Edit tour

Windows Analysis Report
PO82200487.exe

Overview

General Information

Sample name:	PO82200487.exe
Analysis ID:	1569124
MD5:	9af88888e3c54e3a62bc409ea5de349e
SHA1:	6ba1ed216e4b1003d7bf0445b8a0bde4d7dc4694
SHA256:	2abceffc33aa61d03182eeed898d402dcbfb1ddca4d1e6ee4b0b0482aa4f3b8a
Tags:	exeuser-TeamDreier
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

PO82200487.exe (PID: 7580 cmdline: "C:\Users\user\Desktop\PO82200487.exe" MD5: 9AF88888E3C54E3A62BC409EA5DE349E)

powershell.exe (PID: 7760 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO82200487.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8036 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

PO82200487.exe (PID: 7780 cmdline: "C:\Users\user\Desktop\PO82200487.exe" MD5: 9AF88888E3C54E3A62BC409EA5DE349E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": "     *o9H+18Q4%;M     "}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2568941236.000000000321A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2567205281.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.2568941236.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2568941236.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1350373878.0000000004172000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: PO82200487.exe PID: 7580	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO82200487.exe PID: 7780	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO82200487.exe PID: 7780	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.PO82200487.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PO82200487.exe.4339620.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO82200487.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO82200487.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO82200487.exe", ParentImage: C:\Users\user\Desktop\PO82200487.exe, ParentProcessId: 7580, ParentProcessName: PO82200487.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO82200487.exe", ProcessId: 7760, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DesusertionIp: 199.79.62.115, DesusertionIsIpv6: false, DesusertionPort: 587, EventID: 3, Image: C:\Users\user\Desktop\PO82200487.exe, Initiated: true, ProcessId: 7780, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49721

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO82200487.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO82200487.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO82200487.exe", ParentImage: C:\Users\user\Desktop\PO82200487.exe, ParentProcessId: 7580, ParentProcessName: PO82200487.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO82200487.exe", ProcessId: 7760, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T14:03:44.666475+0100	2030171	1	A Network Trojan was detected	192.168.2.9	49721	199.79.62.115	587	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T14:02:10.944038+0100	2855542	1	A Network Trojan was detected	192.168.2.9	49721	199.79.62.115	587	TCP

ETPRO MALWARE Agent Tesla Exfil via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T14:02:10.944038+0100	2855245	1	A Network Trojan was detected	192.168.2.9	49721	199.79.62.115	587	TCP

ETPRO MALWARE Win32/Agent Tesla SMTP Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T14:03:44.666475+0100	2839723	1	Malware Command and Control Activity Detected	192.168.2.9	49721	199.79.62.115	587	TCP

ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T14:03:44.666475+0100	2840032	1	A Network Trojan was detected	192.168.2.9	49721	199.79.62.115	587	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.PO82200487.exe.4339620.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}

Multi AV Scanner detection for submitted file

Source: PO82200487.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: PO82200487.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: /log.tmp
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <br>[
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ]<br>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <br>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Time:
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <br>User Name:
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <br>Computer Name:
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <br>OSFullName:
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <br>CPU:
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <br>RAM:
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <br>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: IP Address:
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <br>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <hr>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: New
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: IP Address:
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: false
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: false
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: false
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: false
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: false
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: false
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: false
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: false
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: false
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: mail.mbarieservicesltd.com
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: saless@mbarieservicesltd.com
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: *o9H+18Q4%;M
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: iinfo@mbarieservicesltd.com
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: false
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: false
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: appdata
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: KTvkzEc
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: KTvkzEc.exe
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: KTvkzEc
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Type
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <br>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <hr>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <br>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <b>[
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ]</b> (
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: )<br>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {BACK}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {ALT+TAB}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {ALT+F4}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {TAB}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {ESC}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {Win}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {CAPSLOCK}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {KEYUP}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {KEYDOWN}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {KEYLEFT}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {KEYRIGHT}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {DEL}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {END}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {HOME}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {Insert}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {NumLock}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {PageDown}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {PageUp}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {ENTER}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {F1}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {F2}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {F3}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {F4}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {F5}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {F6}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {F7}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {F8}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {F9}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {F10}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {F11}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {F12}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: control
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {CTRL}
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: &
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: >
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: "
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <hr>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: logins
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: IE/Edge
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Windows Secure Note
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Windows Web Password Credential
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Windows Credential Picker Protector
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Web Credentials
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Windows Credentials
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Windows Domain Certificate Credential
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Windows Domain Password Credential
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Windows Extended Credential
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SchemaId
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: pResourceElement
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: pPackageSid
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: IE/Edge
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: UC Browser
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: UCBrowser\
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Login Data
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: journal
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: wow_logins
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Safari for Windows
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <array>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <dict>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <string>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: </string>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <string>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: </string>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <data>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: </data>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: -convert xml1 -s -o "
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \fixed_keychain.xml"
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Microsoft\Protect\
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: credential
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: QQ Browser
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Default\EncryptedStorage
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Profile
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \EncryptedStorage
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: entries
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: category
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: str3
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: str2
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: blob0
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: password_value
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: IncrediMail
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: PopPassword
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Accounts_New
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: PopPassword
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SmtpServer
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: EmailAddress
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Eudora
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: current
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Settings
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SavePasswordText
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Settings
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ReturnAddress
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Falkon Browser
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \falkon\profiles\
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: profiles.ini
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: profiles.ini
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \browsedata.db
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: autofill
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ClawsMail
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Claws-mail
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \clawsrc
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \clawsrc
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: passkey0
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \accountrc
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: smtp_server
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: address
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: account
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \passwordstorerc
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: {(.),(.)}(.*)
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Flock Browser
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: APPDATA
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Flock\Browser\
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: signons3.txt
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: DynDns
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: username=
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: password=
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: https://account.dyn.com/
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: t6KzXhCh
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: global
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: accounts
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: account.
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: username
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: account.
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: name
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: APPDATA
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Psi\profiles
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: APPDATA
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Psi+\profiles
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: OpenVPN
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: username
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: auth-data
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: entropy
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: USERPROFILE
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \OpenVPN\config\
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: remote
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: remote
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: NordVPN
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: NordVPN
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: NordVpn.exe*
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: user.config
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: //setting[@name='Username']/value
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: NordVPN
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: %ProgramW6432%
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Private Internet Access\data
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Private Internet Access\data
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \account.json
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ."username":"(.?)"
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ."password":"(.?)"
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: privateinternetaccess.com
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: FileZilla
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: APPDATA
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: APPDATA
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <Server>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <Host>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <Host>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: </Host>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <Port>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: </Port>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <User>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <User>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: </User>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: </Pass>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <Pass>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: </Pass>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: CoreFTP
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: User
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Host
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Port
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: hdfzpysvpzimorhk
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: WinSCP
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: HostName
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: UserName
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: PublicKeyFile
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: PortNumber
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: WinSCP
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ABCDEF
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Flash FXP
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: port
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: user
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: pass
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: quick.dat
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Sites.dat
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: FTP Navigator
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SystemDrive
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Server
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: No Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: User
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SmartFTP
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: APPDATA
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: WS_FTP
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: appdata
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: HOST
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: PWD=
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: PWD=
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: FtpCommander
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SystemDrive
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SystemDrive
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SystemDrive
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \cftp\Ftplist.txt
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ;Password=
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ;User=
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ;Server=
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ;Port=
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ;Port=
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ;Password=
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ;User=
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ;Anonymous=
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: FTPGetter
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \FTPGetter\servers.xml
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <server>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <server_ip>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <server_ip>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: </server_ip>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <server_port>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: </server_port>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: </server_user_name>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: </server_user_password>
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: FTPGetter
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: The Bat!
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: appdata
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \The Bat!
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Becky!
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: DataDir
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Folder.lst
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Mailbox.ini
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Account
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: PassWd
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Account
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SMTPServer
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Account
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: MailAddress
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Becky!
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Outlook
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Email
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: IMAP Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: POP3 Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: HTTP Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SMTP Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Email
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Email
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Email
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: IMAP Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: POP3 Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: HTTP Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SMTP Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Server
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Windows Mail App
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Email
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Server
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SchemaId
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: pResourceElement
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: pPackageSid
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: syncpassword
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: mailoutgoing
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: FoxMail
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Executable
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: FoxmailPath
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Storage\
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Storage\
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \mail
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \mail
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Account.stg
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Account.stg
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: POP3Host
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SMTPHost
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: IncomingServer
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Account
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: MailAddress
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: POP3Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Opera Mail
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: opera:
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: PocoMail
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: appdata
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Pocomail\accounts.ini
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Email
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: POPPass
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SMTPPass
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SMTP
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: eM Client
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: eM Client\accounts.dat
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: eM Client
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Accounts
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: "Username":"
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: "Secret":"
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: "ProviderName":"
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: o6806642kbM7c5
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Mailbird
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SenderIdentities
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Accounts
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Server_Host
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Accounts
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Email
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Username
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: EncryptedPassword
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Mailbird
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Software\ORL\WinVNC3
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: TightVNC
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: TightVNC
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: PasswordViewOnly
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: TightVNC ControlPassword
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ControlPassword
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: TigerVNC
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Software\TigerVNC\Server
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Password
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: passwd
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: passwd2
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: passwd
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: passwd2
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: passwd
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: passwd2
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: passwd
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: passwd2
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: JDownloader 2.0
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: JDownloader 2.0\cfg
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: JDownloader 2.0\cfg
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Paltalk
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: Software\A.V.M.\Paltalk NG\common_settings\core\users\creds\
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack	String decryptor: nickname

Source: PO82200487.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PO82200487.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.9:49721 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.9:49721 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.9:49721 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.9:49721 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.9:49721 -> 199.79.62.115:587

Source: global traffic

TCP traffic: 192.168.2.9:49721 -> 199.79.62.115:587

Source: Joe Sandbox View

IP Address: 199.79.62.115 199.79.62.115

Source: global traffic

TCP traffic: 192.168.2.9:49721 -> 199.79.62.115:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.mbarieservicesltd.com

Source: PO82200487.exe, 00000004.00000002.2568941236.000000000321A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.mbarieservicesltd.com
Source: PO82200487.exe, 00000000.00000002.1348848708.0000000002C88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO82200487.exe	String found in binary or memory: http://www.elderscrolls.com/skyrim/character
Source: PO82200487.exe	String found in binary or memory: http://www.elderscrolls.com/skyrim/characterT
Source: PO82200487.exe, 00000000.00000002.1348848708.000000000293A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.elderscrolls.com/skyrim/player

Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C325B9	0_2_00C325B9
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C313F0	0_2_00C313F0
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C33430	0_2_00C33430
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C31B81	0_2_00C31B81
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C39C0C	0_2_00C39C0C
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C39D88	0_2_00C39D88
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C3A389	0_2_00C3A389
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C34388	0_2_00C34388
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C34378	0_2_00C34378
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C30871	0_2_00C30871
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C34FC8	0_2_00C34FC8
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C34FD8	0_2_00C34FD8
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C313CF	0_2_00C313CF
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C33418	0_2_00C33418
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C35680	0_2_00C35680
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C35670	0_2_00C35670
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C35860	0_2_00C35860
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C35870	0_2_00C35870
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C35AF0	0_2_00C35AF0
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C35B00	0_2_00C35B00
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C39D78	0_2_00C39D78
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_07EFB320	0_2_07EFB320
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_07EF9250	0_2_07EF9250
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 4_2_015C4140	4_2_015C4140
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 4_2_015C4D58	4_2_015C4D58
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 4_2_015C4488	4_2_015C4488
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 4_2_069EA738	4_2_069EA738
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 4_2_069E5568	4_2_069E5568
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 4_2_069E1A30	4_2_069E1A30
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 4_2_069E2220	4_2_069E2220
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 4_2_069EF4F0	4_2_069EF4F0
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 4_2_069ECD00	4_2_069ECD00
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 4_2_06AF7FA8	4_2_06AF7FA8
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 4_2_06AF8FE8	4_2_06AF8FE8
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 4_2_06AF5D90	4_2_06AF5D90
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 4_2_06AFF208	4_2_06AFF208
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 4_2_06AFE248	4_2_06AFE248
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 4_2_06AFA910	4_2_06AFA910
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 4_2_06AF8730	4_2_06AF8730

