4, Instructions: 115COMMON

Download Yara Rule

Strings

$kq, xrefs: 06B8AE01
$kq, xrefs: 06B8AEAC
$kq, xrefs: 06B8AE54
$kq, xrefs: 06B8AE83

Memory Dump Source

Source File: 00000004.00000002.4142557053.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b80000_Packing List - SAPPHIRE X.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 66bffa642af35991da6a6708914d1857297456afedd2600318e8c841dabd52e8
Instruction ID: 5830d4c6ac360592c00dd04f537448c16f8fe8a41207c1b9f18a7380c0b450ed
Opcode Fuzzy Hash: 66bffa642af35991da6a6708914d1857297456afedd2600318e8c841dabd52e8
Instruction Fuzzy Hash: 51419170B202058FCF65FF68D5805AEB3B2FF84211F2499AAD8159B355DB39EC42CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Packing List - SAPPHIRE X.xlsx.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Packing List - SAPPHIRE X.xlsx.scr.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_43e24mry.5r1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fbxqcxop.gbs.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nqjzv3tp.qrv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xukhuikw.5mf.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
Packing List - SAPPHIRE X.xlsx.scr.exe

Function 062DBAC8 Relevance: 8.5, Strings: 6, Instructions: 1022
COMMON

Function 062D0460 Relevance: 6.9, Strings: 5, Instructions: 614
COMMON

Function 0305D2D0 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Function 0305D2E0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 07889530 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0305B048 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Function 030558ED Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 030544B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 062D0D88 Relevance: 1.6, APIs: 1, Instructions: 81
windowCOMMON

Function 078892A1 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre