Edit tour

Windows Analysis Report
OHScaqAPjt.exe

Overview

General Information

Sample name:	OHScaqAPjt.exe renamed because original name is a hash value
Original sample name:	5da381b368562b2c5d9fce29e229c640ea428b3d4519562613f987235bc611b8.exe
Analysis ID:	1569266
MD5:	17536cc0e75198f811e580990a4f56ef
SHA1:	6ce2b12bdc00d37ddbeaed860ec518ca7a4ee9f7
SHA256:	5da381b368562b2c5d9fce29e229c640ea428b3d4519562613f987235bc611b8
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

OHScaqAPjt.exe (PID: 3660 cmdline: "C:\Users\user\Desktop\OHScaqAPjt.exe" MD5: 17536CC0E75198F811E580990A4F56EF)

powershell.exe (PID: 1396 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OHScaqAPjt.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7288 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 984 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PZgxeUcXE.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2128 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmp9FAF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

OHScaqAPjt.exe (PID: 6576 cmdline: "C:\Users\user\Desktop\OHScaqAPjt.exe" MD5: 17536CC0E75198F811E580990A4F56EF)

PZgxeUcXE.exe (PID: 7256 cmdline: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe MD5: 17536CC0E75198F811E580990A4F56EF)

schtasks.exe (PID: 7468 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmpBE05.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PZgxeUcXE.exe (PID: 7512 cmdline: "C:\Users\user\AppData\Roaming\PZgxeUcXE.exe" MD5: 17536CC0E75198F811E580990A4F56EF)

PZgxeUcXE.exe (PID: 7520 cmdline: "C:\Users\user\AppData\Roaming\PZgxeUcXE.exe" MD5: 17536CC0E75198F811E580990A4F56EF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.3357331249.00000000032EC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.3354443541.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.3354443541.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.3358108714.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2172098106.0000000005750000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.3357331249.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.3357331249.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.3358108714.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.3358108714.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2161856213.0000000003C89000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2161856213.0000000003C89000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2161856213.0000000003C89000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: OHScaqAPjt.exe PID: 3660	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: OHScaqAPjt.exe PID: 3660	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: OHScaqAPjt.exe PID: 3660	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: OHScaqAPjt.exe PID: 6576	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: OHScaqAPjt.exe PID: 6576	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PZgxeUcXE.exe PID: 7256	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PZgxeUcXE.exe PID: 7520	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PZgxeUcXE.exe PID: 7520	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.OHScaqAPjt.exe.5750000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.OHScaqAPjt.exe.5750000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.OHScaqAPjt.exe.3ca5808.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.OHScaqAPjt.exe.3cba628.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.OHScaqAPjt.exe.3ed6738.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.OHScaqAPjt.exe.3ed6738.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.OHScaqAPjt.exe.3ed6738.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31761:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3187d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31959:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33561:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e00b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3367d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e09d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e107:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33759:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e179:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e20f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e29f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0xcef1f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x24f5ff:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x28a01f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xcef91:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24f671:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x28a091:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xcf01b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24f6fb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x28a11b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xcf0ad:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24f78d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x28a1ad:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xcf117:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24f7f7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x28a217:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xcf189:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x24f869:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x28a289:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xcf21f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x24f8ff:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x28a31f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x11539:$s1: file:/// 0x11495:$s2: {11111-22222-10009-11112} 0x114c9:$s3: {11111-22222-50001-00000} 0xf17e:$s4: get_Module 0xcbccc:$s5: Reverse 0x24c3ac:$s5: Reverse 0x286dcc:$s5: Reverse 0xce6fa:$s6: BlockCopy 0x24edda:$s6: BlockCopy 0x2897fa:$s6: BlockCopy 0x2c798f:$s6: BlockCopy 0xcbf31:$s7: ReadByte 0x24c611:$s7: ReadByte 0x287031:$s7: ReadByte 0x2c781a:$s7: ReadByte 0x1154b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0xe3d3f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x26441f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x29ee3f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xe3db1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x264491:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x29eeb1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xe3e3b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26451b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x29ef3b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xe3ecd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x2645ad:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x29efcd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xe3f37:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x264617:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x29f037:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xe3fa9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x264689:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x29f0a9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xe403f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x26471f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x29f13f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x11539:$s1: file:/// 0x26359:$s1: file:/// 0x11495:$s2: {11111-22222-10009-11112} 0x262b5:$s2: {11111-22222-10009-11112} 0x114c9:$s3: {11111-22222-50001-00000} 0x262e9:$s3: {11111-22222-50001-00000} 0xf17e:$s4: get_Module 0x23f9e:$s4: get_Module 0xe0aec:$s5: Reverse 0x2611cc:$s5: Reverse 0x29bbec:$s5: Reverse 0xe351a:$s6: BlockCopy 0x263bfa:$s6: BlockCopy 0x29e61a:$s6: BlockCopy 0x2dc7af:$s6: BlockCopy 0xe0d51:$s7: ReadByte 0x261431:$s7: ReadByte 0x29be51:$s7: ReadByte 0x2dc63a:$s7: ReadByte 0x1154b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x2636b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 20 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OHScaqAPjt.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OHScaqAPjt.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OHScaqAPjt.exe", ParentImage: C:\Users\user\Desktop\OHScaqAPjt.exe, ParentProcessId: 3660, ParentProcessName: OHScaqAPjt.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OHScaqAPjt.exe", ProcessId: 1396, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmpBE05.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmpBE05.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe, ParentImage: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe, ParentProcessId: 7256, ParentProcessName: PZgxeUcXE.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmpBE05.tmp", ProcessId: 7468, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\OHScaqAPjt.exe, Initiated: true, ProcessId: 6576, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49710

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmp9FAF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmp9FAF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\OHScaqAPjt.exe", ParentImage: C:\Users\user\Desktop\OHScaqAPjt.exe, ParentProcessId: 3660, ParentProcessName: OHScaqAPjt.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmp9FAF.tmp", ProcessId: 2128, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OHScaqAPjt.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OHScaqAPjt.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OHScaqAPjt.exe", ParentImage: C:\Users\user\Desktop\OHScaqAPjt.exe, ParentProcessId: 3660, ParentProcessName: OHScaqAPjt.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OHScaqAPjt.exe", ProcessId: 1396, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmp9FAF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmp9FAF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\OHScaqAPjt.exe", ParentImage: C:\Users\user\Desktop\OHScaqAPjt.exe, ParentProcessId: 3660, ParentProcessName: OHScaqAPjt.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmp9FAF.tmp", ProcessId: 2128, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: OHScaqAPjt.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe

Avira: detection malicious, Label: HEUR/AGEN.1305452

Found malware configuration

Source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: OHScaqAPjt.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: OHScaqAPjt.exe

Joe Sandbox ML: detected

Source: OHScaqAPjt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49711 version: TLS 1.2

Source: OHScaqAPjt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: uIrP.pdb source: OHScaqAPjt.exe, PZgxeUcXE.exe.0.dr
Source:	Binary string: uIrP.pdbSHA256V. source: OHScaqAPjt.exe, PZgxeUcXE.exe.0.dr

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	IP Address: 46.175.148.58 46.175.148.58
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.5:49710 -> 46.175.148.58:25

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.iaa-airferight.com

Source: PZgxeUcXE.exe, 0000000F.00000002.3366937334.0000000006B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: OHScaqAPjt.exe, 00000009.00000002.3358108714.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp, PZgxeUcXE.exe, 0000000F.00000002.3357331249.00000000032EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.iaa-airferight.com
Source: OHScaqAPjt.exe, 00000000.00000002.2160350490.0000000002CD5000.00000004.00000800.00020000.00000000.sdmp, OHScaqAPjt.exe, 00000009.00000002.3358108714.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, PZgxeUcXE.exe, 0000000A.00000002.2237847657.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, PZgxeUcXE.exe, 0000000F.00000002.3357331249.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: OHScaqAPjt.exe, PZgxeUcXE.exe.0.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: OHScaqAPjt.exe, 00000000.00000002.2161856213.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, PZgxeUcXE.exe, 0000000F.00000002.3354443541.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: OHScaqAPjt.exe, 00000000.00000002.2161856213.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, OHScaqAPjt.exe, 00000009.00000002.3354438577.0000000000432000.00000040.00000400.00020000.00000000.sdmp, OHScaqAPjt.exe, 00000009.00000002.3358108714.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, PZgxeUcXE.exe, 0000000F.00000002.3357331249.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: OHScaqAPjt.exe, 00000009.00000002.3358108714.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, PZgxeUcXE.exe, 0000000F.00000002.3357331249.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: OHScaqAPjt.exe, 00000009.00000002.3358108714.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, PZgxeUcXE.exe, 0000000F.00000002.3357331249.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49711 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, abAX9N.cs

.Net Code: OPnJT

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.OHScaqAPjt.exe.3ed6738.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_011DD4A4	0_2_011DD4A4
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_011DD4D8	0_2_011DD4D8
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_074374A0	0_2_074374A0
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_0743A380	0_2_0743A380
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_0743EBE8	0_2_0743EBE8
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_07437492	0_2_07437492
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_0743A370	0_2_0743A370
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_07437160	0_2_07437160
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_07437170	0_2_07437170
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_0743EBD8	0_2_0743EBD8
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_07E79E78	0_2_07E79E78
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_07E71D28	0_2_07E71D28
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_07E71D18	0_2_07E71D18
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_07E74310	0_2_07E74310
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_07E72160	0_2_07E72160
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_07E73960	0_2_07E73960
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_07E72150	0_2_07E72150
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_07E718E0	0_2_07E718E0
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_07E718EE	0_2_07E718EE
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_07E718F0	0_2_07E718F0
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 9_2_02A7A198	9_2_02A7A198
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 9_2_02A7E6B0	9_2_02A7E6B0
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 9_2_02A74A98	9_2_02A74A98
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 9_2_02A7A960	9_2_02A7A960
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 9_2_02A73E80	9_2_02A73E80
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 9_2_02A741C8	9_2_02A741C8
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 9_2_068E5588	9_2_068E5588
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 9_2_068E65E0	9_2_068E65E0
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 9_2_068E7D68	9_2_068E7D68
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 9_2_068EB20F	9_2_068EB20F
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 9_2_068E2358	9_2_068E2358
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 9_2_068E7688	9_2_068E7688
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 9_2_068E5CE8	9_2_068E5CE8
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 9_2_068EE388	9_2_068EE388
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 9_2_068E0040	9_2_068E0040
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 9_2_068E02E6	9_2_068E02E6
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 9_2_068E0006	9_2_068E0006
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 10_2_0124D4A4	10_2_0124D4A4
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 10_2_07C68DFB	10_2_07C68DFB
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 10_2_07C61D18	10_2_07C61D18
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 10_2_07C61D28	10_2_07C61D28
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 10_2_07C64310	10_2_07C64310
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 10_2_07C62150	10_2_07C62150
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 10_2_07C62160	10_2_07C62160
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 10_2_07C63960	10_2_07C63960
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 10_2_07C618F0	10_2_07C618F0
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 15_2_0192E6A1	15_2_0192E6A1
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 15_2_0192A960	15_2_0192A960
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 15_2_01924A98	15_2_01924A98
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 15_2_01923E80	15_2_01923E80
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 15_2_019241C8	15_2_019241C8
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 15_2_06EE65E0	15_2_06EE65E0
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 15_2_06EE5588	15_2_06EE5588
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 15_2_06EE7D68	15_2_06EE7D68
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 15_2_06EEB20F	15_2_06EEB20F
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 15_2_06EE3040	15_2_06EE3040
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 15_2_06EE7688	15_2_06EE7688
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 15_2_06EE5CD3	15_2_06EE5CD3
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 15_2_06EEE388	15_2_06EEE388
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 15_2_06EE2349	15_2_06EE2349
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 15_2_06EE0040	15_2_06EE0040
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 15_2_06EE0006	15_2_06EE0006

Source: OHScaqAPjt.exe, 00000000.00000002.2172612334.0000000007365000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameschtasks.exej% vs OHScaqAPjt.exe
Source: OHScaqAPjt.exe, 00000000.00000002.2160350490.0000000002CD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs OHScaqAPjt.exe
Source: OHScaqAPjt.exe, 00000000.00000002.2175426498.0000000007CF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs OHScaqAPjt.exe
Source: OHScaqAPjt.exe, 00000000.00000000.2095138664.00000000008DE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameuIrP.exe* vs OHScaqAPjt.exe
Source: OHScaqAPjt.exe, 00000000.00000002.2161856213.0000000003C89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs OHScaqAPjt.exe
Source: OHScaqAPjt.exe, 00000000.00000002.2161856213.0000000003C89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs OHScaqAPjt.exe
Source: OHScaqAPjt.exe, 00000000.00000002.2159641487.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs OHScaqAPjt.exe
Source: OHScaqAPjt.exe, 00000009.00000002.3354853711.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs OHScaqAPjt.exe
Source: OHScaqAPjt.exe	Binary or memory string: OriginalFilenameuIrP.exe* vs OHScaqAPjt.exe

Source: OHScaqAPjt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.OHScaqAPjt.exe.3ed6738.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: OHScaqAPjt.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PZgxeUcXE.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, RsYAkkzVoy.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, Kqqzixk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, xROdzGigX.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, ywes.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, iPVW0zV.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, 1Pi9sgbHwoV.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, YUgDfWK2g4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, YUgDfWK2g4.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, qYPY7Ptv9xCkBuL64s.cs	Security API names: _0020.SetAccessControl
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, qYPY7Ptv9xCkBuL64s.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, qYPY7Ptv9xCkBuL64s.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, mji3xOZ3fGXcEUUn7t.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, mji3xOZ3fGXcEUUn7t.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/15@2/2

Source: C:\Users\user\Desktop\OHScaqAPjt.exe

File created: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:120:WilError_03

Source: C:\Users\user\Desktop\OHScaqAPjt.exe

File created: C:\Users\user\AppData\Local\Temp\tmp9FAF.tmp

Jump to behavior

Source: OHScaqAPjt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: OHScaqAPjt.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\OHScaqAPjt.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\OHScaqAPjt.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OHScaqAPjt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OHScaqAPjt.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\OHScaqAPjt.exe

File read: C:\Users\user\Desktop\OHScaqAPjt.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\OHScaqAPjt.exe "C:\Users\user\Desktop\OHScaqAPjt.exe"
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OHScaqAPjt.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PZgxeUcXE.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmp9FAF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process created: C:\Users\user\Desktop\OHScaqAPjt.exe "C:\Users\user\Desktop\OHScaqAPjt.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe C:\Users\user\AppData\Roaming\PZgxeUcXE.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmpBE05.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process created: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe "C:\Users\user\AppData\Roaming\PZgxeUcXE.exe"
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process created: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe "C:\Users\user\AppData\Roaming\PZgxeUcXE.exe"
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OHScaqAPjt.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PZgxeUcXE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmp9FAF.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process created: C:\Users\user\Desktop\OHScaqAPjt.exe "C:\Users\user\Desktop\OHScaqAPjt.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmpBE05.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process created: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe "C:\Users\user\AppData\Roaming\PZgxeUcXE.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process created: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe "C:\Users\user\AppData\Roaming\PZgxeUcXE.exe"	Jump to behavior

Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\OHScaqAPjt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\OHScaqAPjt.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\OHScaqAPjt.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: OHScaqAPjt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: OHScaqAPjt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: OHScaqAPjt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: uIrP.pdb source: OHScaqAPjt.exe, PZgxeUcXE.exe.0.dr
Source:	Binary string: uIrP.pdbSHA256V. source: OHScaqAPjt.exe, PZgxeUcXE.exe.0.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack, at4ONG9F0NYCELN5Tj.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{cPRyvIfYviaTKciquO(typeof(IntPtr).TypeHandle),cPRyvIfYviaTKciquO(typeof(Type).TypeHandle)})
Source: 0.2.OHScaqAPjt.exe.5750000.3.raw.unpack, at4ONG9F0NYCELN5Tj.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{cPRyvIfYviaTKciquO(typeof(IntPtr).TypeHandle),cPRyvIfYviaTKciquO(typeof(Type).TypeHandle)})
Source: 0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack, at4ONG9F0NYCELN5Tj.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{cPRyvIfYviaTKciquO(typeof(IntPtr).TypeHandle),cPRyvIfYviaTKciquO(typeof(Type).TypeHandle)})

.NET source code contains potential unpacker

Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, qYPY7Ptv9xCkBuL64s.cs

.Net Code: bGY5YeN1FY System.Reflection.Assembly.Load(byte[])

Source: OHScaqAPjt.exe

Static PE information: 0xF1F7D0D3 [Fri Aug 22 12:45:07 2098 UTC]

Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 0_2_07436772 push esp; ret	0_2_07436779
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Code function: 9_2_02A70C55 push edi; retf	9_2_02A70C7A
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 10_2_0124F4D0 pushfd ; iretd	10_2_0124F4D1
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 15_2_01920C55 push edi; retf	15_2_01920C7A
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Code function: 15_2_06EEFFB0 push es; ret	15_2_06EEFFC0

Source: OHScaqAPjt.exe	Static PE information: section name: .text entropy: 7.656357735824942
Source: PZgxeUcXE.exe.0.dr	Static PE information: section name: .text entropy: 7.656357735824942

Source: 0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'YgSHuitkd', 'aiP2N9Y7C', 'gHQx79i6W', 'AGv9PUWi3', 'QMsbTCblb', 'beIGikGSa', 'clTPOt4ON', 'fF0vNYCEL', 'C5TCjFvvv', 'ln3BTm5Rw'
Source: 0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack, at4ONG9F0NYCELN5Tj.cs	High entropy of concatenated method names: 'nVoxarmF975Urj2p8sJ', 'tIta6WmWAkGE6iVCWgt', 'Y8N2DklRel', 'hpreq0m6Xcu1pidWj9b', 'KFC0XvmT5N8D2LR210h', 'a5foommXYpDAHBV6LjL', 'd3wYgimbV84NAc2fo7p', 'ItvPp5mqvV1adE08UOg', 'KA7rbWmJ0EMRNxYE2Vd', 'PPtPBAmQMyT7QpfjJpI'
Source: 0.2.OHScaqAPjt.exe.5750000.3.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'YgSHuitkd', 'aiP2N9Y7C', 'gHQx79i6W', 'AGv9PUWi3', 'QMsbTCblb', 'beIGikGSa', 'clTPOt4ON', 'fF0vNYCEL', 'C5TCjFvvv', 'ln3BTm5Rw'
Source: 0.2.OHScaqAPjt.exe.5750000.3.raw.unpack, at4ONG9F0NYCELN5Tj.cs	High entropy of concatenated method names: 'nVoxarmF975Urj2p8sJ', 'tIta6WmWAkGE6iVCWgt', 'Y8N2DklRel', 'hpreq0m6Xcu1pidWj9b', 'KFC0XvmT5N8D2LR210h', 'a5foommXYpDAHBV6LjL', 'd3wYgimbV84NAc2fo7p', 'ItvPp5mqvV1adE08UOg', 'KA7rbWmJ0EMRNxYE2Vd', 'PPtPBAmQMyT7QpfjJpI'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, kC8ePrINhCFSao7naQM.cs	High entropy of concatenated method names: 'o1wUFdxVjU', 'EjKUXbya7h', 'poFUYrJYjQ', 'HJhUO8DnFm', 'B7cUwj0aK3', 'zgQU6PkuVg', 'mpPU407XI7', 'zS3UTFLhSB', 'hPBUfmTcw9', 'mUwUiCHjwC'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, mji3xOZ3fGXcEUUn7t.cs	High entropy of concatenated method names: 'Sx2dapai4t', 'bSndAqdV15', 'dyidgWvvSq', 'UOjdNFoxxf', 'BFvdLPFFhj', 'XlYdttLhoT', 'FbEd7aKRtA', 'o8RdxvP9px', 'uxldkS4jXs', 'CIldRc8I2f'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, yjUho3IycgDtBBwJjm6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'aUK8aSndBA', 'CCC8AGEpKa', 'vO78gZdQLL', 'PKv8NBxHOG', 'Aut8LQcX2R', 'ley8tbLgj3', 'SuF87WZ1Ap'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, ybwW26mbrr0yRKVBct.cs	High entropy of concatenated method names: 'fatVFfGadm', 'vyCVXQPBBv', 'lrXVYXDlKS', 'JsFVObmAUS', 'YJ7VwdxUPx', 'tdBV6rVFRl', 'q1ZV4ZUwub', 'nEbVTfBZLT', 'cusVfbhuvG', 'EcwViGXpcN'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, mmEGGaQkehAT17s7nk.cs	High entropy of concatenated method names: 'Dispose', 'upYjktVnFZ', 'cBPvmel7xW', 'MArJJ4doC8', 'QfBjRFvJTG', 'dG3jzSAFPK', 'ProcessDialogKey', 'zNGvcmb9jr', 'mvsvjLaAhF', 'IHKvvqabq8'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, Ak5MgMJUNQr7dZoPgp.cs	High entropy of concatenated method names: 'okWDqX1O6t', 'kNhDm0lB2f', 'piQDZ3Mp89', 'daaD3B0c74', 'DCvDa4eVuy', 'jg3D2ypZBO', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, xmtdW29LhhBJobAsjv.cs	High entropy of concatenated method names: 'nQWjVe7RH5', 'PKsjlxYj9m', 'FuGjPYUReT', 'B41j0VGjl2', 'suLjrL4JNc', 'Ft2joFERBM', 'kJUxnV06JpyShAVmCJ', 'W4vb255Ux1nyqZ0gjx', 'XOJjjx0weD', 'YkIjW1gcGg'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, gYPgnEBYIS9vV7Gtl3.cs	High entropy of concatenated method names: 'NZAGBx9hsP', 'QX1GdrIdBS', 'GcxGEfKWdu', 'YeeGVv6wqL', 'DWmGlLr96U', 'co0ELHxg5T', 'KcuEtfC71y', 'M5lE7W9ekn', 'di1ExPwuq2', 'kc7Ekrwj4l'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, XQxM9jshv8UdfB4Vvr.cs	High entropy of concatenated method names: 'DOEVCyb1QN', 'pJGV9IyApQ', 'SypVG7mfpU', 'FvNGROgDhf', 'C6wGz5Bunx', 'cJPVc6OGqZ', 'r4sVj42pAM', 'iKkVvOyc7c', 'PjtVWaJ6hC', 'h6xV57Baev'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, JegwVGPS7M36OZC5N3.cs	High entropy of concatenated method names: 'mn6DCInOVq', 'vEkDdFmGqO', 'l6yD9hJw3j', 'LycDEYt5cM', 'GvgDGPwCqJ', 'yGyDVkPjOr', 'ijSDlCKREa', 'US5DblQHCS', 'qq8DPELqFP', 'vvoD05tjSO'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, QaYi6NEURdpQ6mORE6.cs	High entropy of concatenated method names: 'MoWrSxIHsF', 'anrrMsbTLx', 'YT3raQvNw9', 'H2NrAUhXvZ', 'JwarmcIN8o', 'rKMrZsYTi2', 'kllr3vmeU8', 'BeZr2DGTGl', 'WZ0rI3F0wY', 'qB9rhYtn1s'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, EafZ0xr5G1xsjugm0k.cs	High entropy of concatenated method names: 'ikPQxhfA3s', 'VgmQRFficN', 'kDiDcypuJo', 'wtTDjcBt7n', 'huxQnLCE8w', 'KfqQMmyFCA', 'IBKQHABY0B', 'goBQaSXpI1', 'FQxQAR8IwT', 'ynjQgxGwME'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, IPxjmQ5r4fgreZFDWH.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'px1vke0199', 'bXZvRHHOya', 'PLAvzPHtGQ', 'h1VWcZdbBm', 'e6bWjE1qno', 'FVHWvUJ1kF', 'vMxWWMy01F', 'zjiqqmVjgnGAOXkwChY'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, crKrlWjZeSuGsECpQD.cs	High entropy of concatenated method names: 'jQupTFTPEL', 'j0PpfLGRDN', 'FYlpqLG7xe', 'B8mpmQZteF', 'Yrnp3eiudG', 'x5pp2nDZkI', 'Rmdpho4clk', 'gIIps4SGyf', 'IHrpS63a1h', 'K6FpnyuoZS'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, ENk1lg30Ntmgf0jwcF.cs	High entropy of concatenated method names: 'YtCYuKaYh', 'bLuOa98WH', 'Mpf6lFmRP', 'f3D4HkuRL', 'RfQf7Km1p', 'QweinEsjS', 'lcswP4Y0xZoH4M6LAr', 'vU9iXKqZPAdENJtYmX', 'uIr6pcZp1T5fB8l5bg', 'sJeDPLBKe'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, LFuWZASq19NXdi2cKY.cs	High entropy of concatenated method names: 'QmaUjOJ2I6', 'i6MUWVeJbj', 'QUdU5oNPCW', 'EViUCQc0pv', 'XfXUddAX0j', 'FZTUExH40F', 'NGpUG1ZCJC', 'i3wD7mBXdy', 'd4yDxbYDXU', 'w7DDkJxfeQ'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, O46dmpwj1W9ccbiZdu.cs	High entropy of concatenated method names: 'fBO9O3mrST', 'xrn96Qbxap', 'nev9TyxwFH', 'bdC9fdLQFN', 'bFK9r44CKd', 'Psv9oCw8eu', 'j6i9QytpEJ', 'QWc9DUFUr4', 'gmb9Uc0I8x', 'w7B982Ho9D'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, qYPY7Ptv9xCkBuL64s.cs	High entropy of concatenated method names: 'lg9WBbFFQT', 'g1pWCHCs82', 'welWdATYdX', 'G03W9HluPj', 'ApkWEOUsAa', 'l61WG3Mdyh', 'WSIWVjPpgu', 'dfTWlqYgj1', 'P2DWbFYcBh', 'U52WPZ9XGr'
Source: 0.2.OHScaqAPjt.exe.7cf0000.4.raw.unpack, r7BbESK4nVruo5mGNK.cs	High entropy of concatenated method names: 'OhJQP9LN1M', 'nosQ0MAqRQ', 'ToString', 'Jw4QC8vXK1', 'OEVQdRn7d9', 'cQKQ9h8LtW', 'aeHQEVqXPy', 'DZpQGeNsJv', 'euAQV67dYV', 'GyQQl9w9cm'
Source: 0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'YgSHuitkd', 'aiP2N9Y7C', 'gHQx79i6W', 'AGv9PUWi3', 'QMsbTCblb', 'beIGikGSa', 'clTPOt4ON', 'fF0vNYCEL', 'C5TCjFvvv', 'ln3BTm5Rw'
Source: 0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack, at4ONG9F0NYCELN5Tj.cs	High entropy of concatenated method names: 'nVoxarmF975Urj2p8sJ', 'tIta6WmWAkGE6iVCWgt', 'Y8N2DklRel', 'hpreq0m6Xcu1pidWj9b', 'KFC0XvmT5N8D2LR210h', 'a5foommXYpDAHBV6LjL', 'd3wYgimbV84NAc2fo7p', 'ItvPp5mqvV1adE08UOg', 'KA7rbWmJ0EMRNxYE2Vd', 'PPtPBAmQMyT7QpfjJpI'