Source: PO82200487.exe, 00000000.00000002.1348848708.000000000298E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs PO82200487.exe
Source: PO82200487.exe, 00000000.00000000.1315838734.00000000005AE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOhuYA.exeL vs PO82200487.exe
Source: PO82200487.exe, 00000000.00000002.1357504923.0000000009AC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO82200487.exe
Source: PO82200487.exe, 00000000.00000002.1350373878.0000000004172000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO82200487.exe
Source: PO82200487.exe, 00000000.00000002.1350373878.0000000004172000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs PO82200487.exe
Source: PO82200487.exe, 00000000.00000002.1348848708.0000000002C90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs PO82200487.exe
Source: PO82200487.exe, 00000000.00000002.1344826980.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO82200487.exe
Source: PO82200487.exe, 00000000.00000002.1350373878.0000000004139000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs PO82200487.exe
Source: PO82200487.exe, 00000000.00000002.1354931417.0000000007780000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs PO82200487.exe
Source: PO82200487.exe, 00000004.00000002.2567205281.000000000042C000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs PO82200487.exe
Source: PO82200487.exe, 00000004.00000002.2567371249.0000000001388000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO82200487.exe
Source: PO82200487.exe	Binary or memory string: OriginalFilenameOhuYA.exeL vs PO82200487.exe

Source: PO82200487.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PO82200487.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, u9228RTFi7Xn9pJ5U5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, u9228RTFi7Xn9pJ5U5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, QLCIsDidBMb0vV5IRO.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, QLCIsDidBMb0vV5IRO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, QLCIsDidBMb0vV5IRO.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, QLCIsDidBMb0vV5IRO.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, QLCIsDidBMb0vV5IRO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, QLCIsDidBMb0vV5IRO.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@3/1

Source: C:\Users\user\Desktop\PO82200487.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO82200487.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\PO82200487.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nmjdok4u.wrt.ps1

Jump to behavior

Source: PO82200487.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO82200487.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\PO82200487.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO82200487.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO82200487.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO82200487.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO82200487.exe

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\PO82200487.exe "C:\Users\user\Desktop\PO82200487.exe"
Source: C:\Users\user\Desktop\PO82200487.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO82200487.exe"
Source: C:\Users\user\Desktop\PO82200487.exe	Process created: C:\Users\user\Desktop\PO82200487.exe "C:\Users\user\Desktop\PO82200487.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\PO82200487.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO82200487.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process created: C:\Users\user\Desktop\PO82200487.exe "C:\Users\user\Desktop\PO82200487.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO82200487.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PO82200487.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\PO82200487.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PO82200487.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO82200487.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, QLCIsDidBMb0vV5IRO.cs	.Net Code: qHlL8Bd7l6 System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO82200487.exe.7780000.2.raw.unpack, L2.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, QLCIsDidBMb0vV5IRO.cs	.Net Code: qHlL8Bd7l6 System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO82200487.exe.4152270.0.raw.unpack, L2.cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 0_2_00C313B1 push cs; ret		0_2_00C313B2
Source: C:\Users\user\Desktop\PO82200487.exe	Code function: 4_2_06AF1610 push esp; ret		4_2_06AF1611

Source: PO82200487.exe

Static PE information: section name: .text entropy: 7.671418587267901

Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, LcJlpYHgsuedxhJLcL.cs	High entropy of concatenated method names: 'IysJKxc7bm', 'GNqJEtHrxH', 'ToString', 'nqLJkK6SsW', 'XDrJYXsQmR', 'NXUJSPa6yP', 'PykJlFT0Lx', 'rPeJeIfGRe', 'olrJ9K8I6L', 'sxsJipFZ5J'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, l1y3cbwLxvxoymGwTX.cs	High entropy of concatenated method names: 'kvhenfpAPt', 'xkxeYxMVsn', 'ULUelvMGtU', 'Vd1e9uYVAg', 'wAVeip0QhE', 'FAtlUG5qKt', 'eaEl34G5Ti', 'RhqlNpAcH4', 'JKjlDk7u8B', 'NNeloS8kuB'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, Mot5ucIb1v0EBSaoC4.cs	High entropy of concatenated method names: 'JPJ82XXSu', 'nOlcp6usP', 'zwh0DTQxW', 'pADbCX2IY', 'Hhxg8lZl8', 'AnStdblXP', 'px9U0rMS582hqpWuEQ', 'vmpMLv2GpGtrhTXGIL', 'eNV6Nfv39', 'Ek7RxTOMa'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, L1Mu1S31jbxL2VO3ty.cs	High entropy of concatenated method names: 'SuiJDsTtZJ', 'sHAJ5Nkipl', 'Csi6ZULiAl', 'msZ61E09ym', 'IPrJ41N4xv', 'SyDJOBPDkp', 'FpTJ24qqLS', 'mMZJpjVWHF', 'Tq7J7tCj7M', 'AqrJdNI7FU'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, PTgl33xswMxgXWTFCE.cs	High entropy of concatenated method names: 'hGS9XeyBL9', 'MhV9FaSnNi', 'JHm98peSu2', 'VTn9cL6Pml', 'O8m9WCWbnC', 'vYt90xNJp2', 'mZV9bS3Z8h', 'CAQ9T2Piwc', 'vtg9gmUD73', 'Ace9tDRNGC'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, ex5GLDYDPTZW9AOQkk.cs	High entropy of concatenated method names: 'Dispose', 'gWW1o8MQj5', 'vL5IGCDgUS', 'rCVwWeHCIO', 'iZu15tCcTC', 'MLX1zfITYX', 'ProcessDialogKey', 's3kIZ7rquq', 'nOmI1qLeaM', 'gi1IIUaZJg'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, I89XDPAG2y4SodpBGj.cs	High entropy of concatenated method names: 'pdg9kXKu1u', 'sZ29S4eXWL', 'ufj9eRV9Hf', 'NZae5WKuFE', 'zOvezYsfqN', 'PA79ZwMQnw', 'uCb911h5v5', 'qNY9IZ0dDN', 'omf9f1tHkV', 'vhB9LQ5oBa'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, x5iJJpLb7EC3FK5pqT.cs	High entropy of concatenated method names: 'peh199228R', 'zi71iXn9pJ', 'FMe1KBSd06', 'm1I1EXlF7n', 'jpm1yA4K1y', 'Vcb1CLxvxo', 'FeHKJ9iJZ9pGXELN0O', 'OXet4LOPeCbu4DwoIp', 'sWW11KEXgi', 'pOY1fBEvB8'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, lSSRSyzsnJwErZmQi8.cs	High entropy of concatenated method names: 'dHlR0RnC8e', 'tvtRTZiDT3', 'mXbRgMxX1D', 'X8TRwIAo0v', 'FWJRGhcfgd', 'RbMRPMw6SX', 'YWyRjh64NX', 'c2NRs4dwmw', 'PVFRXxpblY', 'yqsRFPGkcX'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, ODkjB9ppukJOQXQfdx.cs	High entropy of concatenated method names: 'dixyu1EKUU', 'S4dyOo2uuY', 'miwyp6d3Ne', 'jQBy7rFyMT', 'BblyGFVGP0', 'j4KyV4L4ds', 'IOYyPbkfQi', 'QyiyjIhd9C', 'YOHyqQFaXW', 'XfByA4rtqd'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, u9228RTFi7Xn9pJ5U5.cs	High entropy of concatenated method names: 'tSCYpwK4Bw', 'Cg3Y7h4lhU', 'mLUYdeE1MJ', 'teGYHXSdEs', 'G3FYUwTSdH', 'I5sY398yDR', 'aG0YNSv5qn', 'H8fYDvfVfa', 'SDtYoJKAVw', 'UpuY5yTktr'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, IRMb2PSPU11708aH29.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'tjhIobEZNx', 'MOyI5VpKXv', 'UgeIzhCmGJ', 'SSBfZGpQph', 'Jksf1t84oZ', 'TXJfI1WihA', 'cMPff07e6b', 'vFfGi5okKuZawqdC4df'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, f7rquqoQOmqLeaMYi1.cs	High entropy of concatenated method names: 'VycBwUHWaX', 'uGUBGqJev5', 'yfCBVjlPB1', 'bsWBPSBbdk', 'K9mBjCOdZ1', 'D8UBqwIhlj', 'xb1BALY93a', 'tWPBm8dBZp', 'jxEBxLaL7n', 'oLHBuAPDiV'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, yNWGmh11eGhmN0lpo9J.cs	High entropy of concatenated method names: 'shGR5jtxaD', 'y9qRzr5j07', 'fA7MZ8QCdc', 'zqGM1htKux', 'GGqMIQIUVF', 'TFpMfbc8wY', 'RMeMLHpefK', 'cdMMn8WSSS', 'UPhMkx3EGi', 'OGWMYDRENX'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, DHidhtgMeBSd06E1IX.cs	High entropy of concatenated method names: 'GhtSc3B4J2', 'x2LS0Q2m8q', 'FgjSTBYREB', 'rJtSgYFgj6', 'IB6Syqt49c', 'ieOSCZPv8I', 'wM4SJaIET3', 'oVqS6CAa2a', 'SyUSBHLnsZ', 'Xc0SRQc8lf'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, dDTjvl1LsKstwierwex.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SMYhBd446n', 'bWphRsdiQL', 'vJFhMZ9BV0', 'DOdhh4rZos', 'MsIhrUIn8r', 'qKBhacKJHv', 'C5PhsDaXBO'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, QLCIsDidBMb0vV5IRO.cs	High entropy of concatenated method names: 'yexfnYUJ1y', 'D3AfkFwl7v', 'IAdfYsghEI', 'xWpfSubo5V', 'BDjflyilbZ', 'tnHfekmZs2', 'UrVf947SiY', 'EMQfihitsr', 'enufvkmsvf', 'PTefKvCKFV'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, nbLgsh1ZVB0wtQ0N8io.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VLSR4hOW0Y', 'IAYROpSGgf', 'JShR2rP6uF', 'TXbRpjyjKN', 'rHqR7toaex', 'IZoRdAKQXv', 'SOiRHKhV4M'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, h0XUNd1IDDeKoUySk39.cs	High entropy of concatenated method names: 'ToString', 'yvEMTnbEdW', 'YsDMg1qhZy', 'l6EMtFaBqg', 'cDiMweKZdR', 'PlxMGb5Q3P', 'q8IMV6rXxm', 'M0CMPvLaKM', 'DqTZU21sfaEq0JW9IaA', 'MSwH9t18aBy78vdUkhW'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, UaZJgk5c46dCdoKWPT.cs	High entropy of concatenated method names: 'yf9RSwV51w', 'fTIRlH16qy', 'XZbRe2b97U', 'OJpR9GTYeu', 'qVtRBaw54M', 'TUcRilbGrt', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, f9m3FINrLSWW8MQj5l.cs	High entropy of concatenated method names: 'zIMBy0ugjR', 'VYVBJ61Xbd', 'hYeBBcj9Wy', 'nrZBM7YaJr', 'uAXBrBcOON', 'UM8BscVbDt', 'Dispose', 'TYE6kKd4YI', 'urq6Y91EDb', 'nR66SCN5UY'
Source: 0.2.PO82200487.exe.9ac0000.3.raw.unpack, WIZg4G2lgXltoMSuKO.cs	High entropy of concatenated method names: 'RpyQTkfv7A', 'XQLQgFPxZq', 'S4IQwb9Gf4', 'TC6QGg6i5L', 'plRQPkuBY3', 'NkiQja7koB', 'C30QAgFKBu', 'Ov8QmE3Hki', 'ugiQuR1tXj', 'yBLQ4TCgbZ'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, LcJlpYHgsuedxhJLcL.cs	High entropy of concatenated method names: 'IysJKxc7bm', 'GNqJEtHrxH', 'ToString', 'nqLJkK6SsW', 'XDrJYXsQmR', 'NXUJSPa6yP', 'PykJlFT0Lx', 'rPeJeIfGRe', 'olrJ9K8I6L', 'sxsJipFZ5J'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, l1y3cbwLxvxoymGwTX.cs	High entropy of concatenated method names: 'kvhenfpAPt', 'xkxeYxMVsn', 'ULUelvMGtU', 'Vd1e9uYVAg', 'wAVeip0QhE', 'FAtlUG5qKt', 'eaEl34G5Ti', 'RhqlNpAcH4', 'JKjlDk7u8B', 'NNeloS8kuB'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, Mot5ucIb1v0EBSaoC4.cs	High entropy of concatenated method names: 'JPJ82XXSu', 'nOlcp6usP', 'zwh0DTQxW', 'pADbCX2IY', 'Hhxg8lZl8', 'AnStdblXP', 'px9U0rMS582hqpWuEQ', 'vmpMLv2GpGtrhTXGIL', 'eNV6Nfv39', 'Ek7RxTOMa'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, L1Mu1S31jbxL2VO3ty.cs	High entropy of concatenated method names: 'SuiJDsTtZJ', 'sHAJ5Nkipl', 'Csi6ZULiAl', 'msZ61E09ym', 'IPrJ41N4xv', 'SyDJOBPDkp', 'FpTJ24qqLS', 'mMZJpjVWHF', 'Tq7J7tCj7M', 'AqrJdNI7FU'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, PTgl33xswMxgXWTFCE.cs	High entropy of concatenated method names: 'hGS9XeyBL9', 'MhV9FaSnNi', 'JHm98peSu2', 'VTn9cL6Pml', 'O8m9WCWbnC', 'vYt90xNJp2', 'mZV9bS3Z8h', 'CAQ9T2Piwc', 'vtg9gmUD73', 'Ace9tDRNGC'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, ex5GLDYDPTZW9AOQkk.cs	High entropy of concatenated method names: 'Dispose', 'gWW1o8MQj5', 'vL5IGCDgUS', 'rCVwWeHCIO', 'iZu15tCcTC', 'MLX1zfITYX', 'ProcessDialogKey', 's3kIZ7rquq', 'nOmI1qLeaM', 'gi1IIUaZJg'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, I89XDPAG2y4SodpBGj.cs	High entropy of concatenated method names: 'pdg9kXKu1u', 'sZ29S4eXWL', 'ufj9eRV9Hf', 'NZae5WKuFE', 'zOvezYsfqN', 'PA79ZwMQnw', 'uCb911h5v5', 'qNY9IZ0dDN', 'omf9f1tHkV', 'vhB9LQ5oBa'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, x5iJJpLb7EC3FK5pqT.cs	High entropy of concatenated method names: 'peh199228R', 'zi71iXn9pJ', 'FMe1KBSd06', 'm1I1EXlF7n', 'jpm1yA4K1y', 'Vcb1CLxvxo', 'FeHKJ9iJZ9pGXELN0O', 'OXet4LOPeCbu4DwoIp', 'sWW11KEXgi', 'pOY1fBEvB8'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, lSSRSyzsnJwErZmQi8.cs	High entropy of concatenated method names: 'dHlR0RnC8e', 'tvtRTZiDT3', 'mXbRgMxX1D', 'X8TRwIAo0v', 'FWJRGhcfgd', 'RbMRPMw6SX', 'YWyRjh64NX', 'c2NRs4dwmw', 'PVFRXxpblY', 'yqsRFPGkcX'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, ODkjB9ppukJOQXQfdx.cs	High entropy of concatenated method names: 'dixyu1EKUU', 'S4dyOo2uuY', 'miwyp6d3Ne', 'jQBy7rFyMT', 'BblyGFVGP0', 'j4KyV4L4ds', 'IOYyPbkfQi', 'QyiyjIhd9C', 'YOHyqQFaXW', 'XfByA4rtqd'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, u9228RTFi7Xn9pJ5U5.cs	High entropy of concatenated method names: 'tSCYpwK4Bw', 'Cg3Y7h4lhU', 'mLUYdeE1MJ', 'teGYHXSdEs', 'G3FYUwTSdH', 'I5sY398yDR', 'aG0YNSv5qn', 'H8fYDvfVfa', 'SDtYoJKAVw', 'UpuY5yTktr'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, IRMb2PSPU11708aH29.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'tjhIobEZNx', 'MOyI5VpKXv', 'UgeIzhCmGJ', 'SSBfZGpQph', 'Jksf1t84oZ', 'TXJfI1WihA', 'cMPff07e6b', 'vFfGi5okKuZawqdC4df'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, f7rquqoQOmqLeaMYi1.cs	High entropy of concatenated method names: 'VycBwUHWaX', 'uGUBGqJev5', 'yfCBVjlPB1', 'bsWBPSBbdk', 'K9mBjCOdZ1', 'D8UBqwIhlj', 'xb1BALY93a', 'tWPBm8dBZp', 'jxEBxLaL7n', 'oLHBuAPDiV'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, yNWGmh11eGhmN0lpo9J.cs	High entropy of concatenated method names: 'shGR5jtxaD', 'y9qRzr5j07', 'fA7MZ8QCdc', 'zqGM1htKux', 'GGqMIQIUVF', 'TFpMfbc8wY', 'RMeMLHpefK', 'cdMMn8WSSS', 'UPhMkx3EGi', 'OGWMYDRENX'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, DHidhtgMeBSd06E1IX.cs	High entropy of concatenated method names: 'GhtSc3B4J2', 'x2LS0Q2m8q', 'FgjSTBYREB', 'rJtSgYFgj6', 'IB6Syqt49c', 'ieOSCZPv8I', 'wM4SJaIET3', 'oVqS6CAa2a', 'SyUSBHLnsZ', 'Xc0SRQc8lf'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, dDTjvl1LsKstwierwex.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SMYhBd446n', 'bWphRsdiQL', 'vJFhMZ9BV0', 'DOdhh4rZos', 'MsIhrUIn8r', 'qKBhacKJHv', 'C5PhsDaXBO'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, QLCIsDidBMb0vV5IRO.cs	High entropy of concatenated method names: 'yexfnYUJ1y', 'D3AfkFwl7v', 'IAdfYsghEI', 'xWpfSubo5V', 'BDjflyilbZ', 'tnHfekmZs2', 'UrVf947SiY', 'EMQfihitsr', 'enufvkmsvf', 'PTefKvCKFV'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, nbLgsh1ZVB0wtQ0N8io.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VLSR4hOW0Y', 'IAYROpSGgf', 'JShR2rP6uF', 'TXbRpjyjKN', 'rHqR7toaex', 'IZoRdAKQXv', 'SOiRHKhV4M'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, h0XUNd1IDDeKoUySk39.cs	High entropy of concatenated method names: 'ToString', 'yvEMTnbEdW', 'YsDMg1qhZy', 'l6EMtFaBqg', 'cDiMweKZdR', 'PlxMGb5Q3P', 'q8IMV6rXxm', 'M0CMPvLaKM', 'DqTZU21sfaEq0JW9IaA', 'MSwH9t18aBy78vdUkhW'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, UaZJgk5c46dCdoKWPT.cs	High entropy of concatenated method names: 'yf9RSwV51w', 'fTIRlH16qy', 'XZbRe2b97U', 'OJpR9GTYeu', 'qVtRBaw54M', 'TUcRilbGrt', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, f9m3FINrLSWW8MQj5l.cs	High entropy of concatenated method names: 'zIMBy0ugjR', 'VYVBJ61Xbd', 'hYeBBcj9Wy', 'nrZBM7YaJr', 'uAXBrBcOON', 'UM8BscVbDt', 'Dispose', 'TYE6kKd4YI', 'urq6Y91EDb', 'nR66SCN5UY'
Source: 0.2.PO82200487.exe.4339620.1.raw.unpack, WIZg4G2lgXltoMSuKO.cs	High entropy of concatenated method names: 'RpyQTkfv7A', 'XQLQgFPxZq', 'S4IQwb9Gf4', 'TC6QGg6i5L', 'plRQPkuBY3', 'NkiQja7koB', 'C30QAgFKBu', 'Ov8QmE3Hki', 'ugiQuR1tXj', 'yBLQ4TCgbZ'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: PO82200487.exe PID: 7580, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\PO82200487.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\PO82200487.exe	Memory allocated: C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Memory allocated: 2930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Memory allocated: F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Memory allocated: 4EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Memory allocated: 5EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Memory allocated: 6020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Memory allocated: 7020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Memory allocated: A380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Memory allocated: 9B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Memory allocated: B380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Memory allocated: C380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Memory allocated: 15C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Memory allocated: 31C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Memory allocated: 51C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6634	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2998	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Window / User API: threadDelayed 2832	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Window / User API: threadDelayed 6948	Jump to behavior

Source: C:\Users\user\Desktop\PO82200487.exe TID: 7600	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8012	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8004	Thread sleep count: 2832 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -99871s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8004	Thread sleep count: 6948 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -99657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -99407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -99282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -99129s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -98860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -98732s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -98583s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -98438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -98219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -98110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -97985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -97485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -97360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -97235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -97110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -96985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -96860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -96735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -96610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -96485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -96360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -96235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -96113s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -95955s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -95829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -95704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -95579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -95454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -95329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -95204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -95079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -94953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -94844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -94735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -94610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -94485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -94360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -94235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -94110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -93985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -93860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe TID: 8020	Thread sleep time: -93735s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\PO82200487.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\PO82200487.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO82200487.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 99871	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 99282	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 99129	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 98860	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 98732	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 98583	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 98438	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 97485	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 97235	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 97110	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 96985	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 96860	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 96735	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 96610	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 96485	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 96235	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 96113	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 95955	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 95829	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 95704	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 95579	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 95454	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 95329	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 95204	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 95079	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 94953	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 94844	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 94735	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 94610	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 94485	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 94360	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 94235	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 94110	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 93985	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 93860	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Thread delayed: delay time: 93735	Jump to behavior

Source: PO82200487.exe, 00000004.00000002.2568057140.00000000016C3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PO82200487.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\PO82200487.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO82200487.exe"
Source: C:\Users\user\Desktop\PO82200487.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO82200487.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PO82200487.exe

Memory written: C:\Users\user\Desktop\PO82200487.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\PO82200487.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO82200487.exe"			Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Process created: C:\Users\user\Desktop\PO82200487.exe "C:\Users\user\Desktop\PO82200487.exe"			Jump to behavior

Source: C:\Users\user\Desktop\PO82200487.exe	Queries volume information: C:\Users\user\Desktop\PO82200487.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Queries volume information: C:\Users\user\Desktop\PO82200487.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO82200487.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 4.2.PO82200487.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO82200487.exe.4339620.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2567205281.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1350373878.0000000004172000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2568941236.000000000321A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2568941236.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO82200487.exe PID: 7780, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\PO82200487.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\PO82200487.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\PO82200487.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\PO82200487.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\PO82200487.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000004.00000002.2568941236.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO82200487.exe PID: 7780, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 4.2.PO82200487.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO82200487.exe.4339620.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2567205281.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1350373878.0000000004172000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2568941236.000000000321A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2568941236.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO82200487.exe PID: 7780, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO82200487.exe	55%	ReversingLabs	Win32.Trojan.Leonem
PO82200487.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.elderscrolls.com/skyrim/character	0%	Avira URL Cloud	safe
http://www.elderscrolls.com/skyrim/characterT	0%	Avira URL Cloud	safe
http://www.elderscrolls.com/skyrim/player	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.mbarieservicesltd.com	199.79.62.115	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.elderscrolls.com/skyrim/character	PO82200487.exe	false	Avira URL Cloud: safe	unknown
http://www.elderscrolls.com/skyrim/characterT	PO82200487.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO82200487.exe, 00000000.00000002.1348848708.0000000002C88000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.elderscrolls.com/skyrim/player	PO82200487.exe, 00000000.00000002.1348848708.000000000293A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.mbarieservicesltd.com	PO82200487.exe, 00000004.00000002.2568941236.000000000321A000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.79.62.115	mail.mbarieservicesltd.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569124
Start date and time:	2024-12-05 14:01:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO82200487.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 64 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: PO82200487.exe