Source: C:\Users\user\Desktop\OHScaqAPjt.exe

File created: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\OHScaqAPjt.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmp9FAF.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: OHScaqAPjt.exe PID: 3660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgxeUcXE.exe PID: 7256, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\OHScaqAPjt.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Memory allocated: 1190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Memory allocated: 2C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Memory allocated: 9120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Memory allocated: A120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Memory allocated: A330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Memory allocated: B330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Memory allocated: 2A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Memory allocated: 2C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Memory allocated: 4C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Memory allocated: 1240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Memory allocated: 2E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Memory allocated: 4E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Memory allocated: 8F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Memory allocated: 9F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Memory allocated: A150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Memory allocated: B150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Memory allocated: 1880000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Memory allocated: 3270000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Memory allocated: 1880000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5774	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5734	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Window / User API: threadDelayed 2281	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Window / User API: threadDelayed 7539	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Window / User API: threadDelayed 2808
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Window / User API: threadDelayed 7044

Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 2992	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3652	Thread sleep count: 5774 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7192	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3652	Thread sleep count: 321 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1516	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7212	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7420	Thread sleep count: 2281 > 30	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -99885s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7420	Thread sleep count: 7539 > 30	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -98953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -98844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -98719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -98610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -98485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -98360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -98235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -98110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -97985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -97485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -97360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -97235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -97110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -96985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -96860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -96735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -96610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -96485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -96360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -96235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -96110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -95985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -95860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -95735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -95610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -95485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -95360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -95235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -95110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -94989s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -94860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -94735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -94610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -94485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -94360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -94235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -94110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe TID: 7412	Thread sleep time: -93985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7312	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7652	Thread sleep count: 2808 > 30
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7652	Thread sleep count: 7044 > 30
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -99325s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -99219s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -98759s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -98485s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -98374s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -98265s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -98156s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -98047s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -97922s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -97799s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -97671s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -97562s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -97453s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -97343s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -97234s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -97120s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -97015s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -96906s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -96796s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -96687s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -96574s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -96206s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -95641s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -95531s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -95421s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -95312s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -95203s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -95094s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -94984s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -94875s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -94765s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -94656s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -94547s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -94437s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -94328s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -94219s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -94109s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -94000s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -93890s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -93781s >= -30000s
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe TID: 7632	Thread sleep time: -93617s >= -30000s

Source: C:\Users\user\Desktop\OHScaqAPjt.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\OHScaqAPjt.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 99885	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 98719	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 98610	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 97485	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 97235	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 97110	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 96985	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 96860	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 96735	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 96610	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 96485	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 96235	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 96110	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 95985	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 95860	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 95735	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 95610	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 95485	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 95360	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 95235	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 95110	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 94989	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 94860	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 94735	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 94610	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 94485	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 94360	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 94235	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 94110	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Thread delayed: delay time: 93985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 99546
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 99325
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 99219
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 99000
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 98759
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 98485
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 98374
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 98265
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 98156
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 98047
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 97922
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 97799
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 97671
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 97562
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 97453
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 97343
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 97234
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 97120
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 97015
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 96906
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 96796
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 96687
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 96574
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 96206
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 95641
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 95531
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 95421
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 95312
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 95203
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 95094
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 94984
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 94875
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 94765
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 94656
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 94547
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 94437
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 94328
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 94219
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 94109
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 94000
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 93890
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 93781
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Thread delayed: delay time: 93617

Source: PZgxeUcXE.exe, 0000000F.00000002.3355815575.00000000013ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: OHScaqAPjt.exe, 00000009.00000002.3355955658.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\OHScaqAPjt.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OHScaqAPjt.exe"
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PZgxeUcXE.exe"
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OHScaqAPjt.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PZgxeUcXE.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Memory written: C:\Users\user\Desktop\OHScaqAPjt.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Memory written: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OHScaqAPjt.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PZgxeUcXE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmp9FAF.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Process created: C:\Users\user\Desktop\OHScaqAPjt.exe "C:\Users\user\Desktop\OHScaqAPjt.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmpBE05.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process created: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe "C:\Users\user\AppData\Roaming\PZgxeUcXE.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Process created: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe "C:\Users\user\AppData\Roaming\PZgxeUcXE.exe"	Jump to behavior

Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Queries volume information: C:\Users\user\Desktop\OHScaqAPjt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Queries volume information: C:\Users\user\Desktop\OHScaqAPjt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Queries volume information: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Queries volume information: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\OHScaqAPjt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3ed6738.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3357331249.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3354443541.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3358108714.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3357331249.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3358108714.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2161856213.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OHScaqAPjt.exe PID: 3660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OHScaqAPjt.exe PID: 6576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgxeUcXE.exe PID: 7520, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.OHScaqAPjt.exe.5750000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.5750000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3ca5808.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3cba628.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2172098106.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2161856213.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\OHScaqAPjt.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\OHScaqAPjt.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3ed6738.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3354443541.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3357331249.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3358108714.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2161856213.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OHScaqAPjt.exe PID: 3660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OHScaqAPjt.exe PID: 6576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgxeUcXE.exe PID: 7520, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3ed6738.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3ed6738.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3357331249.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3354443541.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3358108714.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3357331249.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3358108714.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2161856213.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OHScaqAPjt.exe PID: 3660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OHScaqAPjt.exe PID: 6576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgxeUcXE.exe PID: 7520, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.OHScaqAPjt.exe.5750000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.5750000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3ca5808.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3cba628.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2172098106.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2161856213.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3cba628.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OHScaqAPjt.exe.3ca5808.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	2 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	1 Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
OHScaqAPjt.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
OHScaqAPjt.exe	100%	Avira	HEUR/AGEN.1305452
OHScaqAPjt.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	100%	Avira	HEUR/AGEN.1305452
C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\PZgxeUcXE.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Source	Detection	Scanner	Label	Link
http://crl.micro	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.iaa-airferight.com	46.175.148.58	true	false		high
api.ipify.org	172.67.74.152	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	OHScaqAPjt.exe, 00000000.00000002.2161856213.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, OHScaqAPjt.exe, 00000009.00000002.3354438577.0000000000432000.00000040.00000400.00020000.00000000.sdmp, OHScaqAPjt.exe, 00000009.00000002.3358108714.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, PZgxeUcXE.exe, 0000000F.00000002.3357331249.0000000003271000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	OHScaqAPjt.exe, 00000000.00000002.2161856213.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, PZgxeUcXE.exe, 0000000F.00000002.3354443541.0000000000435000.00000040.00000400.00020000.00000000.sdmp	false		high
http://crl.micro	PZgxeUcXE.exe, 0000000F.00000002.3366937334.0000000006B66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/t	OHScaqAPjt.exe, 00000009.00000002.3358108714.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, PZgxeUcXE.exe, 0000000F.00000002.3357331249.0000000003271000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	OHScaqAPjt.exe, 00000000.00000002.2160350490.0000000002CD5000.00000004.00000800.00020000.00000000.sdmp, OHScaqAPjt.exe, 00000009.00000002.3358108714.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, PZgxeUcXE.exe, 0000000A.00000002.2237847657.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, PZgxeUcXE.exe, 0000000F.00000002.3357331249.0000000003271000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.iaa-airferight.com	OHScaqAPjt.exe, 00000009.00000002.3358108714.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp, PZgxeUcXE.exe, 0000000F.00000002.3357331249.00000000032EC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/DataSet1.xsd	OHScaqAPjt.exe, PZgxeUcXE.exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.175.148.58	mail.iaa-airferight.com	Ukraine		56394	ASLAGIDKOM-NETUA	false
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569266
Start date and time:	2024-12-05 17:01:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	OHScaqAPjt.exe renamed because original name is a hash value
Original Sample Name:	5da381b368562b2c5d9fce29e229c640ea428b3d4519562613f987235bc611b8.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/15@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 171 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: OHScaqAPjt.exe

Simulations

Behavior and APIs

Time	Type	Description
11:03:01	API Interceptor	177x Sleep call for process: OHScaqAPjt.exe modified
11:03:03	API Interceptor	31x Sleep call for process: powershell.exe modified
11:03:09	API Interceptor	171x Sleep call for process: PZgxeUcXE.exe modified
17:03:04	Task Scheduler	Run new task: PZgxeUcXE path: C:\Users\user\AppData\Roaming\PZgxeUcXE.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
46.175.148.58	RFQ ENQ186 OI REQUIRE RATE.exe	Get hash	malicious	AgentTesla	Browse
	v58HgfB8Af.exe	Get hash	malicious	AgentTesla	Browse
	l6F8Xgr0Ov.exe	Get hash	malicious	AgentTesla	Browse
	SPlVyHiGOz.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	2bOizaPPDC.exe	Get hash	malicious	AgentTesla	Browse
	McEdhqMMhs.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	55qIbHIAZi.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	tEEa6j67ss.exe	Get hash	malicious	AgentTesla	Browse
	RXvVlckUyt.exe	Get hash	malicious	AgentTesla	Browse
	LEVER STYLE SEP BUY ORDER & C248SH12.exe	Get hash	malicious	AgentTesla	Browse
172.67.74.152	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	api.ipify.org/
	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.iaa-airferight.com	RFQ ENQ186 OI REQUIRE RATE.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	v58HgfB8Af.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	l6F8Xgr0Ov.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SPlVyHiGOz.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	2bOizaPPDC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	McEdhqMMhs.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	55qIbHIAZi.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	tEEa6j67ss.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	RXvVlckUyt.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	LEVER STYLE SEP BUY ORDER & C248SH12.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
api.ipify.org	8JuGuaUaZP.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	lUy4SKlE6A.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	xFHqehx1tb.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	https://app.peony.ink/view/902b02a8-11f0-4e28-89b1-5318035c10eb	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.12.205
	7Gt3icFvQW.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	1AxSwjpyGp.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	FPBKcOFjEP.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	MerchantDetailedStatement_37063_04122024.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://click.pstmrk.it/3s/bmxn8t84vg.gherapilta.shop%2F/ySDk/28y5AQ/AQ/e82f1f59-f734-42be-affb-895d81855fb4/1/pD2JDTOBnb	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.12.205
	RFQ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASLAGIDKOM-NETUA	RFQ ENQ186 OI REQUIRE RATE.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	v58HgfB8Af.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	l6F8Xgr0Ov.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SPlVyHiGOz.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	2bOizaPPDC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	McEdhqMMhs.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	55qIbHIAZi.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	tEEa6j67ss.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	RXvVlckUyt.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	LEVER STYLE SEP BUY ORDER & C248SH12.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
CLOUDFLARENETUS	3D7sM44MQp.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	8JuGuaUaZP.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	lUy4SKlE6A.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	http://kitces.emlnk1.com	Get hash	malicious	Unknown	Browse	104.20.0.15
	https://vacilandoblog.wordpress.com/2015/04/22/a-tribute-to-my-mother-in-law-rest-in-peace-april-22-2015/	Get hash	malicious	Unknown	Browse	172.64.150.63
	DX7V71Ro7b.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	xFHqehx1tb.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	https://sendgb.com/Aw8gObHpGVR?utm_medium=dZJEAfc2MGnvjBD	Get hash	malicious	HTMLPhisher	Browse	104.21.80.92
	MOV-0903787857-(Jmulvey)MMS0%3A28.mp4.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://sendgb.com/dxukcl49bIj?utm_medium=mvC3BJ1YMhqe8zn	Get hash	malicious	HTMLPhisher	Browse	104.21.80.92

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	8JuGuaUaZP.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	lUy4SKlE6A.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	DX7V71Ro7b.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.74.152
	xFHqehx1tb.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	172.67.74.152
	9KpgpwwGDy.img	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	z43INF_20231205_A1B5C3.msi	Get hash	malicious	Unknown	Browse	172.67.74.152
	9V4TlKwcz3.exe	Get hash	malicious	ScreenConnect Tool	Browse	172.67.74.152
	uC70JKtV2B.exe	Get hash	malicious	ScreenConnect Tool	Browse	172.67.74.152
	cxYwMzCUCd.exe	Get hash	malicious	ScreenConnect Tool	Browse	172.67.74.152
	t4U6b6M0ZH.exe	Get hash	malicious	ScreenConnect Tool	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\OHScaqAPjt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PZgxeUcXE.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\PZgxeUcXE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380747059108785
Encrypted:	false
SSDEEP:	48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//8PUyus:lGLHxvIIwLgZ2KRHWLOug8s
MD5:	CAAF9E85F4215DFF27856092092AD361
SHA1:	F9CDD4D9D1C22BAE6BAAC86BFD85A82AA22D9CA9
SHA-256:	85B3FC09907CF6D617498E0051E9B0C07FB195ADB8478F46082ED71FB8722C04
SHA-512:	DFCA3A002C5C7522DF748DA2632E531AC24D669DFDEE96FF7E9E39B755415672AC608FB80C1CCC9EC059D1EC0E0B43D85BC7DE2FD8218D7CB2CEE26D0C287427
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2dbxhjlr.o2v.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2jm1xgbz.vdx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_44i3bfjv.sqj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hwsm5ok3.31r.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qj5hafjw.pbx.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uc0tqcgq.kb2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ue42h2m1.sc5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ydczs14v.u5d.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp9FAF.tmp

Download File

Process:	C:\Users\user\Desktop\OHScaqAPjt.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1582
Entropy (8bit):	5.106382961105342
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtz5xvn:cgergYrFdOFzOzN33ODOiDdKrsuTzvv
MD5:	3A7727BA273444DA1206937EC0710E52
SHA1:	FC591B3469B5B9C5A9B77642054BF5845D437A78
SHA-256:	6B77A4DD15F7344B3928AA861756EC50ADF888FC943F920E89C95CD59453B288
SHA-512:	43B4BE6F845BA5EFC3BECDE6740DDB831521217F5C4D6CAE8E16EA529DF458AA3EA181FDFF934249EDA37038B6CD7E8F6A961B4A64882EA82445DE39A2C14D23
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpBE05.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\PZgxeUcXE.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1582
Entropy (8bit):	5.106382961105342
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtz5xvn:cgergYrFdOFzOzN33ODOiDdKrsuTzvv
MD5:	3A7727BA273444DA1206937EC0710E52
SHA1:	FC591B3469B5B9C5A9B77642054BF5845D437A78
SHA-256:	6B77A4DD15F7344B3928AA861756EC50ADF888FC943F920E89C95CD59453B288
SHA-512:	43B4BE6F845BA5EFC3BECDE6740DDB831521217F5C4D6CAE8E16EA529DF458AA3EA181FDFF934249EDA37038B6CD7E8F6A961B4A64882EA82445DE39A2C14D23
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\PZgxeUcXE.exe

Download File

Process:	C:\Users\user\Desktop\OHScaqAPjt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	943104
Entropy (8bit):	7.4091439927512255
Encrypted:	false
SSDEEP:	12288:SHuE6IGxLuyNNf73TysKZndG0zygEQ9z51V63ObdUq77OASBZmKv6ywfIF:z5TysKZdjTFz51VuObOu7OA+fvVFF
MD5:	17536CC0E75198F811E580990A4F56EF
SHA1:	6CE2B12BDC00D37DDBEAED860EC518CA7A4EE9F7
SHA-256:	5DA381B368562B2C5D9FCE29E229C640EA428B3D4519562613F987235BC611B8
SHA-512:	643A023EB3B48E5D2DACF140F157794B25A1558E4401C467A264885AFD3C6F3F02B06DB45BEF8B202F3E723841FAAB0A651517C42D445F4F18E033919E1BAD89
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@.....................................O.......0...........................@...p............................................ ............... ..H............text....... ...................... ..`.rsrc...0...........................@..@.reloc...............b..............@..B........................H.......................U...4...........................................0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}....Z..}......}.....(.........0............{.....+..&...}.......0............{.....+..&...}....j.s....}......}.....(.........0............{.....+..&...}.......0............{.....+..&...}....".(.......0............{.....+..&...}.......0............{.....+..

C:\Users\user\AppData\Roaming\PZgxeUcXE.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\OHScaqAPjt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.4091439927512255
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	OHScaqAPjt.exe
File size:	943'104 bytes
MD5:	17536cc0e75198f811e580990a4f56ef
SHA1:	6ce2b12bdc00d37ddbeaed860ec518ca7a4ee9f7
SHA256:	5da381b368562b2c5d9fce29e229c640ea428b3d4519562613f987235bc611b8
SHA512:	643a023eb3b48e5d2dacf140f157794b25a1558e4401c467a264885afd3c6f3f02b06db45bef8b202f3e723841faab0a651517c42d445f4f18e033919e1bad89
SSDEEP:	12288:SHuE6IGxLuyNNf73TysKZndG0zygEQ9z51V63ObdUq77OASBZmKv6ywfIF:z5TysKZdjTFz51VuObOu7OA+fvVFF
TLSH:	61151403692C89B2EE75633D002089F492F41D9C5599F2164BF8BDBEF83D6215D1FA2E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	2946e68e96b3ca4d

Static PE Info

General

Entrypoint:	0x4bc6d6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF1F7D0D3 [Fri Aug 22 12:45:07 2098 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc681	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbe000	0x2b730	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb8a40	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xba6dc	0xba800	c5702b63c143a6872e06a54711eaa3bc	False	0.8734618486092494	data	7.656357735824942	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbe000	0x2b730	0x2b800	a2d3cdc0adf9702f5aac04bcb22ab819	False	0.2097027658045977	data	5.1321517758216055	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xea000	0xc	0x200	14ce96999f7954b7bc8e57907882aae3	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xbe2b0	0x3751	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9929383518113127
RT_ICON	0xc1a04	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.0891251626641429
RT_ICON	0xd222c	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.13335610678999368
RT_ICON	0xdb6d4	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.16816081330868762
RT_ICON	0xe0b5c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.15594000944733113
RT_ICON	0xe4d84	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.23392116182572614
RT_ICON	0xe732c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.274624765478424
RT_ICON	0xe83d4	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.41885245901639345
RT_ICON	0xe8d5c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.5
RT_GROUP_ICON	0xe91c4	0x84	data	0.7045454545454546
RT_VERSION	0xe9248	0x2fc	data	0.43455497382198954
RT_MANIFEST	0xe9544	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 17:03:04.696907997 CET	49708	443	192.168.2.5	172.67.74.152
Dec 5, 2024 17:03:04.696960926 CET	443	49708	172.67.74.152	192.168.2.5
Dec 5, 2024 17:03:04.697088957 CET	49708	443	192.168.2.5	172.67.74.152
Dec 5, 2024 17:03:04.725742102 CET	49708	443	192.168.2.5	172.67.74.152
Dec 5, 2024 17:03:04.725756884 CET	443	49708	172.67.74.152	192.168.2.5
Dec 5, 2024 17:03:05.944746971 CET	443	49708	172.67.74.152	192.168.2.5
Dec 5, 2024 17:03:05.944848061 CET	49708	443	192.168.2.5	172.67.74.152
Dec 5, 2024 17:03:05.948523045 CET	49708	443	192.168.2.5	172.67.74.152
Dec 5, 2024 17:03:05.948542118 CET	443	49708	172.67.74.152	192.168.2.5
Dec 5, 2024 17:03:05.948843956 CET	443	49708	172.67.74.152	192.168.2.5
Dec 5, 2024 17:03:06.052901983 CET	49708	443	192.168.2.5	172.67.74.152
Dec 5, 2024 17:03:06.099339962 CET	443	49708	172.67.74.152	192.168.2.5
Dec 5, 2024 17:03:06.404412985 CET	443	49708	172.67.74.152	192.168.2.5
Dec 5, 2024 17:03:06.404486895 CET	443	49708	172.67.74.152	192.168.2.5
Dec 5, 2024 17:03:06.404759884 CET	49708	443	192.168.2.5	172.67.74.152
Dec 5, 2024 17:03:06.410366058 CET	49708	443	192.168.2.5	172.67.74.152
Dec 5, 2024 17:03:07.328659058 CET	49710	25	192.168.2.5	46.175.148.58
Dec 5, 2024 17:03:08.355142117 CET	49710	25	192.168.2.5	46.175.148.58
Dec 5, 2024 17:03:10.370773077 CET	49710	25	192.168.2.5	46.175.148.58
Dec 5, 2024 17:03:11.810353041 CET	49711	443	192.168.2.5	172.67.74.152
Dec 5, 2024 17:03:11.810401917 CET	443	49711	172.67.74.152	192.168.2.5
Dec 5, 2024 17:03:11.810491085 CET	49711	443	192.168.2.5	172.67.74.152
Dec 5, 2024 17:03:11.814030886 CET	49711	443	192.168.2.5	172.67.74.152
Dec 5, 2024 17:03:11.814049006 CET	443	49711	172.67.74.152	192.168.2.5
Dec 5, 2024 17:03:13.026391029 CET	443	49711	172.67.74.152	192.168.2.5
Dec 5, 2024 17:03:13.026480913 CET	49711	443	192.168.2.5	172.67.74.152
Dec 5, 2024 17:03:13.028181076 CET	49711	443	192.168.2.5	172.67.74.152
Dec 5, 2024 17:03:13.028192043 CET	443	49711	172.67.74.152	192.168.2.5
Dec 5, 2024 17:03:13.028431892 CET	443	49711	172.67.74.152	192.168.2.5
Dec 5, 2024 17:03:13.073899031 CET	49711	443	192.168.2.5	172.67.74.152
Dec 5, 2024 17:03:13.122505903 CET	49711	443	192.168.2.5	172.67.74.152
Dec 5, 2024 17:03:13.167329073 CET	443	49711	172.67.74.152	192.168.2.5
Dec 5, 2024 17:03:13.474339008 CET	443	49711	172.67.74.152	192.168.2.5
Dec 5, 2024 17:03:13.474406958 CET	443	49711	172.67.74.152	192.168.2.5
Dec 5, 2024 17:03:13.474670887 CET	49711	443	192.168.2.5	172.67.74.152
Dec 5, 2024 17:03:13.477233887 CET	49711	443	192.168.2.5	172.67.74.152
Dec 5, 2024 17:03:13.950073004 CET	49713	25	192.168.2.5	46.175.148.58
Dec 5, 2024 17:03:14.370773077 CET	49710	25	192.168.2.5	46.175.148.58
Dec 5, 2024 17:03:14.964618921 CET	49713	25	192.168.2.5	46.175.148.58
Dec 5, 2024 17:03:16.964529037 CET	49713	25	192.168.2.5	46.175.148.58
Dec 5, 2024 17:03:20.964535952 CET	49713	25	192.168.2.5	46.175.148.58
Dec 5, 2024 17:03:22.370784998 CET	49710	25	192.168.2.5	46.175.148.58
Dec 5, 2024 17:03:28.966506958 CET	49713	25	192.168.2.5	46.175.148.58

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 17:03:04.548903942 CET	60773	53	192.168.2.5	1.1.1.1
Dec 5, 2024 17:03:04.687731028 CET	53	60773	1.1.1.1	192.168.2.5
Dec 5, 2024 17:03:07.022447109 CET	58983	53	192.168.2.5	1.1.1.1
Dec 5, 2024 17:03:07.327903986 CET	53	58983	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 5, 2024 17:03:04.548903942 CET	192.168.2.5	1.1.1.1	0xbb8b	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 5, 2024 17:03:07.022447109 CET	192.168.2.5	1.1.1.1	0x798	Standard query (0)	mail.iaa-airferight.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 5, 2024 17:03:04.687731028 CET	1.1.1.1	192.168.2.5	0xbb8b	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 5, 2024 17:03:04.687731028 CET	1.1.1.1	192.168.2.5	0xbb8b	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 5, 2024 17:03:04.687731028 CET	1.1.1.1	192.168.2.5	0xbb8b	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 5, 2024 17:03:07.327903986 CET	1.1.1.1	192.168.2.5	0x798	No error (0)	mail.iaa-airferight.com	46.175.148.58	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	172.67.74.152	443	6576	C:\Users\user\Desktop\OHScaqAPjt.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 16:03:06 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-05 16:03:06 UTC	424	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 16:03:06 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ed543abde8f5e7c-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1838&min_rtt=1773&rtt_var=795&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1272885&cwnd=190&unsent_bytes=0&cid=96c911f8b9103689&ts=473&x=0"
2024-12-05 16:03:06 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	172.67.74.152	443	7520	C:\Users\user\AppData\Roaming\PZgxeUcXE.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 16:03:13 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-05 16:03:13 UTC	424	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 16:03:13 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ed543d82e4f423b-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2294&min_rtt=2269&rtt_var=869&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1286910&cwnd=220&unsent_bytes=0&cid=100d018390abf6aa&ts=452&x=0"
2024-12-05 16:03:13 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