Simulations

Behavior and APIs

Time	Type	Description
08:02:00	API Interceptor	59x Sleep call for process: PO82200487.exe modified
08:02:02	API Interceptor	15x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
199.79.62.115	ORDER#023_2024.exe	Get hash	malicious	AgentTesla	Browse
	QFEWElNtpn.exe	Get hash	malicious	AgentTesla	Browse
	SoA_14000048_002.exe	Get hash	malicious	AgentTesla	Browse
	Quote 000002320.exe	Get hash	malicious	AgentTesla	Browse
	LPO-2024-357.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Quote5000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	Quote1000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	Quote 40240333-REV2.exe	Get hash	malicious	AgentTesla	Browse
	PO ALJAT-5804-2024.exe	Get hash	malicious	AgentTesla	Browse
	INQ#84790.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.mbarieservicesltd.com	ORDER#023_2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	QFEWElNtpn.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	SoA_14000048_002.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	Quote 000002320.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	LPO-2024-357.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	Quote5000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	Quote1000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	Quote 40240333-REV2.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	PO ALJAT-5804-2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	ORDER#023_2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	QFEWElNtpn.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	SoA_14000048_002.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	Quote 000002320.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	new booking 9086432659087.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.251.80.30
	rAttached_updat.vbs	Get hash	malicious	GuLoader, Remcos	Browse	103.76.231.42
	LPO-2024-357.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	RFQ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.251.80.30
	Quote5000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	Quote1000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115

Process:	C:\Users\user\Desktop\PO82200487.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380192968514367
Encrypted:	false
SSDEEP:	48:+WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:+LHyIFKL3IZ2KRH9Oug8s
MD5:	2E16D2F2BF61526793175AF057C80E38
SHA1:	C646E8FE846DE9B54BF04679A5A9F5216DD5C7B9
SHA-256:	BA86B69C37F37E218D33B2643466FD3C5D2551C0215ABC36883C7A2D75C9848C
SHA-512:	3E95DF7756044BB4CAFE391CB8860B551621923B795B80FE6753DD5B1D11B9DCB5F41938B65761D6D7EE5689471A0AA7CE3EAF38A03A50399FA29704294AD34E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_34ti2whq.w5r.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nmjdok4u.wrt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r4wpzcwy.0cy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ylhtpzcc.qdw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.666077073376279
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	PO82200487.exe
File size:	707'584 bytes
MD5:	9af88888e3c54e3a62bc409ea5de349e
SHA1:	6ba1ed216e4b1003d7bf0445b8a0bde4d7dc4694
SHA256:	2abceffc33aa61d03182eeed898d402dcbfb1ddca4d1e6ee4b0b0482aa4f3b8a
SHA512:	b1e236d3fa6f0fe62df9feff646d7d6803aaf61923c3e3afcf1175801c03ea7da53ebc7821300137b5141ae5ee2dc63d15be1abaa5b05b0ad25f33f9eef93768
SSDEEP:	12288:L2TpWXt5SikpewQZmIAtBZ60K3rlx1Puzi25T/dns593Tsmni1AObnpu/D5EChK3:LtSSwQXAtBZ606Ppki2xnU
TLSH:	C3E4C09C3640F44EC443CE358EA4FD74A9646DAA5307D3039ADB6EEFF91E8568E041E2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Qg..............0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	0697f0b9b0b1d827

Static PE Info

General

Entrypoint:	0x4aca1e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67511A97 [Thu Dec 5 03:14:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac9c4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xae000	0x1bb0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaaa24	0xaac00	8b554a36f5f2502e552d50c5f982ec91	False	0.868725979136164	data	7.671418587267901	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xae000	0x1bb0	0x1c00	34b42d8da9432316e34ba66c8ce7f417	False	0.8684430803571429	data	7.378443986540976	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb0000	0xc	0x200	484533dc58756a46b9e1764a112ba7b9	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xae0e8	0x174e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9639624539054643
RT_GROUP_ICON	0xaf838	0x14	data	1.05
RT_VERSION	0xaf84c	0x360	data	0.4236111111111111

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-05T14:02:10.944038+0100	2855245	ETPRO MALWARE Agent Tesla Exfil via SMTP	1	192.168.2.9	49721	199.79.62.115	587	TCP
2024-12-05T14:02:10.944038+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.9	49721	199.79.62.115	587	TCP
2024-12-05T14:03:44.666475+0100	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.9	49721	199.79.62.115	587	TCP
2024-12-05T14:03:44.666475+0100	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.9	49721	199.79.62.115	587	TCP
2024-12-05T14:03:44.666475+0100	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.9	49721	199.79.62.115	587	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 14:02:07.269608021 CET	49721	587	192.168.2.9	199.79.62.115
Dec 5, 2024 14:02:07.389334917 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:07.389524937 CET	49721	587	192.168.2.9	199.79.62.115
Dec 5, 2024 14:02:08.585016012 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:08.585907936 CET	49721	587	192.168.2.9	199.79.62.115
Dec 5, 2024 14:02:08.705821037 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:08.962306976 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:08.963378906 CET	49721	587	192.168.2.9	199.79.62.115
Dec 5, 2024 14:02:09.083862066 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:09.340709925 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:09.341586113 CET	49721	587	192.168.2.9	199.79.62.115
Dec 5, 2024 14:02:09.463759899 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:09.742033005 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:09.742275953 CET	49721	587	192.168.2.9	199.79.62.115
Dec 5, 2024 14:02:09.861948013 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:10.118119001 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:10.118335962 CET	49721	587	192.168.2.9	199.79.62.115
Dec 5, 2024 14:02:10.238122940 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:10.501981974 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:10.555280924 CET	49721	587	192.168.2.9	199.79.62.115
Dec 5, 2024 14:02:10.564009905 CET	49721	587	192.168.2.9	199.79.62.115
Dec 5, 2024 14:02:10.684432030 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:10.943371058 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:10.943919897 CET	49721	587	192.168.2.9	199.79.62.115
Dec 5, 2024 14:02:10.944037914 CET	49721	587	192.168.2.9	199.79.62.115
Dec 5, 2024 14:02:10.944072008 CET	49721	587	192.168.2.9	199.79.62.115
Dec 5, 2024 14:02:10.944087029 CET	49721	587	192.168.2.9	199.79.62.115
Dec 5, 2024 14:02:11.064579964 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:11.064606905 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:11.064616919 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:11.064625978 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:11.427074909 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:02:11.468844891 CET	49721	587	192.168.2.9	199.79.62.115
Dec 5, 2024 14:03:44.086952925 CET	49721	587	192.168.2.9	199.79.62.115
Dec 5, 2024 14:03:44.206696033 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:03:44.666255951 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:03:44.666475058 CET	49721	587	192.168.2.9	199.79.62.115
Dec 5, 2024 14:03:44.666656017 CET	587	49721	199.79.62.115	192.168.2.9
Dec 5, 2024 14:03:44.666712046 CET	49721	587	192.168.2.9	199.79.62.115
Dec 5, 2024 14:03:44.786185026 CET	587	49721	199.79.62.115	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 14:02:04.070524931 CET	62489	53	192.168.2.9	1.1.1.1
Dec 5, 2024 14:02:05.194427013 CET	62489	53	192.168.2.9	1.1.1.1
Dec 5, 2024 14:02:06.180486917 CET	62489	53	192.168.2.9	1.1.1.1
Dec 5, 2024 14:02:07.262506962 CET	53	62489	1.1.1.1	192.168.2.9
Dec 5, 2024 14:02:07.262512922 CET	53	62489	1.1.1.1	192.168.2.9
Dec 5, 2024 14:02:07.262525082 CET	53	62489	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 5, 2024 14:02:04.070524931 CET	192.168.2.9	1.1.1.1	0xf839	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false
Dec 5, 2024 14:02:05.194427013 CET	192.168.2.9	1.1.1.1	0xf839	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false
Dec 5, 2024 14:02:06.180486917 CET	192.168.2.9	1.1.1.1	0xf839	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 5, 2024 14:02:07.262506962 CET	1.1.1.1	192.168.2.9	0xf839	No error (0)	mail.mbarieservicesltd.com	199.79.62.115	A (IP address)	IN (0x0001)	false
Dec 5, 2024 14:02:07.262512922 CET	1.1.1.1	192.168.2.9	0xf839	No error (0)	mail.mbarieservicesltd.com	199.79.62.115	A (IP address)	IN (0x0001)	false
Dec 5, 2024 14:02:07.262525082 CET	1.1.1.1	192.168.2.9	0xf839	No error (0)	mail.mbarieservicesltd.com	199.79.62.115	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 5, 2024 14:02:08.585016012 CET	587	49721	199.79.62.115	192.168.2.9	220-md-54.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 05 Dec 2024 18:32:08 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 5, 2024 14:02:08.585907936 CET	49721	587	192.168.2.9	199.79.62.115	EHLO 284992
Dec 5, 2024 14:02:08.962306976 CET	587	49721	199.79.62.115	192.168.2.9	250-md-54.webhostbox.net Hello 284992 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 5, 2024 14:02:08.963378906 CET	49721	587	192.168.2.9	199.79.62.115	AUTH login c2FsZXNzQG1iYXJpZXNlcnZpY2VzbHRkLmNvbQ==
Dec 5, 2024 14:02:09.340709925 CET	587	49721	199.79.62.115	192.168.2.9	334 UGFzc3dvcmQ6
Dec 5, 2024 14:02:09.742033005 CET	587	49721	199.79.62.115	192.168.2.9	235 Authentication succeeded
Dec 5, 2024 14:02:09.742275953 CET	49721	587	192.168.2.9	199.79.62.115	MAIL FROM:<saless@mbarieservicesltd.com>
Dec 5, 2024 14:02:10.118119001 CET	587	49721	199.79.62.115	192.168.2.9	250 OK
Dec 5, 2024 14:02:10.118335962 CET	49721	587	192.168.2.9	199.79.62.115	RCPT TO:<iinfo@mbarieservicesltd.com>
Dec 5, 2024 14:02:10.501981974 CET	587	49721	199.79.62.115	192.168.2.9	250 Accepted
Dec 5, 2024 14:02:10.564009905 CET	49721	587	192.168.2.9	199.79.62.115	DATA
Dec 5, 2024 14:02:10.943371058 CET	587	49721	199.79.62.115	192.168.2.9	354 Enter message, ending with "." on a line by itself
Dec 5, 2024 14:02:10.944087029 CET	49721	587	192.168.2.9	199.79.62.115	.
Dec 5, 2024 14:02:11.427074909 CET	587	49721	199.79.62.115	192.168.2.9	250 OK id=1tJBUg-001QKK-2P
Dec 5, 2024 14:03:44.086952925 CET	49721	587	192.168.2.9	199.79.62.115	QUIT
Dec 5, 2024 14:03:44.666255951 CET	587	49721	199.79.62.115	192.168.2.9	221 md-54.webhostbox.net closing connection