Target ID:	0
Start time:	11:02:56
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\OHScaqAPjt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\OHScaqAPjt.exe"
Imagebase:	0x820000
File size:	943'104 bytes
MD5 hash:	17536CC0E75198F811E580990A4F56EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2172098106.0000000005750000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2161856213.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2161856213.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2161856213.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:03:02
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OHScaqAPjt.exe"
Imagebase:	0xc10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:03:02
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:03:02
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PZgxeUcXE.exe"
Imagebase:	0xc10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:03:02
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:03:02
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmp9FAF.tmp"
Imagebase:	0xe00000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:03:02
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:03:02
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\OHScaqAPjt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\OHScaqAPjt.exe"
Imagebase:	0x810000
File size:	943'104 bytes
MD5 hash:	17536CC0E75198F811E580990A4F56EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3358108714.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3358108714.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3358108714.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	11:03:04
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Roaming\PZgxeUcXE.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\PZgxeUcXE.exe
Imagebase:	0xb00000
File size:	943'104 bytes
MD5 hash:	17536CC0E75198F811E580990A4F56EF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:03:04
Start date:	05/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:03:10
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgxeUcXE" /XML "C:\Users\user\AppData\Local\Temp\tmpBE05.tmp"
Imagebase:	0xe00000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:03:10
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:03:10
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Roaming\PZgxeUcXE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\PZgxeUcXE.exe"
Imagebase:	0x2e0000
File size:	943'104 bytes
MD5 hash:	17536CC0E75198F811E580990A4F56EF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:03:10
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Roaming\PZgxeUcXE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\PZgxeUcXE.exe"
Imagebase:	0xe10000
File size:	943'104 bytes
MD5 hash:	17536CC0E75198F811E580990A4F56EF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3357331249.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3354443541.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3354443541.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3357331249.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3357331249.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	95.8%
Signature Coverage:	1.2%
Total number of Nodes:	260
Total number of Limit Nodes:	18

Executed Functions

Function 074374A0 Relevance: 7.3, Strings: 5, Instructions: 1001
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'eq, xrefs: 0743808A
piq, xrefs: 0743815F
TJjq, xrefs: 07437643
xbhq, xrefs: 074375D0
Teeq, xrefs: 07437CEE

Memory Dump Source

Source File: 00000000.00000002.2173195983.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: 4'eq$TJjq$Teeq$piq$xbhq
API String ID: 0-2068930973
Opcode ID: 4bf51b94883a143c08dc3dfd9bc8cd3fbb3961e089a46e9edc1e116ef09354d6
Instruction ID: 9c5385af91a06dc7464929f6d8cc18d742c1c950404feaac686f9414f26a03cf
Opcode Fuzzy Hash: 4bf51b94883a143c08dc3dfd9bc8cd3fbb3961e089a46e9edc1e116ef09354d6
Instruction Fuzzy Hash: A0B2C5B5D00228CFDB65CF69C984AD9BBB2BF89304F1581E9E50DA7265DB319E81CF40

Function 07E79E78 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4345f0d304a3d6bb5bfc7999a0814126233b282bbd81496bcec5ec8d89547ab7
Instruction ID: ae39d01c8c4ee6afa5a2bdf71c33ff9cb2cc4659d12de0d0fc76acfc85d52549
Opcode Fuzzy Hash: 4345f0d304a3d6bb5bfc7999a0814126233b282bbd81496bcec5ec8d89547ab7
Instruction Fuzzy Hash: 6D32BDB0B022059FDB19DF79D454BAEBBF6AF88308F148469E1069B3A1CB35ED41CB51

Function 011DD4D8 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160097967.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629732c88e0d41d6880f81c1ac81edb207164cabf3c363183b9c15539912fcf1
Instruction ID: a9e205e2543bbf3ea688611a92e4d85df1724d0de122e7568e344c9c7e146910
Opcode Fuzzy Hash: 629732c88e0d41d6880f81c1ac81edb207164cabf3c363183b9c15539912fcf1
Instruction Fuzzy Hash: 7AC1C171A007068FDB18DF69D944BAEBBF6FF88304F148469E506AB3A1DB349D46CB50

Function 0743A370 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173195983.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070b9949f79c61e182252c3d85a20af53f156185cd5557f212300497bef87c09
Instruction ID: 09470661a576f1451dcffc00ac64dd90a64d591c7edcf0a67e469ab76f04f818
Opcode Fuzzy Hash: 070b9949f79c61e182252c3d85a20af53f156185cd5557f212300497bef87c09
Instruction Fuzzy Hash: 39D107B0E44228CFEB64DFA5C8487DEBBB1FB49304F1081AAE45DA7241D7781A86CF51

Function 0743A380 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173195983.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6cd5ddf594f7d03e800e7892f90c9741320592f81871cb4e4c51174e26f7d85
Instruction ID: 55f14fc775e779f69b5aec414e67624a75383cf8ebcd9d48ec8fcdb6473a3511
Opcode Fuzzy Hash: a6cd5ddf594f7d03e800e7892f90c9741320592f81871cb4e4c51174e26f7d85
Instruction Fuzzy Hash: 0FD108B0E44228CFEB64DFA5C8487DEBBB1FB89304F1091AAE45DA7241D7741A86CF51

Function 0743EBD8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173195983.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf2ba4de83cb2638a21b158ac50fe4af9037ec6f802741b1635bcf33fbad2b9
Instruction ID: 7a0dc8485f07e2d85f6823d82b79905bd18969e0ab6b2a24e1a41cefa471e2ad
Opcode Fuzzy Hash: 6bf2ba4de83cb2638a21b158ac50fe4af9037ec6f802741b1635bcf33fbad2b9
Instruction Fuzzy Hash: B32113B0D156189BEB18CFABC9457EEFAF6AFC9300F14C02AD40C66264DB74194A8F90

Function 0743EBE8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173195983.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6174b7f13fd308cdf642492adf68cc33fb03ce709da472e9a2eca9d7472e4c9
Instruction ID: 696b5c2f15be038e9bab218cc08a31572765130682b11545eb803400c6037396
Opcode Fuzzy Hash: c6174b7f13fd308cdf642492adf68cc33fb03ce709da472e9a2eca9d7472e4c9
Instruction Fuzzy Hash: E221C6B0D156188BEB18CF9BC9457EEFAF6AFCD300F14C02AD50D66264DB74094A8F90

Function 07E74A84 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07E74CC6

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0c28db9976f3d95ddb787089153d3f0bddcba5b824efed88185cc726c0615057
Instruction ID: fde2b5a7d93bd515a8de2f6ebab77e70d40e538564c412a036ad4934f0bc3121
Opcode Fuzzy Hash: 0c28db9976f3d95ddb787089153d3f0bddcba5b824efed88185cc726c0615057
Instruction Fuzzy Hash: 1FA16BB1D0165ACFDB20CFA8C881BEDBBB2FF49314F148169D818A7290DB749985CF91

Function 07E74A90 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07E74CC6

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f8005520471ff71199146c3ad6b26817b9e9eed10df358dfca1e71b1a45f0146
Instruction ID: 5a1acd93e288233e3621e4486f4fef3f0f0c293bee87e30dd684afec59618557
Opcode Fuzzy Hash: f8005520471ff71199146c3ad6b26817b9e9eed10df358dfca1e71b1a45f0146
Instruction Fuzzy Hash: 72916CB1D0165ACFDB24CFA8C880BEDBBB2FF49314F148169D858A7290DB749985CF91

Function 011DAE38 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011DB09E

Memory Dump Source

Source File: 00000000.00000002.2160097967.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_OHScaqAPjt.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 119feee119eccd2e3fb08d04e84291b9addb203775bd98e060b69f9f692b1b0c
Instruction ID: 7d30d7a108d45930cf9dafb12b27df88e20253713fe38ab4d3ca3f76d70cf9ef
Opcode Fuzzy Hash: 119feee119eccd2e3fb08d04e84291b9addb203775bd98e060b69f9f692b1b0c
Instruction Fuzzy Hash: EA8166B0A00B058FE728DF29D44475ABBF1FF88304F008A6DE49AD7A80D774E945CB95

Function 011D44D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011D59C9

Memory Dump Source

Source File: 00000000.00000002.2160097967.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_OHScaqAPjt.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4bd4c2026eac89650822615bd32e8fd7f9fd2017fe03d3b4adad943cdbc41a6f
Instruction ID: b8289ff36fe2e3b0d2d1606c46164de1db9d752be2457d8d3bada6bf6d74be4f
Opcode Fuzzy Hash: 4bd4c2026eac89650822615bd32e8fd7f9fd2017fe03d3b4adad943cdbc41a6f
Instruction Fuzzy Hash: 8C41E2B0C0071DCBDB28CFA9C884B9DBBF6BF49304F60816AD508AB251DB756949CF91

Function 011D590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011D59C9

Memory Dump Source

Source File: 00000000.00000002.2160097967.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_OHScaqAPjt.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c2fd6fe98265cc52836336ce5ee4585c59f140c12b4b08e06985b0ee88569cbb
Instruction ID: 2fd43ea43c482124426ad43dcb475ec51fee97a0ac745ba84f5b308321debc7d
Opcode Fuzzy Hash: c2fd6fe98265cc52836336ce5ee4585c59f140c12b4b08e06985b0ee88569cbb
Instruction Fuzzy Hash: 4341DFB4C00719CFDB28CFA9C984B9DBBF2BF49304F24816AD408AB251DB756949CF50

Function 07E74801 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07E74898

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1e94fa5ea87469189115d2762b2051980bf43bfd0d9948765346ccfd29baa4e2
Instruction ID: 37c9ede2653e4a5800cb611e0c3260c8f734d172435a9dc8a00402ce79e377ad
Opcode Fuzzy Hash: 1e94fa5ea87469189115d2762b2051980bf43bfd0d9948765346ccfd29baa4e2
Instruction Fuzzy Hash: EE214BB59003599FDB10CFA9C9857DEBBF5FF48320F10882AE918A7280C7749544CBA4

Function 07430C19 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 07430CB7

Memory Dump Source

Source File: 00000000.00000002.2173195983.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_OHScaqAPjt.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 0680fa2722619927ac5efe803fe22c9a72e34425547be3543dd1e72a277f1fd3
Instruction ID: aafefb98a21a7726df9005c9fc7758d08e9ab066d4529dadcfc0e8f549ccfc46
Opcode Fuzzy Hash: 0680fa2722619927ac5efe803fe22c9a72e34425547be3543dd1e72a277f1fd3
Instruction Fuzzy Hash: 6231E2B590024A9FDB14CF99D884ADEFBF5EB48320F14852AE819A7350C374A544CFA0

Function 07E74808 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07E74898

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: da69ab4f0590df5ea322782776f275513a31c9b640a219e37a9db0f37dc237db
Instruction ID: b30818c161deac038c0174fcc53f5687caac5d718cac2dde876e368a4aefc973
Opcode Fuzzy Hash: da69ab4f0590df5ea322782776f275513a31c9b640a219e37a9db0f37dc237db
Instruction Fuzzy Hash: E3212AB190035D9FDB10CFA9C985BDEBBF5FF49310F10842AE919A7241D7749944DBA0

Function 07430C20 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 07430CB7

Memory Dump Source

Source File: 00000000.00000002.2173195983.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_OHScaqAPjt.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 59c42dc640f6bad2236c2ff954ee047d3c88e1b8387561c795fe6255f592df2d
Instruction ID: 93b60a49f46bd7a1dce07b4e193704926de32c60c46280780bf6bdcd425cd5b7
Opcode Fuzzy Hash: 59c42dc640f6bad2236c2ff954ee047d3c88e1b8387561c795fe6255f592df2d
Instruction Fuzzy Hash: CC21EEB590024A9FDB10CF9AD884ADEFBF5EB48320F14842AE819A7310C375A944CFA0

Function 07E748F1 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07E74978

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2e9f21be845da796392ba7ca28a7e9cf9bbd76754b3cc79cfec764ddf3dc086e
Instruction ID: 870e0636ab1500c71cce6faef8c8cc311878a2e1a7f12a00078fbfd50c228356
Opcode Fuzzy Hash: 2e9f21be845da796392ba7ca28a7e9cf9bbd76754b3cc79cfec764ddf3dc086e
Instruction Fuzzy Hash: B5215EB1C003599FCB10CFA9C881ADEFBF5FF48320F50842AE518A7250C7349540DBA5

Function 011DBBC0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011DD6F6,?,?,?,?,?), ref: 011DD7B7

Memory Dump Source

Source File: 00000000.00000002.2160097967.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_OHScaqAPjt.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5bbe98829fea73a413df9682936a34c978af1a6c0715874a6b3d694b3c53a33a
Instruction ID: 0de66eb5c5bbde597722ad68ac63fedd6bb181c779f5530894a0d07bc9f5bcf7
Opcode Fuzzy Hash: 5bbe98829fea73a413df9682936a34c978af1a6c0715874a6b3d694b3c53a33a
Instruction Fuzzy Hash: 8A2114B5900248EFDB10CF9AD984ADEBFF8EB48320F14845AE918B7350C374A940CFA4