Target ID:	0
Start time:	08:01:59
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\PO82200487.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO82200487.exe"
Imagebase:	0x500000
File size:	707'584 bytes
MD5 hash:	9AF88888E3C54E3A62BC409EA5DE349E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1350373878.0000000004172000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:02:00
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO82200487.exe"
Imagebase:	0x8c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:02:01
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\PO82200487.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO82200487.exe"
Imagebase:	0xf40000
File size:	707'584 bytes
MD5 hash:	9AF88888E3C54E3A62BC409EA5DE349E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2568941236.000000000321A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.2567205281.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2568941236.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2568941236.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	08:02:01
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:02:03
Start date:	05/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff72d8c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	24
Total number of Limit Nodes:	0

Executed Functions

Function 00C33430 Relevance: 6.6, Strings: 5, Instructions: 302
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%}7, xrefs: 00C33673
m' E, xrefs: 00C3375C
-3!, xrefs: 00C334A7
%}7, xrefs: 00C33691
%}7, xrefs: 00C3367A

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID: -3!$m' E$%}7$%}7$%}7
API String ID: 0-3499994821
Opcode ID: 3b108306bdd8264d7c0047c8ec094609cfa3ae0c6c4f4e95a3015221119f7660
Instruction ID: 7e82d76464692b05aa21a08b529e824736818351f80c16352ae60ce14ade7dd1
Opcode Fuzzy Hash: 3b108306bdd8264d7c0047c8ec094609cfa3ae0c6c4f4e95a3015221119f7660
Instruction Fuzzy Hash: 41D12870E1024ADFCB18CF9AC6818AEFBB2FF89311F25855AD415AB254D7349A42CF94

Function 00C33418 Relevance: 6.5, Strings: 5, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%}7, xrefs: 00C33673
m' E, xrefs: 00C3375C
-3!, xrefs: 00C334A7
%}7, xrefs: 00C33691
%}7, xrefs: 00C3367A

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID: -3!$m' E$%}7$%}7$%}7
API String ID: 0-3499994821
Opcode ID: 16c8a894a85c02b5ef4076c34debd6edba9e56d97f3e72367f4fec0d092eef23
Instruction ID: b633fa26fee3d44e6fa1eac646ea2fb302011a12b4086319038673bd32f3b2a6
Opcode Fuzzy Hash: 16c8a894a85c02b5ef4076c34debd6edba9e56d97f3e72367f4fec0d092eef23
Instruction Fuzzy Hash: 57D13970E1424ADFCB18CFA6C5818AEFBB2FF89311F24845AD416AB354D7349A42CF94

Function 00C313CF Relevance: 2.7, Strings: 2, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3alk, xrefs: 00C31515
$aI, xrefs: 00C3147E

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID: $aI$3alk
API String ID: 0-3362859117
Opcode ID: bd74083114a479a8ba2fd83a8cd1f51917f53aefa14a715b50d1c6495fe425b9
Instruction ID: 185558d1f9b391e027a7e5a7c799a097f73ca71ae8b83d454f62f77d93125358
Opcode Fuzzy Hash: bd74083114a479a8ba2fd83a8cd1f51917f53aefa14a715b50d1c6495fe425b9
Instruction Fuzzy Hash: 9191F574E152598FDB04CFEAC884ADEBBF2BF89300F24812AD815BB264D7349906CF55

Function 00C313F0 Relevance: 2.7, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3alk, xrefs: 00C31515
$aI, xrefs: 00C3147E

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID: $aI$3alk
API String ID: 0-3362859117
Opcode ID: df3fd060bcd8ff184d0a4d250aef17fed39af4728b9e2ffcd4d97d2665da8c75
Instruction ID: 8d0d8632989d23628356c5b066e558f90a7f486a95fa1be8a833b89272ab062d
Opcode Fuzzy Hash: df3fd060bcd8ff184d0a4d250aef17fed39af4728b9e2ffcd4d97d2665da8c75
Instruction Fuzzy Hash: DE81B374E152198FDB08CFEAC984ADEBBB2FF88300F24912AD915BB264D7349945CF54

Function 00C31B81 Relevance: 1.4, Strings: 1, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]bw, xrefs: 00C31D52

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID: ]bw
API String ID: 0-3599847727
Opcode ID: 00e3b0439d2420c5d252df4839d17ed9c9393a8ceae494649bfb332f17369ae2
Instruction ID: a5c4e0a39f306a34dfedd24010dc0998d3792bd930b531e4d7e7fd4a47659a5f
Opcode Fuzzy Hash: 00e3b0439d2420c5d252df4839d17ed9c9393a8ceae494649bfb332f17369ae2
Instruction Fuzzy Hash: 76512C70E152198FDB08CFAAD9506EEFBF2FF89301F28D56AD815B7254D7344A018B68

Function 00C3A389 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598472aa6dbc17a9713f06edff85dad151b1f2f21bc620a3f222daa1ca28eb6e
Instruction ID: 4067fa08ee59f294849a1a4c04ea31e65dbc644c52addfd109f09b6a0efe4902
Opcode Fuzzy Hash: 598472aa6dbc17a9713f06edff85dad151b1f2f21bc620a3f222daa1ca28eb6e
Instruction Fuzzy Hash: 8C718E78E002089FDB44DFA9D958AEDBBF2FF88300F24816AD919A7365EB315951CF50

Function 00C39C0C Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c2ee5e8a0e56f274729a8e9801a958b99954c089f2f52d0dbd5b5fa9d57a60a
Instruction ID: 57a80ff5406ef4e6b8c85e8fa9289b85ec2de7b4aec73d123f1a912eebc81c53
Opcode Fuzzy Hash: 9c2ee5e8a0e56f274729a8e9801a958b99954c089f2f52d0dbd5b5fa9d57a60a
Instruction Fuzzy Hash: 29718F78E00208DFDB44DFA9D958AADBBF2FF88300F248169E919A7364DB315951CF50

Function 00C39D88 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d8719270cca459addee88be29624824cc8eb1f3f64e9f7fc4838067aa3f58b
Instruction ID: 4cbb38ac2bbc76299d6b27e7a8677e929616f8439d274111c53c3c9c274eea2d
Opcode Fuzzy Hash: 32d8719270cca459addee88be29624824cc8eb1f3f64e9f7fc4838067aa3f58b
Instruction Fuzzy Hash: 1D311475E156098BEB48CFABD84069EFBF3AFC9300F14D42AC419AB264EB7449128F55

Function 00C39D78 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ea3545083e2ea5502b425bae635dbf6d9763843305eaaee6c5cdccddf695a6
Instruction ID: 7c386cac5ed386c2c5c7d1868fde99379b0604fd42c2cee5fade1e306d0aa8da
Opcode Fuzzy Hash: 80ea3545083e2ea5502b425bae635dbf6d9763843305eaaee6c5cdccddf695a6
Instruction Fuzzy Hash: BE313675E016198BEB48CFABD84069EFBF3EFC9300F14C42AC415AB258EB7449068F54

Function 00C325B9 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4d2eaa8463c7312b7270bbe00aa1bbb2a5b2d2f5a07edb4553ded42b59f8e7
Instruction ID: f8b594c6977669de97166b2a50fa3e60773052f879ca7f2f2c274e1924d2203a
Opcode Fuzzy Hash: ac4d2eaa8463c7312b7270bbe00aa1bbb2a5b2d2f5a07edb4553ded42b59f8e7
Instruction Fuzzy Hash: 5A313C71E016588FDB18CFA6D9446DEBBB3BFC9300F14C0AAD409AB264DB355A46CF50

Function 07EFC450 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07EFC686

Memory Dump Source

Source File: 00000000.00000002.1355973314.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ef0000_PO82200487.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7cbcaf8af423354813cfa4616e69fcf336b15dfa99f7457b1e10124e885fe5a6
Instruction ID: 617853242761cd3bdbfa7c80c268f4ca5bf82319c240ed5a9f01a03a327f71a1
Opcode Fuzzy Hash: 7cbcaf8af423354813cfa4616e69fcf336b15dfa99f7457b1e10124e885fe5a6
Instruction Fuzzy Hash: 8C914BB1D0121ECFEB10CF68C8417EDBBB2BF49314F248569E909A7690DB749985CFA1

Function 07EFC1C8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07EFC258

Memory Dump Source

Source File: 00000000.00000002.1355973314.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ef0000_PO82200487.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 91a213e2ee53ff40bb233682bab33245ee43bc235fe1249795d7bc7a20fcd905
Instruction ID: b0a40191ba18141a51120b9a9d16986cce3599d06accde9f5e2c395597e7d1fc
Opcode Fuzzy Hash: 91a213e2ee53ff40bb233682bab33245ee43bc235fe1249795d7bc7a20fcd905
Instruction Fuzzy Hash: 5F2126B590030D9FDB10CFA9D885BDEBBF5FF48310F20842AE919A7250D7789944CBA0

Function 07EFC2B8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07EFC338

Memory Dump Source

Source File: 00000000.00000002.1355973314.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ef0000_PO82200487.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 80feaad046fd5349f493ae0db5aeaed638963898e98d64fad166f8b8d07ec153
Instruction ID: 6e152b7907c78b0bc9ea399d561384809a86abac2884b5a81385998f32f33d94
Opcode Fuzzy Hash: 80feaad046fd5349f493ae0db5aeaed638963898e98d64fad166f8b8d07ec153
Instruction Fuzzy Hash: D52114B19013499FDB10DFAAC884BEEBBF5FF48310F60842AE519A7250C7789945CBA0

Function 07EFC030 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07EFC0AE

Memory Dump Source

Source File: 00000000.00000002.1355973314.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ef0000_PO82200487.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ac8f130b292dbe7f5d5c748a7840facdc1ada126290548094fa3ff236ad5ee55
Instruction ID: 25aa8a43ddd3a5a05f9aeede1ba4b39c31021513c8900054ecf98084111b0ac9
Opcode Fuzzy Hash: ac8f130b292dbe7f5d5c748a7840facdc1ada126290548094fa3ff236ad5ee55
Instruction Fuzzy Hash: 432147B19003098FDB10DFAAC4857EEBBF4FF48318F24842AD559A7640CB789A45CFA1

Function 07EFC108 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07EFC176

Memory Dump Source

Source File: 00000000.00000002.1355973314.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ef0000_PO82200487.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 406ef59f3065c163743e3295c50701694511a8372606cb511058c6b98a0e15b0
Instruction ID: 6dd7c71a7707bab6ef8d1e5177a9fe7ec279b74d8e0e2a8fb8eab421b8ef410c
Opcode Fuzzy Hash: 406ef59f3065c163743e3295c50701694511a8372606cb511058c6b98a0e15b0
Instruction Fuzzy Hash: 8A1156B28002099FDB10DFAAC844BDEBBF5EF49310F248419E515A7250C7759554CFA0

Function 07EFBF80 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 07EFBFE2

Memory Dump Source

Source File: 00000000.00000002.1355973314.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ef0000_PO82200487.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 87d90764dd6931ce9581a10a7e887633f1c9bec6a95f48f97cf3b5e3b350d5ab
Instruction ID: 2f63ab61d78a07f6dadf233450ab993126bc718753956b89e126622049982152
Opcode Fuzzy Hash: 87d90764dd6931ce9581a10a7e887633f1c9bec6a95f48f97cf3b5e3b350d5ab
Instruction Fuzzy Hash: 78113AB19003498FDB10DFAAC4457DEFBF4EF48314F24845AD519A7640C779A544CFA0

Function 07EFD100 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07EFEFBD

Memory Dump Source

Source File: 00000000.00000002.1355973314.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ef0000_PO82200487.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c7cd6f0c0f5b8f6a38038db1b33d4f57575bae41655f9e0e97ac0cd4fe879110
Instruction ID: 7e168ed6372b3e26aacd19834392dca0219dd33b0a92f303f0bb0a28d8d51b66
Opcode Fuzzy Hash: c7cd6f0c0f5b8f6a38038db1b33d4f57575bae41655f9e0e97ac0cd4fe879110
Instruction Fuzzy Hash: 7E1125B68003099FDB10DF8AD844BDEFBF8EB48310F108459E614A3610C374A944CFA0

Function 00C33DE9 Relevance: 1.3, Strings: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

~]*\, xrefs: 00C33E95

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID: ~]*\
API String ID: 0-3279316135
Opcode ID: 60996a3a39f9de9bf75f22f4dd8d7dca60c8c16b1c44eb38d40e1009c2ebd3e4
Instruction ID: bdeb6acbc1f081fbbe37d2a8971b4e2320b5c81b8a723805e496ada1d071199f
Opcode Fuzzy Hash: 60996a3a39f9de9bf75f22f4dd8d7dca60c8c16b1c44eb38d40e1009c2ebd3e4
Instruction Fuzzy Hash: A4413AB0D14649DFCB04CFA9C9405AEFBB2FF89301F2485AAC415AB264D7349A42CF55

Function 00C33E30 Relevance: 1.3, Strings: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

~]*\, xrefs: 00C33E95

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID: ~]*\
API String ID: 0-3279316135
Opcode ID: 2019f41315a4b3e70f7091ba4255751093d4204788b0998cbff64f9ba32f4fad
Instruction ID: 78fa461faedce4aa45e81077f2c7c47d2d726f24e18fc5250136095c3d699e33
Opcode Fuzzy Hash: 2019f41315a4b3e70f7091ba4255751093d4204788b0998cbff64f9ba32f4fad
Instruction Fuzzy Hash: 7031F6B4E1464ADFCB44CFAAC5405AEFBB2FF88301F24C5AAC415A7264E7349A42DF54

Function 00C3B900 Relevance: .7, Instructions: 688COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7dd89a96f0035b14e57ef5a07f53eb6e17afc4e2008c3d8172eb15a42ea423
Instruction ID: 4cc6311a2d0f9c3731595cec4956c87e927ed3555efd90e53ead141479929320
Opcode Fuzzy Hash: 5a7dd89a96f0035b14e57ef5a07f53eb6e17afc4e2008c3d8172eb15a42ea423
Instruction Fuzzy Hash: 3B7205B4A01209CFDB19FFB4E890ADDBBB1FF44700F1049A99149AB261DB34AE85DF51

Function 00C39C9C Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72471e018d484af91fbb9f9ccf2b8f33f15a5b7b96d7185d3d5909855e754704
Instruction ID: a4101b00fcd88a963ab8f4c4a0a5032e1b4805b2e51c6a878497f5984ee70413
Opcode Fuzzy Hash: 72471e018d484af91fbb9f9ccf2b8f33f15a5b7b96d7185d3d5909855e754704
Instruction Fuzzy Hash: 86A18575A10705CFCB04EF69D88499DBBB1FF89310F1186A9E505AB366EB70ED49CB80

Function 00C3D8E0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8c943b2fe12bbcc23422f350e2322cb1f141ab6848964550429ee9cdb22d79
Instruction ID: d8a8f228d7e0a89ac86e9505a72300b557e8eec5cc1d45a372e995bf0e4bc9fc
Opcode Fuzzy Hash: da8c943b2fe12bbcc23422f350e2322cb1f141ab6848964550429ee9cdb22d79
Instruction Fuzzy Hash: 83314878B182008FEB01AB69E4147AF7BE5EF49705F144069E602DB382DB75C954C7A1

Function 00C3DB08 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7893ea4fb0a96e14f259eb79109d76d417b539eb80715a81b91f4f62c01c47
Instruction ID: 1b0d467c9952040d7d700d2e728c454488228ffd6ceda464885b7699709d5df2
Opcode Fuzzy Hash: ce7893ea4fb0a96e14f259eb79109d76d417b539eb80715a81b91f4f62c01c47
Instruction Fuzzy Hash: 8A21A174B243018BDB14EF3AE4406AE77E5AF44B48F118428C81ACB388E735DE06DBD1

Function 00B8D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1341644212.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c8ad58530265c8f7c4182ef14acca903522b384143d5c66f9fbfdaf33c9acbf
Instruction ID: 7c48c14d2ee975872771e384ffd662bd84feeab2d924fdfb94639a6bccace52a
Opcode Fuzzy Hash: 6c8ad58530265c8f7c4182ef14acca903522b384143d5c66f9fbfdaf33c9acbf
Instruction Fuzzy Hash: 00210771504344DFDB05EF10D9C0F26BBA5FB94314F28C5AAE8094B3A6C336E856CBA2

Function 00B8D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1341644212.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9f1f53501aea1cd25560c3cbca2d2080b84824431d511518dcb65341214438
Instruction ID: b7e04efdda7ce1454c6c9f9e58eb17e2956e5d33abb0c36a4568c3fa699ca8b2
Opcode Fuzzy Hash: 4e9f1f53501aea1cd25560c3cbca2d2080b84824431d511518dcb65341214438
Instruction Fuzzy Hash: 37212871504340DFDB05EF14D9C0B6ABFA5FB94318F24C1ABD9090B2A6C336D856CBA2

Function 00B9D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1341873121.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66cc461d6c23740bb817fa407a4e7637fa60e24ef0a1ad112a22cc513d67db1c
Instruction ID: 9030b7ff81cae596ef13c367db6c7f2abe6aa884d38dc6f20a3eeaa5fbeda804
Opcode Fuzzy Hash: 66cc461d6c23740bb817fa407a4e7637fa60e24ef0a1ad112a22cc513d67db1c
Instruction Fuzzy Hash: 4721D071604344DFDF14DF24D9D4B26BBA5FB84314F24C5B9D80A4B296C33AD847CA62

Function 00B9D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1341873121.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2456626981190bb2e92a76678c7ff2e1ca0d21814f2f11084cd658becfe628
Instruction ID: 983bcbea1b8e46ec809f47eea1952d92816b027eace8ea0de254fbaff27741e2
Opcode Fuzzy Hash: bd2456626981190bb2e92a76678c7ff2e1ca0d21814f2f11084cd658becfe628
Instruction Fuzzy Hash: 51210171A04344EFDF05DF11D9C0B26BBA5FB88314F24C6BDE80A4B292C336D846CA62

Function 00C3A5EF Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610de1c0f9ef50c2ebe4a4c31ec15c4765ee9dcb2c8b913f67df1ec39714e5ca
Instruction ID: b7f9c0c1d23cf2d0d7177e45e0edbaed7ba7b0bc08ef8c6ba4dfab0909f212cb
Opcode Fuzzy Hash: 610de1c0f9ef50c2ebe4a4c31ec15c4765ee9dcb2c8b913f67df1ec39714e5ca
Instruction Fuzzy Hash: 9721CF717042014BDB01EF28D891685FBE2EF89320F1886BDE809DF396E674AC46CB90

Function 00C33A79 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79bc481ada3bf4dec24eefa031fee1af8f2685df2c0ab0537fcd0712659c3362
Instruction ID: f1c2ac5738fd8cf027c119ba8bab4670ad5a1b7a21a5d46203e049c62f3b7bcd
Opcode Fuzzy Hash: 79bc481ada3bf4dec24eefa031fee1af8f2685df2c0ab0537fcd0712659c3362
Instruction Fuzzy Hash: 80311E70E15249DFDB44CFA5D541AAEFBB2BF89301F24D5AAC409E7250E7308B41DB51

Function 00C3A7B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de320f3d2e35963dad34cc0156f9623428ebcbfbe172583cf4fb21c1486811f
Instruction ID: 8fe8ec2bc81062c1b0cd48a70b5a339d52eadcb749de9a96410f16e619501f13
Opcode Fuzzy Hash: 7de320f3d2e35963dad34cc0156f9623428ebcbfbe172583cf4fb21c1486811f
Instruction Fuzzy Hash: 8B219231A147059BDB01AF68C450396B3B1FF86324F1586B6E949BB342EBB1BD85C790

Function 00C39C1C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9c1973e8728a1bb8f6acc303d3e1f765cf4bed133af57cabfa686b631817ea
Instruction ID: ee774dd553879be81b78ffc16d19b17a26f7a5962bf55091ae3808fa08a70649
Opcode Fuzzy Hash: dd9c1973e8728a1bb8f6acc303d3e1f765cf4bed133af57cabfa686b631817ea
Instruction Fuzzy Hash: 2D218E717002054BDB04AF29D891386F7E6EF89324F18C6B9A909DB346DAB4AC498B90

Function 00C3DDB0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca0280cb4e39308e6653d1c8008514e792abfc87ad1fb17837893b91b9b8d2f
Instruction ID: 5259dd89b3fc6a7e79e8302c6efc4d62f953100b7b88101bbf220e50630727f4
Opcode Fuzzy Hash: dca0280cb4e39308e6653d1c8008514e792abfc87ad1fb17837893b91b9b8d2f
Instruction Fuzzy Hash: 9121AF79B103068BDB14AB7AE85177E3BE6FB84B04F108429D506DB384EB34DA41DBA1

Function 00C39C6C Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef3b1f8499cf840c4ad01220bb516a2a3d35709154efe3a90f73fc1a09848a1
Instruction ID: 2c94d696e7987669ea4db728d4ce8a84b711d2d5804bac2ead767033de89de63
Opcode Fuzzy Hash: 3ef3b1f8499cf840c4ad01220bb516a2a3d35709154efe3a90f73fc1a09848a1
Instruction Fuzzy Hash: 79218135A107059BDB01AF68C450396B3B1FF89324F158679E9497B342EBB17D85C790

Function 00B9D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1341873121.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819601913e209711aa205c1089b75b5500a10f39613af139de61c64b2156fc9a
Instruction ID: 890e16853e81c1d407c1159a8311ed8f30a8c21e153a4f375016c199a291d243
Opcode Fuzzy Hash: 819601913e209711aa205c1089b75b5500a10f39613af139de61c64b2156fc9a
Instruction Fuzzy Hash: 7421A4755093808FCB06CF20D5A0715BFB1EB45314F28C5EAD8498B697C33A980ACB62

Function 00C33B91 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed3837e34398a5c034ccb5eea51518fdfc3e080f6aedcd80e9aec6cbe49a572
Instruction ID: 48a1cb02abaef5ec91ca2dd07ba14a03c68b1a58b0e591fca6e3283c98f98ca2
Opcode Fuzzy Hash: eed3837e34398a5c034ccb5eea51518fdfc3e080f6aedcd80e9aec6cbe49a572
Instruction Fuzzy Hash: B821C074E04248DFDB04DFA9CA54A9DBBF2EF89300F25C5AAD419A7365DB309A05CB40

Function 00B8D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1341644212.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction ID: 02b86a128ec91f9f93491c4b71b5d1dbd621d2e41b3e9573ae4cf530fc0c3936
Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction Fuzzy Hash: DC11B176504280DFCB15DF10D5C4B56BFB1FB94314F28C5EAD8490B6A6C336E856CBA1

Function 00B8D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1341644212.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction ID: 448499a1c4e74b1181df132039cd11fdeb68b194fe316da6dfa0fe0bf9953d02
Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction Fuzzy Hash: ED11B1B6504240CFCB16DF14D5C4B5ABFB2FB94324F24C5AAD9090B6A6C336D856CBA2

Function 00C33BA0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f028991ebec651940839a72b9a3ca018745ada4dbbededd73664a2866c397276
Instruction ID: b5f2eebb88f053ddfb042a830715352b6d0ad3b9b30032986ec1c9803e24687e
Opcode Fuzzy Hash: f028991ebec651940839a72b9a3ca018745ada4dbbededd73664a2866c397276
Instruction Fuzzy Hash: 4611F674E04208EFDB04DFAADA54A9DFBF2FB88300F24C5A6D418A7364DB309A01CB40

Function 00B9D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1341873121.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: 70f026ff656fe66db011a9235f8bf47f1ec76f05076f7eb4b63430368e6d122f
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: 88118B75504280DFCF15CF50D5C4B15BBA1FB84314F28C6AAD8494B6A6C33AD84ACB61