Function 07E74230 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07E742B6

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 490ed253cd556ba22eafac71f1388694f27a460936a808b38fd1e161090eeb02
Instruction ID: 2a01a59cd6b3d6cc6d2776998db90d28ad11529016a69d33b43ef8f15beb2a7c
Opcode Fuzzy Hash: 490ed253cd556ba22eafac71f1388694f27a460936a808b38fd1e161090eeb02
Instruction Fuzzy Hash: AE2168B5D002498FDB10CFAAC5847EEBFF5EF49324F54842AD519A7241CB789944CFA0

Function 07E74238 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07E742B6

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8f437027db00466bfc1e9b696cd4e7ea1f227bc61e61b967006badbea66aaf4c
Instruction ID: 2df5884a4d8dfc121d6b9595f56f31c0e117c5a99b0230feee1bfffa19c66b7a
Opcode Fuzzy Hash: 8f437027db00466bfc1e9b696cd4e7ea1f227bc61e61b967006badbea66aaf4c
Instruction Fuzzy Hash: 4F2138B1D003498FDB10DFAAC4857AEBBF4EF49324F54842AD419A7241DB789944CFA0

Function 07E748F8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07E74978

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 442dee7b6c957d6026a79bcf0a8115e3f4dc93a29055e63370d216ad77f2dbc5
Instruction ID: 1ffa2ba327c0e96284a98e0a26784af972f043527984080740829fab2e82004e
Opcode Fuzzy Hash: 442dee7b6c957d6026a79bcf0a8115e3f4dc93a29055e63370d216ad77f2dbc5
Instruction Fuzzy Hash: E12139B1C003599FCB10CFAAC885AEEFBF5FF48320F50842AE519A7250C7399944DBA0

Function 011DD728 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011DD6F6,?,?,?,?,?), ref: 011DD7B7

Memory Dump Source

Source File: 00000000.00000002.2160097967.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_OHScaqAPjt.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b233b5d264f8cdafa0b6a5b645451974af4c0d6aea45991841c15d86d72d6554
Instruction ID: d1756d58e244ef5019d6d685177a1f933c096fe3c715687853b1288e27b16244
Opcode Fuzzy Hash: b233b5d264f8cdafa0b6a5b645451974af4c0d6aea45991841c15d86d72d6554
Instruction Fuzzy Hash: A621E3B59002499FDB10CF99D984ADEBBF5FB48314F15845AE918A7350D374A944CF60

Function 07E78DC0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7001b07aa4750810e441c81e39a3aec8c249c8bcd4e017f516a8de19faa94b3c
Instruction ID: 518992134f023a9484b3bbc6a91bd7ce4d245c25e51e23a9cdd918eec62bc325
Opcode Fuzzy Hash: 7001b07aa4750810e441c81e39a3aec8c249c8bcd4e017f516a8de19faa94b3c
Instruction Fuzzy Hash: A721E1B29062298FDB24DBA9D9487EEBBF5AF64314F148459C545F7280CB396D80CBA0

Function 07E74740 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07E747B6

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: de9829184503cdbce208c1b6f5f6dbe57ce846520c5944702a5b6a4d10406829
Instruction ID: 63785170505a988dd8574561c951811343ca124b399a7849b1ef220dce33acbb
Opcode Fuzzy Hash: de9829184503cdbce208c1b6f5f6dbe57ce846520c5944702a5b6a4d10406829
Instruction Fuzzy Hash: 80117C76D002899FCB10CFA9C944ADEBFF5EF49324F148419D919A7250CB759544DFA0

Function 07E74748 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07E747B6

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7a382d5235c93e511ce5e748b539e4694034d7c66bba6204a757eadce22c9972
Instruction ID: e64d3e7649e6c22488b6ef92b45a1a66f5b7cf960d16828897e1541f260ebe59
Opcode Fuzzy Hash: 7a382d5235c93e511ce5e748b539e4694034d7c66bba6204a757eadce22c9972
Instruction Fuzzy Hash: 631179728002499FCB10DFAAC844ADFBFF9EF89320F148819E519A7250CB35A940CFA0

Function 07E74181 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07E741EA

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 39af48ef40ea522a11b233bcd41fb01b8808ef8ece1b785f4bf3b159b51ca611
Instruction ID: 06922f50aca224280d28e14f5263f168685ea515a104f9634c02ed4e00377bb9
Opcode Fuzzy Hash: 39af48ef40ea522a11b233bcd41fb01b8808ef8ece1b785f4bf3b159b51ca611
Instruction Fuzzy Hash: FA115BB59003498FDB20DFAAD8457DEFBF4EF89324F248419D429A7280CB756544CBA5

Function 07E74188 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07E741EA

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8b55674a3507118c0155cfd33af200e4f276c0bcf6fb58919114f851ad228432
Instruction ID: a428609dedd2d7698f7d87e8364b5a3be8ef7bf742c862c1f798f9b4c3eedf74
Opcode Fuzzy Hash: 8b55674a3507118c0155cfd33af200e4f276c0bcf6fb58919114f851ad228432
Instruction Fuzzy Hash: 82113AB5D003498FDB20DFAAD84579EFBF8EF89324F248419D519A7240CB756944CBA4

Function 011DB038 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011DB09E

Memory Dump Source

Source File: 00000000.00000002.2160097967.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_OHScaqAPjt.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7e2fd726c26550b4be59f97d0f37caf5c5741a8d34a60f6d5efb923be47eb82b
Instruction ID: 2472050f0bd18c2d13c3b09ac3ec2a2538e9eb5a2d86dfe287dc750479a76256
Opcode Fuzzy Hash: 7e2fd726c26550b4be59f97d0f37caf5c5741a8d34a60f6d5efb923be47eb82b
Instruction Fuzzy Hash: 7E110FB6C002498FDB24CF9AC844A9EFBF4EB89324F10841AD929A7200D379A545CFA5

Function 07E78D28 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07E78D8D

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3f897e158b64ca66d754988353b94f941e57daabdc04d5c095fe41bdce9c94ef
Instruction ID: dacd96940892a9198a1cbd562b84442413dd93870ff70c95b27bd48677125350
Opcode Fuzzy Hash: 3f897e158b64ca66d754988353b94f941e57daabdc04d5c095fe41bdce9c94ef
Instruction Fuzzy Hash: 31110AB58003499FDB20DF9AD889BDEFBF8EB58320F108519D524A7640C375A944CFA1

Function 07E73134 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07E78D8D

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5bd75704d04430082ad5e43eff3b1596e236c20412ff173c21572a39b536bf64
Instruction ID: 184fda121c231161b7149b0fd3dab9b275690d037268ce2cb5621caed418f9b8
Opcode Fuzzy Hash: 5bd75704d04430082ad5e43eff3b1596e236c20412ff173c21572a39b536bf64
Instruction Fuzzy Hash: 5F1106B5801349DFCB10DF9AC989BDEBBF8EB58320F108459E518A7600C375A944CFA5

Function 00EED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159296127.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eed000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5b08422b039d04b8fc5e138025357b2f592260d121214a20139be364e41896
Instruction ID: 4429155d54b31b20a82fb25d0bdad91d9e7f3dd2525cfee71792ed98c92edb2c
Opcode Fuzzy Hash: cf5b08422b039d04b8fc5e138025357b2f592260d121214a20139be364e41896
Instruction Fuzzy Hash: 5A216A71108288DFCB01DF04DDC0B16BF65FBA8324F20C56CE8095B28AC336E816C7A2

Function 00F0D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159421527.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0d000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e925596b220839b4d75fe1bcc308466a75aff52a34d29bf8e808ad80e6e08382
Instruction ID: 5f8302427b4e4f9135fbc53b953fc2b91318b4fd6166a5efe107237456669533
Opcode Fuzzy Hash: e925596b220839b4d75fe1bcc308466a75aff52a34d29bf8e808ad80e6e08382
Instruction Fuzzy Hash: 79212671904304EFDB05DF94D9C0B26BBA5FB88324F24C96DE8094B2D6C33AD806EA61

Function 00F0D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159421527.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0d000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306187569f7cad9192f69e452667f631978d45445f6b5e67032073dc7e56909c
Instruction ID: 72e10be67f1676629d519f053a993eafe643f0a4466201431729c18e84809e9c
Opcode Fuzzy Hash: 306187569f7cad9192f69e452667f631978d45445f6b5e67032073dc7e56909c
Instruction Fuzzy Hash: 46210476604200DFDB15DF54D9C4B26BB65FB88324F24C96DD80E4B28AC33BD807EA62

Function 00F0D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159421527.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0d000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ef284407e3d481e15d79cb7b0e53cef32d94cd8a4bf519fc78f3e5d38e81c9
Instruction ID: 67b88f0ca31a91501acd77cc5712d4e46ebab9a61791edf446d4ac77fb4c6667
Opcode Fuzzy Hash: c6ef284407e3d481e15d79cb7b0e53cef32d94cd8a4bf519fc78f3e5d38e81c9
Instruction Fuzzy Hash: D3218E755093808FCB02CF24D994715BF71EB46324F28C5EAD8498B6A7C33A980ADB62

Function 00EED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159296127.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eed000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: f1b1ba54512cc6ae6a225f7b169ef77fd25da10ae8dbbdce98a461b21c9c2bb9
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: D4112676404284CFCB12CF00D9C4B16BF71FBA4324F24C2A9D8091B256C33AE85ACBA1

Function 00F0D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159421527.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0d000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 220e6cfd2a83e522874b8c060c47f9fafa3ba9ded99eb9cd5873e37f05b043aa
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: 1B11DD75904280DFCB16CF54C9C4B15FBB1FB84324F24C6ADD8494B696C33AD80AEB61

Function 00EED745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159296127.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eed000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1cbcfc9e80233109596cab265e70fdf063c093637b922b9b627ba9382e0aa78
Instruction ID: 3c5d93191b9ac9bf098b112fa746fd6525691919d6e0ff79a1d24a205ce37656
Opcode Fuzzy Hash: d1cbcfc9e80233109596cab265e70fdf063c093637b922b9b627ba9382e0aa78
Instruction Fuzzy Hash: D0012B7100C3889AE7108F16CDC4BA6BF98DF41374F18D51BFD091A286D2399840C6B1

Function 00EED744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159296127.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eed000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59ca9129d44ff765df43de58a6e51c5df5ed03f7167308d78b875ac1b7939be
Instruction ID: 00233dcaf4a1c9e7764294820aef0cb154a2a3a83c174b7aed2bf0ae90ee818b
Opcode Fuzzy Hash: c59ca9129d44ff765df43de58a6e51c5df5ed03f7167308d78b875ac1b7939be
Instruction Fuzzy Hash: E6F062724093849AE7108F16CD88B62FF98EB91778F18C45AFD485A286C2799844CAB1

Non-executed Functions

Function 07437492 Relevance: 4.0, Strings: 3, Instructions: 247COMMON

Download Yara Rule

Strings

TJjq, xrefs: 07437643
xbhq, xrefs: 074375D0
Teeq, xrefs: 07437CEE

Memory Dump Source

Source File: 00000000.00000002.2173195983.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: TJjq$Teeq$xbhq
API String ID: 0-642506051
Opcode ID: ccfee6cbc32371d094ed8382649fbb8c974dd12856991b6fba001ebca1aec795
Instruction ID: 1510c5e3bacd4b8121243d3e7194b004585ab92255c5ebb782c08df0f4af7a25
Opcode Fuzzy Hash: ccfee6cbc32371d094ed8382649fbb8c974dd12856991b6fba001ebca1aec795
Instruction Fuzzy Hash: 5EB1A0B5E006588FDB59DF6AD9846DDBBF2AF89301F14C0AAD809AB354DB305E858F40

Function 07437160 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

4'eq, xrefs: 07437242

Memory Dump Source

Source File: 00000000.00000002.2173195983.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: 4'eq
API String ID: 0-1552367303
Opcode ID: 045ce80f7a5c5345652640c0f7b7bf6f1c00411138c0d1877f57918d87a7311a
Instruction ID: db05c62e718cde8c7a16c10daa1d8d1eb5d1ad1268abaae87650094a78d22ffe
Opcode Fuzzy Hash: 045ce80f7a5c5345652640c0f7b7bf6f1c00411138c0d1877f57918d87a7311a
Instruction Fuzzy Hash: E9613EB1A046498FD70AEF7AE94579E7FF2FF88300F14C529E015E72A9EB305A458B50

Function 07437170 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4'eq, xrefs: 07437242

Memory Dump Source

Source File: 00000000.00000002.2173195983.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: 4'eq
API String ID: 0-1552367303
Opcode ID: 9375495c5522435bd26fa0fb7e276d34ad6d9fdec97f82e584c82c435ad3f551
Instruction ID: 5285037253a7d1f84c7bcef91da994f81452e091b7cf8382eace5107cf0fabd5
Opcode Fuzzy Hash: 9375495c5522435bd26fa0fb7e276d34ad6d9fdec97f82e584c82c435ad3f551
Instruction Fuzzy Hash: 63612FB0A046498FD70AEF7AE94569E7FF2FF88300F14C529E014E72A9EB301A458B50

Function 07E71D28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7842723aa2a84b2b76a1092741af4239a914fd58b7d6425db7c9ca1228b3e0de
Instruction ID: 434917121f19a86e862c9ec5940c2921bd7e8328b77df3bb91ff80a989cc563e
Opcode Fuzzy Hash: 7842723aa2a84b2b76a1092741af4239a914fd58b7d6425db7c9ca1228b3e0de
Instruction Fuzzy Hash: 1EE1F7B4E012198FCB14DFA9C580AAEFBB2FF89304F249169D514AB355D735AD81CFA0

Function 07E74310 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66643628ca09cc59bab340fde1127af2a0e673200f0781115ab6799214d8a4d3
Instruction ID: 871810ed649acda9daa37b1c0961f13aca9499e1813a45dee39277f59f98debc
Opcode Fuzzy Hash: 66643628ca09cc59bab340fde1127af2a0e673200f0781115ab6799214d8a4d3
Instruction Fuzzy Hash: FDE1F6B4E011598FCB14DFA9C580AAEFBF2BF89304F249169D814AB355D735AE81CF60

Function 07E72160 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a765a988fc091b5f44ea92e338060ced433bda16145fcc254e6c768c2226e7dd
Instruction ID: a7fe07080c045c9eedd9b557d791e6db5d18c6318f945e24f6cc28ef787db2a5
Opcode Fuzzy Hash: a765a988fc091b5f44ea92e338060ced433bda16145fcc254e6c768c2226e7dd
Instruction Fuzzy Hash: 1BE118B4E011198FCB14DFA8C580AAEFBB6FF89304F249169D514AB356D735AE81CF60

Function 07E73960 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcdec5424a6e442647ac71cc6c87f93725c314f113c5ab1bd38eabca69f48933
Instruction ID: 1f9ba9e8223faf8dfc57f3c5bf26c74b34bf7ca85c62b2de7011060bb50182d7
Opcode Fuzzy Hash: fcdec5424a6e442647ac71cc6c87f93725c314f113c5ab1bd38eabca69f48933
Instruction Fuzzy Hash: 91E117B4E051598FCB14DFA8C580AAEFBB2FF89304F249169D414AB359D735AE81CF60

Function 07E718F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc048af2970d5769028c56b727e5f356fb255d487fd369fcf638bf470fe0bc41
Instruction ID: 5c405d03976e59d2f7360462d0e0365f9ef57ad12d57c5c735dd27ecfd6b2a4e
Opcode Fuzzy Hash: bc048af2970d5769028c56b727e5f356fb255d487fd369fcf638bf470fe0bc41
Instruction Fuzzy Hash: E1E1F6B4E012198FCB14DFA9C580AAEFBB2FF89305F249169D414AB355D735AE81CF60

Function 011DD4A4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160097967.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09eaef1fe8421abdd1672cd433cee30de527a1f648c41c817ed83e8f0479e59
Instruction ID: c9b84af30589eb7991228a24367d71f2050e67701ae811e3d2785feefd1a118b
Opcode Fuzzy Hash: c09eaef1fe8421abdd1672cd433cee30de527a1f648c41c817ed83e8f0479e59
Instruction Fuzzy Hash: FFA17132E006178FCF09DFB4D84059EBBB2FF85304B15856AE906AB265DB71EA57CB40

Function 07E71D18 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe638e67be54b8c0c69778b26222620de192b92a960c0dd970e3332ddc27b209
Instruction ID: d47f54891ad6e967ca6106ed22d60a8b9c345bb44a149a815b5a11979a09565c
Opcode Fuzzy Hash: fe638e67be54b8c0c69778b26222620de192b92a960c0dd970e3332ddc27b209
Instruction Fuzzy Hash: E4511AB4E052198FCB14CFA9C5809AEFBF2FF89304F24916AD418AB355D7359A41CFA1

Function 07E72150 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea47e6125d5e5c94459cebdd5c3302a232bcefffc26e8c1395864c7f4458fb9
Instruction ID: 4acf7e9e63cafef7dc7b4286a50f4be8145718ece0dbcfd2bb10c09e5ca29f25
Opcode Fuzzy Hash: 7ea47e6125d5e5c94459cebdd5c3302a232bcefffc26e8c1395864c7f4458fb9
Instruction Fuzzy Hash: EF5138B0E012198FCB14CFA9C5809AEBBF6BF89304F24D16AD518A7215D7349A41CFA0

Function 07E718E0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b742f9b824e09404388dfa968b1a74e370615f626289bdeb8ed7e2c2f378f9b
Instruction ID: bbee9a17d1b9c4eba481f823722aca3758d3093e0297a568bc9e3c57ea6600d6
Opcode Fuzzy Hash: 0b742f9b824e09404388dfa968b1a74e370615f626289bdeb8ed7e2c2f378f9b
Instruction Fuzzy Hash: AA5129B4E052198FCB14DFA9C5805EEFBF2BF89304F24D16AD418AB215D7349A42CFA1

Function 07E718EE Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176522885.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e70000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063c076390380b6bfc3853be11ca5d47e004227c732ed68e409bd134226cef51
Instruction ID: 8b890d88b1c9b0fe2f0f7d70faee0b8aa2b895d17aba220a6cef52d5483acc84
Opcode Fuzzy Hash: 063c076390380b6bfc3853be11ca5d47e004227c732ed68e409bd134226cef51
Instruction Fuzzy Hash: A051F9B4E012198FCB14DFA9C5809AEFBF2BF89304F24D169D418A7255D7359E42CF60

Analysis Process: OHScaqAPjt.exePID: 6576, Parent PID: 3660COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	28
Total number of Limit Nodes:	5

Executed Functions

Function 068E2358 Relevance: 9.0, Strings: 6, Instructions: 1482COMMON

Download Yara Rule

Strings

$eq, xrefs: 068E3763
$eq, xrefs: 068E373F
$eq, xrefs: 068E3716
$eq, xrefs: 068E3722
$eq, xrefs: 068E376F
$eq, xrefs: 068E374B

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-220072568
Opcode ID: 46785e335cd894076cda9afbcd728d4f152b2b6b9e705b3f808dd04e3202141b
Instruction ID: 254b1023cc48c9fc471b2b8f3c043fb077e486888b19a4f215c1c85184dbcba0
Opcode Fuzzy Hash: 46785e335cd894076cda9afbcd728d4f152b2b6b9e705b3f808dd04e3202141b
Instruction Fuzzy Hash: ECD25A34E00205CFDB64DF68C594A9DB7B6FF8A310F5485AAD509EB265EB34ED81CB80

Function 068E7D68 Relevance: 3.0, Strings: 2, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 068E8303
$eq, xrefs: 068E830F

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: $eq$$eq
API String ID: 0-2246304398
Opcode ID: 368acacb268b6c2d6c58b08d2600279dfccb6f65bf69369f2b352d899f7da04c
Instruction ID: 6bb856242977637354dbab354449a333a119565ab095d6efe6592fb69ef6f0af
Opcode Fuzzy Hash: 368acacb268b6c2d6c58b08d2600279dfccb6f65bf69369f2b352d899f7da04c
Instruction Fuzzy Hash: 7202AF70B006058FDB54DB68D994BAEB7B2FF85310F148969D905DB399EB35EC82CB80

Function 068E65E0 Relevance: .8, Instructions: 805COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f27cdcc128c5991f7aca48afa2685c2680c10a67dcd6858a4ad6e413590fed7a
Instruction ID: 7ea05c446c7afcf7c00e9a72a011482fb7a514d10106c969197ed8cb5968b3d5
Opcode Fuzzy Hash: f27cdcc128c5991f7aca48afa2685c2680c10a67dcd6858a4ad6e413590fed7a
Instruction Fuzzy Hash: 16627B34F002058FDB54EB68D584BADB7B2EF89314F148969E906DB395EB35EC81CB80

Function 068E5588 Relevance: .6, Instructions: 597COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25520b1680357a481e46669b083753a4e80d985e46860acdd74738034fd1006
Instruction ID: 1e1330edf7100e58cd4d6d192bf97786f8ec8453b6e89e83d97820e88a938406
Opcode Fuzzy Hash: e25520b1680357a481e46669b083753a4e80d985e46860acdd74738034fd1006
Instruction Fuzzy Hash: 6B22D235F042158FDF60DBA4C5806AEBBB2EF86324F248469D915EB354DB36EC41CB92

Function 068EB20F Relevance: .6, Instructions: 581COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653efc23014439a69f54b095bde6ab9a41de0d4d68996b37621411d06161b243
Instruction ID: b1f0056f8ae2b3d39bfceb711ee15bb33d30078275d89a1cb70bb30ed57d9cdc
Opcode Fuzzy Hash: 653efc23014439a69f54b095bde6ab9a41de0d4d68996b37621411d06161b243
Instruction Fuzzy Hash: CF226174E101098FDF64DBA8D6847AEB7F2EB86310F648426E609DB395DB34DC818B91

Function 068EACB8 Relevance: 10.4, Strings: 8, Instructions: 391
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 068EAE84
$eq, xrefs: 068EAE5B
$eq, xrefs: 068EAE38
$eq, xrefs: 068EAE2C
$eq, xrefs: 068EADE5
$eq, xrefs: 068EADD9
$eq, xrefs: 068EAE90
$eq, xrefs: 068EAE67

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1110479544
Opcode ID: 8a7a20570ae5ba181a2dd4e747c484fbecdf239e1706fff36012762254730a96
Instruction ID: a9a2a9714b60f4f130ccd9df3686cc7df166d70ff3cb29c78b04805c5d5b4891
Opcode Fuzzy Hash: 8a7a20570ae5ba181a2dd4e747c484fbecdf239e1706fff36012762254730a96
Instruction Fuzzy Hash: FFE17030F1020A8FCF69DBA9D5806AEB7B2EF86310F108529E505DB355EB35DC46CB91

Function 068EB630 Relevance: 8.0, Strings: 6, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 068EBB6F
$eq, xrefs: 068EBBD7
$eq, xrefs: 068EBB63
$eq, xrefs: 068EBBCB
$eq, xrefs: 068EBB97
$eq, xrefs: 068EBBA3

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-220072568
Opcode ID: d9cb7a8b2da1eae13b18e6541e7af8522e24021cf0b2a8a31389662120e06192
Instruction ID: 9a31ffd91b3adecc41030029972d4dc2fca666f78b144224e66ce0eda158b06e
Opcode Fuzzy Hash: d9cb7a8b2da1eae13b18e6541e7af8522e24021cf0b2a8a31389662120e06192
Instruction Fuzzy Hash: 4D026E30E142098FDBA4DF68D6807AEB7B2EF86310F20856AE555DB355DB31EC81CB81

Function 068E9138 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 068E917F
$eq, xrefs: 068E91BA
$eq, xrefs: 068E91C6
$eq, xrefs: 068E918B

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: 7a416221a13e0fab2d00f9d83c59752caeac2e401ce54697c9b372e56a990fe2
Instruction ID: 325c0050e262a1b967bd3af8b7854f345971e808c135f3527a72d8ca59f2ecd4
Opcode Fuzzy Hash: 7a416221a13e0fab2d00f9d83c59752caeac2e401ce54697c9b372e56a990fe2
Instruction Fuzzy Hash: D4915070F0060A9FDF54DF74D9947AE77F6AF89300F118469D519EB398EA70AC418B90

Function 068ECF28 Relevance: 4.5, Strings: 3, Instructions: 798
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 068ED31F
$eq, xrefs: 068ED327
$eq, xrefs: 068ED333

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq
API String ID: 0-177832560
Opcode ID: b75b8116e3cb8ad71c30133834ff03b5fe010f73ffac7f073336e03935553341
Instruction ID: 776da14dabafbdf49942e1eb556f5e8967ae3acb2a9f97a5139d90483dd0a84b
Opcode Fuzzy Hash: b75b8116e3cb8ad71c30133834ff03b5fe010f73ffac7f073336e03935553341
Instruction Fuzzy Hash: 53624030A006068FCB55EF68D990A5EB7F2FF85314B608A69D415DF369DB71EC86CB80

Function 068E4B50 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPjq, xrefs: 068E4C7D
\Ojq, xrefs: 068E4D07
fjq, xrefs: 068E525D

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: fjq$XPjq$\Ojq
API String ID: 0-216941231
Opcode ID: e880db659dce0cc4780f4c9464b15d8fc46196c6b2ccf1759b561e063b17ae48
Instruction ID: 605ec7f4838e51cba470581afa9542ade6d4f8b246aec7fd3f607962006bf9e8
Opcode Fuzzy Hash: e880db659dce0cc4780f4c9464b15d8fc46196c6b2ccf1759b561e063b17ae48
Instruction Fuzzy Hash: 42615074F002189FEB549FA9C8547AEBAF6FF88310F20842AE505EB394DF759C458B91

Function 02A7EB48 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_, xrefs: 02A7EB9B

Memory Dump Source

Source File: 00000009.00000002.3356984869.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a70000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 8b48e336ad2f55fd834f0395d11299a0d33269519af77e4896c658b1bd552fd5
Instruction ID: 7fbc95786f94675ff0f42c6cf96cc27566d9563ee0877a26dd33e108b53a41a7
Opcode Fuzzy Hash: 8b48e336ad2f55fd834f0395d11299a0d33269519af77e4896c658b1bd552fd5
Instruction Fuzzy Hash: 93415672E043998FCB11DF79D8446AEBFF4AF89220F1485AAD544E7241DB349988CBD1

Function 068E9127 Relevance: 2.7, Strings: 2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 068E917F
$eq, xrefs: 068E91BA

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: $eq$$eq
API String ID: 0-2246304398
Opcode ID: dd69e32381efbadb0b4284b7a4403ef90d5833e7af66435a0ce590b3024cf2ba
Instruction ID: 15f7a7282803b05e5dfb8c7269e41c099aa63ed3eeec22085de0e7e5ebce52f1
Opcode Fuzzy Hash: dd69e32381efbadb0b4284b7a4403ef90d5833e7af66435a0ce590b3024cf2ba
Instruction Fuzzy Hash: 1F515170F006059FDF54EB74E994B6E73F6AF89300F118469C519EB398EA70EC418B90

Function 02A7EC18 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 02A7EC87

Memory Dump Source

Source File: 00000009.00000002.3356984869.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a70000_OHScaqAPjt.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b53e50a85cc38bec0b245b6ef610d5f8e3b2d2c4a5f2ff65293a2966f961ac1d
Instruction ID: 67bca87930f531c914456f496d49b48bb35482acb663da75e5e7da7947ee5bc7
Opcode Fuzzy Hash: b53e50a85cc38bec0b245b6ef610d5f8e3b2d2c4a5f2ff65293a2966f961ac1d
Instruction Fuzzy Hash: 351106B5D0025A9FCB10CFAAC544BDEFBF4BF48320F14816AD418A7241D7796944CFA5

Function 068E4B40 Relevance: 1.4, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPjq, xrefs: 068E4C7D

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: XPjq
API String ID: 0-4216394854
Opcode ID: b542b4a1d7e1631b9a7a382177ed6c4e352bfde581b1660afd1e161a6984a90f
Instruction ID: 80428fba6854db5dc2883cba03f9f189d97077031ed67f11465000f3f5ca9a80
Opcode Fuzzy Hash: b542b4a1d7e1631b9a7a382177ed6c4e352bfde581b1660afd1e161a6984a90f
Instruction Fuzzy Hash: D9414D74F002099FDB55DFA9C854BAEBAF6EF88300F20852AE505EB395DE759C058B90

Function 068EDAB0 Relevance: 1.4, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHeq, xrefs: 068EDBF9

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: b0d2b4e56e78b29596823d6357fa4d678d372a89007be8a5bb033070bf90d74c
Instruction ID: 5a0a630cb9ffb6465ae0ed22532dc045e8931184534b84df4817dda087f6b8ee
Opcode Fuzzy Hash: b0d2b4e56e78b29596823d6357fa4d678d372a89007be8a5bb033070bf90d74c
Instruction Fuzzy Hash: 31419170E042099FDB61DF65C5446AFBBB2FF86340F204829D906EB340EB71D849CB80

Function 068EDA9D Relevance: 1.4, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHeq, xrefs: 068EDBF9

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: bda0fb638c3c461ee3a942d585d25cc97b24b0e7ebf4d7bc50352b960e7a85ba
Instruction ID: dad2f1754b87fe558d9c4537522211500cb3868fbd6dbc692b833c5e38a9761e
Opcode Fuzzy Hash: bda0fb638c3c461ee3a942d585d25cc97b24b0e7ebf4d7bc50352b960e7a85ba
Instruction Fuzzy Hash: F1416E70E046099FDB55DF64C5846AEBBB2FF86340F10492AE906EB340EB71D84ACB81

Function 068E21BD Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

PHeq, xrefs: 068E230B

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: 2c42be8f56da590a52c9c2f2c5ba084df96cd7ea490e30828396a21a715f1050
Instruction ID: 05b4d0ca92a40f38ce42aaa89d712d22a113bfacf25dfa927cfdae22872dc661
Opcode Fuzzy Hash: 2c42be8f56da590a52c9c2f2c5ba084df96cd7ea490e30828396a21a715f1050
Instruction Fuzzy Hash: 2231ED30F002058FDB56AF74966476F7BA7AF8A300F244869C406DB395EE35CE42CBA4

Function 068E21D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHeq, xrefs: 068E230B

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: ff47c16a9fad8d08acb69b2d6150d20a95279fd1639685e24759e50b520ec709
Instruction ID: 2840ff48c2db9df25c5faecee8e667a0799b3fbd3a5a772d7fbb7a1b2e2e942a
Opcode Fuzzy Hash: ff47c16a9fad8d08acb69b2d6150d20a95279fd1639685e24759e50b520ec709
Instruction Fuzzy Hash: 1531BE30F102058FDB55AB78D56476F7BA7AF8A300F204868D506DB395EE35DD41CB94

Function 068E82DE Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

$eq, xrefs: 068E8303

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: $eq
API String ID: 0-731066626
Opcode ID: 7a400fe3fcfc810dbcc0ca56bffd396fa2f479deaaf3a15c0bdec80ec91658ea
Instruction ID: da156bd228508f30e00efb17cc9f72f6ee9774cde0e8a8064bf13355daf67a19
Opcode Fuzzy Hash: 7a400fe3fcfc810dbcc0ca56bffd396fa2f479deaaf3a15c0bdec80ec91658ea
Instruction Fuzzy Hash: E8F0EDBAF04205CFEFA49E86E9812ACB3A9AB02215F040066CF00C3198D330CA10C691

Function 068EC170 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b40ff9615a6e3213e877ffcaf13bf57d62672f9fbd98399cb17045c395e95df7
Instruction ID: 2686fb0dd236faa3f3438796504adfdda315b06fc87b385a13996c366dc39ee9
Opcode Fuzzy Hash: b40ff9615a6e3213e877ffcaf13bf57d62672f9fbd98399cb17045c395e95df7
Instruction Fuzzy Hash: 22328034F102099FDF54DB68E984BAEB7B2FB8A310F10852AE916D7355DB35EC418B90

Function 068E61E0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2929fba97b8b024c44517f53ededae9e5cdbadb8366117e1cf65a22d65e66472
Instruction ID: 72b47d77cea9435ef2163bc32e49e64c0e6c232f7097631c8f93274cd39660e8
Opcode Fuzzy Hash: 2929fba97b8b024c44517f53ededae9e5cdbadb8366117e1cf65a22d65e66472
Instruction Fuzzy Hash: 6061C071F004114FCF519A6EC88066FBADBAFE5220B254439D90EDB364EE69EC4287C1

Function 068E4280 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df0b6cacddf84470153c14603378b9dce2a82c57334c00579fba6b4dbe20ecf
Instruction ID: 6aeb750a32152e120b56ea81581133f297416240dc4199867bf4f65c87afa7f0
Opcode Fuzzy Hash: 4df0b6cacddf84470153c14603378b9dce2a82c57334c00579fba6b4dbe20ecf
Instruction Fuzzy Hash: 61814B34F106098FDB54DBA8D5547AEB7F6AF89304F118429D50ADB398EE75EC428B80

Function 068E45A0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e447f46566356c39ef453508337cd9bf96241929be1734598a48f282e9144574
Instruction ID: 6fd2e7ecaacbe8c1bce713c91b73712a34721c1292eddee69f0a739f1db00a3d
Opcode Fuzzy Hash: e447f46566356c39ef453508337cd9bf96241929be1734598a48f282e9144574
Instruction Fuzzy Hash: D3913D74E006198BDF60DF68C880B9DB7B1FF8A310F208599D54DEB295DB70AA85CF90

Function 068E4290 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58fcd9e63e377ab4311721568e086c24be6ae6619cbf52c18a6a02cd5c92a40
Instruction ID: 9f7a17d3707f43a07fe400dce98d2162e6e1741391daf615e633a7eefd220080
Opcode Fuzzy Hash: f58fcd9e63e377ab4311721568e086c24be6ae6619cbf52c18a6a02cd5c92a40
Instruction Fuzzy Hash: 43815B34F106098FDB54DFA8D5547AEB7F6AF89300F108429D50ADB398EE75EC428B81

Function 068E45B8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eec1255d6a03f4e9e923cf63f22bb9fca71f4e1222766d97cc58353cb0eb053
Instruction ID: 8b298af0f814379f79319abcf04b83a822f64221d85b49c2c8f857abc0de42b4
Opcode Fuzzy Hash: 0eec1255d6a03f4e9e923cf63f22bb9fca71f4e1222766d97cc58353cb0eb053
Instruction Fuzzy Hash: 7F911C74E106198BDF60DF68C880B9DB7B1FF89310F208699D54DEB295DB70AA85CF90

Function 068EEEF0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42e03bed647c1f09a5e857d49e80fc9ccad4d1ec9a1e38a41732bbb1d0ea59e
Instruction ID: c2cc00abdde8ac29afb1354eed819b9d465b96db3bcdab7736e77674d442cc47
Opcode Fuzzy Hash: a42e03bed647c1f09a5e857d49e80fc9ccad4d1ec9a1e38a41732bbb1d0ea59e
Instruction Fuzzy Hash: 10715A70A002499FCB55DFA8D980AAEBBF6FF89300F248469E515EB355DB30ED46CB40

Function 068EEF00 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac821912f40298bcdd45989b05f9e39cc9b4d799dd90d57c73cdf35e0d51ed9
Instruction ID: 078e650118b214532468a74e19261f32765b0cdbb08bdd0473e78ff749d3db06
Opcode Fuzzy Hash: 2ac821912f40298bcdd45989b05f9e39cc9b4d799dd90d57c73cdf35e0d51ed9
Instruction Fuzzy Hash: B9714B70A002489FCB55DFA8D980AAEBBF6FF89300F148469E515EB355DB70EC45CB40

Function 068EFC68 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7570df638ef129dfeac7d385b9ec765dafe7dee000a9d3d8e2102c9ce5992a0a
Instruction ID: 97d76d55fffa462ef62701d8b53df55fb685606313376df27a471daf8cc37085
Opcode Fuzzy Hash: 7570df638ef129dfeac7d385b9ec765dafe7dee000a9d3d8e2102c9ce5992a0a
Instruction Fuzzy Hash: 2751DF31F00109DFCB54ABB8E5446AEBBB2FB8A311F208869E606DB250DB359D55CB80

Function 068EFA0B Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 134c44005a0cc259c5f263abf3f13212bd2e75347d551bc7cc2788a24c5da80a
Instruction ID: a843f15e70baba3648433d2dbede166002b84f3a66625bcfdee95a8b5184636e
Opcode Fuzzy Hash: 134c44005a0cc259c5f263abf3f13212bd2e75347d551bc7cc2788a24c5da80a
Instruction Fuzzy Hash: 1351E974F602148FEFA16A6CD85472F366AD7CA350F20442AE70AD73D9CB78CC418792

Function 068EFA18 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ae5507b82fa9cb85edba32bc3b8c52b5ce0e4fb3e3db8cde80c97aad716557
Instruction ID: d0f061e9329e432c56992b434769773112e080568c5d6730104978d107f1e2c6
Opcode Fuzzy Hash: 68ae5507b82fa9cb85edba32bc3b8c52b5ce0e4fb3e3db8cde80c97aad716557
Instruction Fuzzy Hash: 8651E674F605148BEFA1666CD854B2F366AE7CA710F60442AE70AD73D9CF78CC8147A2

Function 068E5408 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b1915cd7eb1055e3cf6817622757819706bde56bf7669082dee7f09b3df053
Instruction ID: 6d19674d532d3300c93051339d69e8fef2eec7aa838f21b123854d3aa99ff7a7
Opcode Fuzzy Hash: b9b1915cd7eb1055e3cf6817622757819706bde56bf7669082dee7f09b3df053
Instruction Fuzzy Hash: 19415171E006098BDF70CE99D880AAFF7F6FB85318F10492AD215D7650D731E9558B92

Function 068EFC58 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3cf22cec0cbe680ad217b4da761fe9f29ddc01e0fe270c1a064ed768d7071e1
Instruction ID: 870b1a1c7627dae6f83a59abbe885906b6147a4cdbbf9f9f8fc233ef38ed520f
Opcode Fuzzy Hash: e3cf22cec0cbe680ad217b4da761fe9f29ddc01e0fe270c1a064ed768d7071e1
Instruction Fuzzy Hash: 4131E131F005159FCB14ABB8E5142AEBBB2EB85301F108C69E606DB251DF359865C790

Function 068ED950 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2960a015a5c87f7df94bfb42ebfa2559865c504c8a97468e1dd1c03e64ce781
Instruction ID: cba046cde6b84ce6f34dac291a06d7e9fb1d10fc3f0e9bcb85ac1d6ccd7da94e
Opcode Fuzzy Hash: f2960a015a5c87f7df94bfb42ebfa2559865c504c8a97468e1dd1c03e64ce781
Instruction Fuzzy Hash: 0531A670E1460A8FCF55DF68D99069EBBF2FF85300F104929E505EB245EB71A946CB80

Function 068E208B Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ad3b05909260fc85a38b08d0b34abeb5804cb5a41d32014c9b7b060d872337
Instruction ID: 38534ff028007b34a400d9