Function 00B8D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1341644212.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02f37af166d278d6e0ad1201a5e8c39b9f04d09adb3f536d87f1af49a320052
Instruction ID: 81c8df3cc539b325100717465ed238f6dbe0c6e3dfba0bdd30fae26bb4d0a4bb
Opcode Fuzzy Hash: d02f37af166d278d6e0ad1201a5e8c39b9f04d09adb3f536d87f1af49a320052
Instruction Fuzzy Hash: CD012675104340ABE710AF22CDC4B2ABBD8EF41320F18C59BED094A2D2D6799C00CBB2

Function 00C3A6F7 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47731262cdf0f073075088b86505d45a625d54631c1e7783427232372944d05d
Instruction ID: 8234bf3034d4384b24d3d8c2c631641ad85288a013263ecede1f5db688da3796
Opcode Fuzzy Hash: 47731262cdf0f073075088b86505d45a625d54631c1e7783427232372944d05d
Instruction Fuzzy Hash: D401A7312053015BDB01AF6CD895786B7E5FF89324F1442BAEA089F383DBB45C4587A0

Function 00C3DC80 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2baeba56cbd1fcf0db6a82430aaef64aad7048d60c80ecbf3ad8aa1c0d44e1
Instruction ID: 3e1c89c54c85f0e77723c4e9ba315f1521c96d78e1af5480a7034d6fb98fd9a4
Opcode Fuzzy Hash: 6e2baeba56cbd1fcf0db6a82430aaef64aad7048d60c80ecbf3ad8aa1c0d44e1
Instruction Fuzzy Hash: E40171B4E40308EBDB04FFB9D88175D7BF2EF84700F108069D6059B294EA305A019F92

Function 00C39C3C Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6b5e2673db214770fbf0cc291dc3c3a637578cf4a6e97077375e62b3a47ea2
Instruction ID: 282ec0d83bc8d5c97ca1a009e680f7a7e15194dc24867956f20890cad8616ab3
Opcode Fuzzy Hash: 2f6b5e2673db214770fbf0cc291dc3c3a637578cf4a6e97077375e62b3a47ea2
Instruction Fuzzy Hash: F1F0AF3125420057EB10AF69989578673E5FF88320F144679EA09AB382DBB1684983A0

Function 00B8D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1341644212.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46592d796def0c53313533a63c8a6a6e5f614691d15d3dc6202a9a3eeff59498
Instruction ID: aac3014abdd78c7c6934d38e40c6de3bf4cf504406bf4ccd43babdb0aa98c539
Opcode Fuzzy Hash: 46592d796def0c53313533a63c8a6a6e5f614691d15d3dc6202a9a3eeff59498
Instruction Fuzzy Hash: 2CF0C275004340AEEB109F16C984B66FBD8EB51734F18C09BED080A2D6C2799C40CBB1

Function 00C3A6E0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72fb34b3497c370e82714e57b1b0744a8ad860e77c08677c580982edf90bd2ab
Instruction ID: 83636b0383e09c90b5bb7f54cbf6b86d0f2821f4a4dbec0e4da433dbfbe5ea24
Opcode Fuzzy Hash: 72fb34b3497c370e82714e57b1b0744a8ad860e77c08677c580982edf90bd2ab
Instruction Fuzzy Hash: F1F02B313482440BDF067B64E4937EA3B61EF81318F1404BDE5494F697D9B65C0E8740

Function 00C3D520 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4202af8706aba7a0c5f1357edd18e5e8b432907c6adccce33f8ee087ee344943
Instruction ID: 3e5b2677e5041ed3730c7c1a69d8e2359c08b4721a3c0af8419832343987cbc5
Opcode Fuzzy Hash: 4202af8706aba7a0c5f1357edd18e5e8b432907c6adccce33f8ee087ee344943
Instruction Fuzzy Hash: D9F02734E78340CAE313A772F48432A3BC58712700F844C2DD45C866C2C7289A56CB12

Function 00C309A2 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fa56975c6a20f5d57ec85985d6dba56c3d8a6b3149073767a8468cb9acb8ad
Instruction ID: 12efce6660cbd4387dd7408bac9f0cae6f8a8e652101c27a1768294c94ba07a0
Opcode Fuzzy Hash: 65fa56975c6a20f5d57ec85985d6dba56c3d8a6b3149073767a8468cb9acb8ad
Instruction Fuzzy Hash: DDF0F874E21219CFDB84CF69D890A8DB3B6AB8C200F24C6A6D809A3224D73099418F14

Function 00C30A03 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a187dc8c3a6e2e3f32d1f913b239ea9e8d8e73232a25803e20affb1239c618
Instruction ID: 86ea693ace357e43a7e51b7720f2bc9131ddaa66f484530a40ad67f2ff4624d5
Opcode Fuzzy Hash: 16a187dc8c3a6e2e3f32d1f913b239ea9e8d8e73232a25803e20affb1239c618
Instruction Fuzzy Hash: E4E0C271A113188FEB04DFA5C960ACEB7F2BB49310F2081EAD109AB2A0D6308E418F54

Function 00C32C15 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f48e19d08bc292ad71805ff80d2ab54204d226a75e1da71881a933d40700690
Instruction ID: e612f869dd162c87cdee05c299e9382a12e8efa93e00b01064da6f43228d6934
Opcode Fuzzy Hash: 6f48e19d08bc292ad71805ff80d2ab54204d226a75e1da71881a933d40700690
Instruction Fuzzy Hash: 4EF02B78A01618CFDB14CFA4CA849DDBBF2AF88311F6451A9D805B7314C735AE89CE10

Function 00C30838 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa20d5cdde353843459655e2d56d9d504d50b2b1de4ab841641a2954a002f91e
Instruction ID: fbc9969db502c497cf609987cd8891876655586be9ee5bf503a6fe15139ce9de
Opcode Fuzzy Hash: fa20d5cdde353843459655e2d56d9d504d50b2b1de4ab841641a2954a002f91e
Instruction Fuzzy Hash: EED0A7B25261448FC700DB746F18B553765EB0721AF2601EED40993562DB710552D799

Function 00C30848 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9036bdc03e69e895dc4ab5c4bfa27338d29d481aad0467a8c9c35d07bd305d
Instruction ID: b21493dec4dd28cea6014f5edea75d30ea4412f46971debae6d6ba688b2f389a
Opcode Fuzzy Hash: fc9036bdc03e69e895dc4ab5c4bfa27338d29d481aad0467a8c9c35d07bd305d
Instruction Fuzzy Hash: 15C012B24122089BCB00EBB8A908F5A77ACE70721AF1105AAE81883251EB71094096A6

Non-executed Functions

Function 00C34FD8 Relevance: 2.7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

m`o, xrefs: 00C351D9
m`o, xrefs: 00C351D2

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID: m`o$m`o
API String ID: 0-2332208288
Opcode ID: 2d163591589c03f32a3082b7b04917beea41a2d7b4f572e6c28bf2a1c8b67b65
Instruction ID: e923a9a02f757b7c7404a974a15787e518ee72e579b19d8b668b16c5a301adca
Opcode Fuzzy Hash: 2d163591589c03f32a3082b7b04917beea41a2d7b4f572e6c28bf2a1c8b67b65
Instruction Fuzzy Hash: 567106B4E1461ADFCB08CF99D5809AEFBB2FF88310F24951AD415AB310C735AA42CF95

Function 00C34FC8 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

m`o, xrefs: 00C351D9
m`o, xrefs: 00C351D2

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID: m`o$m`o
API String ID: 0-2332208288
Opcode ID: eaa7ae1ab78a7c1320fc366dced580248772f519357f244392871c1f8ceb5b5b
Instruction ID: 19685ec9238066bae42efb44abb13393826600b82a179cf54d64470891b8e55a
Opcode Fuzzy Hash: eaa7ae1ab78a7c1320fc366dced580248772f519357f244392871c1f8ceb5b5b
Instruction Fuzzy Hash: 706118B4E1460ADFCB08CF99D5809AEFBB2FF88310F24855AD415A7320D335AA42CF95

Function 07EFB320 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1355973314.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ef0000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c8e3cc20b2bb77f83960257fc0fd55d2c3bd0a55911013c6216f260eda17a88
Instruction ID: e300e21b1d864245bffabfcb4f9bb1eff10a6cab02ef306db609579c9b683977
Opcode Fuzzy Hash: 7c8e3cc20b2bb77f83960257fc0fd55d2c3bd0a55911013c6216f260eda17a88
Instruction Fuzzy Hash: 0CE1F3F4E012198FDB14DFA9C580AAEFBB2FB89305F248169D514AB755D730AD81CF60

Function 07EF9250 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1355973314.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ef0000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bafc0e8c9c2d7702ed7776d4e5464c270283bca75752a8f32fa873ffcfb6604
Instruction ID: a65ada6afd98aa2c66f4997ce27feb47a6ae45145f6047c8e321db6d46547135
Opcode Fuzzy Hash: 3bafc0e8c9c2d7702ed7776d4e5464c270283bca75752a8f32fa873ffcfb6604
Instruction Fuzzy Hash: 6AE117B4E012198FDB14DFA9C580AAEFBB2FF89305F248169D554AB356D730AD81CF60

Function 00C34388 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fafc5ce5a598eb34f494b6b7311ca828b19651ddeaf211fb914cbddad221ef5
Instruction ID: 0af9c0af17298731c907a02e605c060d8c8cff0cadfaf0be52418d067ba4602c
Opcode Fuzzy Hash: 0fafc5ce5a598eb34f494b6b7311ca828b19651ddeaf211fb914cbddad221ef5
Instruction Fuzzy Hash: E991E274A1521ACFCB48CF99C58499EFBF1FF89310F24956AE415AB224D330AA42CF91

Function 00C34378 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0d87c02f2a7aebc0b6634bac5af4e67150c8197417946831c0ff2ac7e851ef
Instruction ID: 51e4948dbfacb09cc9654035951bd9e86258a344695438985454fdac998ab950
Opcode Fuzzy Hash: fc0d87c02f2a7aebc0b6634bac5af4e67150c8197417946831c0ff2ac7e851ef
Instruction Fuzzy Hash: 0681E374A1520ACFCB48CFA9C98499EFBF1FF89310F24956AD415AB324D370AA42CF51

Function 00C35870 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0295542ed6f13079a5cf47255add4f8c2212e265833ebd2b7eda834ba385ad50
Instruction ID: afefb189b5a4f221f011ca4fbc74bfdb6edaaeff66fb89ab10024bdca7d00b29
Opcode Fuzzy Hash: 0295542ed6f13079a5cf47255add4f8c2212e265833ebd2b7eda834ba385ad50
Instruction Fuzzy Hash: 4071E474E15609CFCB08CFAAC5805EEFBF2FF88310F24952AD415BB264D7309A428B65

Function 00C35860 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c5b1d727e27873ff0448c8f2d675b3ff231ddb7ef67efcc577fae104feba6f5
Instruction ID: e4ab82f5c9e8e9c59998bd39b617c88e3acff554bf9d508060344c1340c5560b
Opcode Fuzzy Hash: 0c5b1d727e27873ff0448c8f2d675b3ff231ddb7ef67efcc577fae104feba6f5
Instruction Fuzzy Hash: B471F474E15609CFCB08CFAAC5805EEFBF2EF89310F24956AD415BB264D7309A428B65

Function 00C35AF0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4bb4119649276d940da17483f60116bc142587dc2a6cb5b49ce07015bc34dd
Instruction ID: 05193ba2d43e03bdecbc4833b75badd2987707d524486ccefcf93ea63466a2e5
Opcode Fuzzy Hash: 2d4bb4119649276d940da17483f60116bc142587dc2a6cb5b49ce07015bc34dd
Instruction Fuzzy Hash: 844114B0E156099FCB08CFAAC9415AEFBF2BF89304F24D56AC419B7215D3349A418FA4

Function 00C35B00 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af2afe834490c3cc49b2c10f43b6026f615d06f40cbc5f1b1c0aa3f8b851d484
Instruction ID: 06db63b9b4831f2d6f7ab9df6d7582712283e5fa7d5273a9aa8e3e78b7aa31c5
Opcode Fuzzy Hash: af2afe834490c3cc49b2c10f43b6026f615d06f40cbc5f1b1c0aa3f8b851d484
Instruction Fuzzy Hash: 1241F5B0E14609DBDF08CFAAC9415EEFBF2BB88304F24D56AC419B7214D7349A418FA4

Function 00C35680 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb7dd7f6b883ce3489a0a62797a4aca142cfeb150c18efd5dcd4716a9e194d7b
Instruction ID: f9500402642c3c3eb88afa354412aa5a854dc0cb3e888469e7dea63abc4b029c
Opcode Fuzzy Hash: eb7dd7f6b883ce3489a0a62797a4aca142cfeb150c18efd5dcd4716a9e194d7b
Instruction Fuzzy Hash: F641E2B0E24609CFDB48DFAAC5815AEFBF2BB89300F24C46AD415B7214D7349A418F94

Function 00C35670 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b6f732ff207a91c3f99039db19af73de13988eb854a3d1ca0b86759e5e912f
Instruction ID: f23c92130c9d1a11f3195b38b137e3e6020d9d633d002057eb0fbd4939d50c23
Opcode Fuzzy Hash: 23b6f732ff207a91c3f99039db19af73de13988eb854a3d1ca0b86759e5e912f
Instruction Fuzzy Hash: A541F6B0E24609CFDB48CFAAC9815AEFBF2BF89300F64C46AD415B7254D7349A419F94

Function 00C30871 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344277122.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ab478ee53b625795dcc2f910ecea3409e682b00aa538fdf371eeb96fcca70f
Instruction ID: 413b06de179cad3def14020c52269c344521b83002acec429626beaff5c5c628
Opcode Fuzzy Hash: f4ab478ee53b625795dcc2f910ecea3409e682b00aa538fdf371eeb96fcca70f
Instruction Fuzzy Hash: 3321BE71E156188FEB58CF6BDC0069EF6F3ABC8300F18C07AC918A6264DB3405558F55

Analysis Process: PO82200487.exePID: 7780, Parent PID: 7580COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	95
Total number of Limit Nodes:	7

Executed Functions

Function 06AF5D90 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2572564108.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6af0000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24dbf63b8fcdd4e7978857b844e756ff28bcd3e095bb9856cd50b34df546924c
Instruction ID: 6ac72eb90ab7918c62dc7f4f4db93bab7c1825f5cba732b8f8516e65e323659c
Opcode Fuzzy Hash: 24dbf63b8fcdd4e7978857b844e756ff28bcd3e095bb9856cd50b34df546924c
Instruction Fuzzy Hash: 16F15A30E10209CFEB54EFE5C948B9DBBF1BF88304F158168E519AF2A5DB71A845CB81

Function 06AF0F64 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AF1082

Strings

d, xrefs: 06AF0F69

Memory Dump Source

Source File: 00000004.00000002.2572564108.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6af0000_PO82200487.jbxd

Similarity

API ID: CreateWindow
String ID: d
API String ID: 716092398-2564639436
Opcode ID: 1fec8f82a24aa8eea5c6d49d1f29c63ed24e4fc36ebb0be2a1b33484fea50f94
Instruction ID: e6df0a9fe24aaa85f507871b0981ed7c49ba3961d47acadda6ca123af9588dd9
Opcode Fuzzy Hash: 1fec8f82a24aa8eea5c6d49d1f29c63ed24e4fc36ebb0be2a1b33484fea50f94
Instruction Fuzzy Hash: 5551C0B1D10349EFDB14DFA9C884ADEBFB6BF48310F24812AE918AB250D7759845CF91

Function 069EE220 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2572470309.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69e0000_PO82200487.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8f571b3c93dc444d45f4d23813f312b4b29cc9134b40d9ecc09698d5b58ab403
Instruction ID: 32687a476ae5eb13cfec88119d21bb778cce34fd6b0136bfae8d2f4a136dd576
Opcode Fuzzy Hash: 8f571b3c93dc444d45f4d23813f312b4b29cc9134b40d9ecc09698d5b58ab403
Instruction Fuzzy Hash: FE714670A00B068FE7A5DF6AD44175ABBF5FF88200F10892ED49AD7B50D774E849CB91

Function 06AF0F70 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AF1082

Memory Dump Source

Source File: 00000004.00000002.2572564108.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6af0000_PO82200487.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d9ff10722965e39b15fa1f3633e8122fc948e141d33f763a8a91fb58b3147112
Instruction ID: 347fd40ddfb7d388eded091724c6623e47cb216688697f4317fd2cce29146b72
Opcode Fuzzy Hash: d9ff10722965e39b15fa1f3633e8122fc948e141d33f763a8a91fb58b3147112
Instruction Fuzzy Hash: 4D41CEB1D10349DFDB14DFAAC884ADEBBB5BF48310F24812AE918AB250D7B59845CF91

Function 06AF3530 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06AF35F1

Memory Dump Source

Source File: 00000004.00000002.2572564108.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6af0000_PO82200487.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 15542b0f1557e1df47cd20db38dfc1803e8c5e31848274b94f83c0405e810b7e
Instruction ID: 2a0630cea25d0a79594c03141d27dc53895ce10f05a83208a1f362913235d4e2
Opcode Fuzzy Hash: 15542b0f1557e1df47cd20db38dfc1803e8c5e31848274b94f83c0405e810b7e
Instruction Fuzzy Hash: 934157B8910349CFDB54DF99C448AAABBF5FB88314F248459E518AB320C730A841CFA1

Function 015CAE98 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015CAF1F

Memory Dump Source

Source File: 00000004.00000002.2567977141.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_PO82200487.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6dffa8e1b3c45ca43a7c6f5380ef1a85c3f234c6e67f457bd90f410ba7794f1c
Instruction ID: 53597adbb122ca8d2eee4740e5d210a363e96113d684f37860351121006e5616
Opcode Fuzzy Hash: 6dffa8e1b3c45ca43a7c6f5380ef1a85c3f234c6e67f457bd90f410ba7794f1c
Instruction Fuzzy Hash: 5921C4B59002499FDB10CF9AD584ADEBFF5FB48310F14841AE918A7350D374A954CF65

Function 015CAE90 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015CAF1F

Memory Dump Source

Source File: 00000004.00000002.2567977141.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_15c0000_PO82200487.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 19bbc99b9ae7a0f8630bcad7f70c3f29810485569ae19547413609ec969b1a19
Instruction ID: 0107a05281cf3df7e6f76af67f23952230d16be4c1a63910b99bed42fece6eb4
Opcode Fuzzy Hash: 19bbc99b9ae7a0f8630bcad7f70c3f29810485569ae19547413609ec969b1a19
Instruction Fuzzy Hash: 6821E4B5D002099FDB10CF99D984ADEBFF5FB48320F14841AE958A7350D378A954CF64

Function 069ECE2C Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,069EE23C), ref: 069EE476

Memory Dump Source

Source File: 00000004.00000002.2572470309.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_69e0000_PO82200487.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 90a29fbaa7fe8c373a0449189cb1a8d6314c427b37c649d0910e5398f7a9b6b8
Instruction ID: 775cda7ade20eb10613b8e1d716e9c8f5ae95bed4d2a9aadb88f92dd5a733f81
Opcode Fuzzy Hash: 90a29fbaa7fe8c373a0449189cb1a8d6314c427b37c649d0910e5398f7a9b6b8
Instruction Fuzzy Hash: 83110FB5C007498FDB10DF9AC444B9EFBF8EB89224F10842AD829B7650D379A545CFA5

Function 06AF4CD8 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06AF5BCD

Memory Dump Source

Source File: 00000004.00000002.2572564108.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6af0000_PO82200487.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ff4bc401d70aa67ac8266488e87ff7e87bc7f523cecf35657a4279d61a8e2e2a
Instruction ID: 1e31648ec6e94e8b78e8f21fe3d085b4d1c8aad5cfa34541797344acb7cd6ff6
Opcode Fuzzy Hash: ff4bc401d70aa67ac8266488e87ff7e87bc7f523cecf35657a4279d61a8e2e2a
Instruction Fuzzy Hash: BB1103B5C043498FDB10DF9AD449B9EBBF4EB48220F108859E519A7340D374A944CFA5

Function 06AF5B71 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06AF5BCD

Memory Dump Source

Source File: 00000004.00000002.2572564108.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6af0000_PO82200487.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d6e92c849a213019f4871bbdd6a166f9b6b01a6384977a62ef9409c7d22f6d60
Instruction ID: 67978bfa99e28badaa59bf8b122a59814302dbd0f5b54817d381c5f25399c076
Opcode Fuzzy Hash: d6e92c849a213019f4871bbdd6a166f9b6b01a6384977a62ef9409c7d22f6d60
Instruction Fuzzy Hash: 6E1133B58003498FCB20DF9AD445BCEFFF8AB48220F108859E559A3340D378A544CFA5

Function 0157D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2567717905.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_157d000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41779b7245baa77c38416ff6c0486ac4ad833264150ddd0abb09e3b10959cda8
Instruction ID: 4ffa6a2dbc0314b19512d78ebb671cee1b763d9f8895be76cbe260560ba4a60d
Opcode Fuzzy Hash: 41779b7245baa77c38416ff6c0486ac4ad833264150ddd0abb09e3b10959cda8
Instruction Fuzzy Hash: 7421FF756042449FDB16DF54E980B2ABBA5FF84214F24C969D80A4F282D33AD806CA62

Function 0157D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2567717905.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_157d000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2b3b4bed19f7b3c3e70f966347b4342e60bcc4aad68d6de13978df7bd8c30d
Instruction ID: 24f49b157095ad5f6a5fa3755eb0ba7c586c8ebc7dfb608018150a4aabdcfeb7
Opcode Fuzzy Hash: 1e2b3b4bed19f7b3c3e70f966347b4342e60bcc4aad68d6de13978df7bd8c30d
Instruction Fuzzy Hash: E62168755093808FCB03CF64D990B15BF71BF46214F28C5EAD8498F6A7C33A980ACB62

Function 0156D628 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2567669685.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_156d000_PO82200487.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 827ee908721912c4379c07d9a3bad436081c925763c47301ea19c407e627c42b
Instruction ID: 9a4cb1a9cbe3f3f0893b8c6ce7692a681c5912a859eb36c5c1d2ec28b6509216
Opcode Fuzzy Hash: 827ee908721912c4379c07d9a3bad436081c925763c47301ea19c407e627c42b
Instruction Fuzzy Hash: F1F0C2716043409FEB108A0AC9C4B66FFACEB41634F18C45AED4C4F283C2799840CAB1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO82200487.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO82200487.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_34ti2whq.w5r.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nmjdok4u.wrt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r4wpzcwy.0cy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ylhtpzcc.qdw.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
PO82200487.exe

Function 00C33430 Relevance: 6.6, Strings: 5, Instructions: 302
COMMON

Function 00C33418 Relevance: 6.5, Strings: 5, Instructions: 299
COMMON

Function 00C313CF Relevance: 2.7, Strings: 2, Instructions: 209
COMMON

Function 00C313F0 Relevance: 2.7, Strings: 2, Instructions: 201
COMMON

Function 00C31B81 Relevance: 1.4, Strings: 1, Instructions: 148
COMMON

Function 07EFC450 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 07EFC1C8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 07EFC2B8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 07EFC030 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 07EFC108 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Function 07EFBF80 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Function 07EFD100 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Function 00C33DE9 Relevance: 1.3, Strings: 1, Instructions: 98
COMMON

Function 00C33E30 Relevance: 1.3, Strings: 1, Instructions: 80
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre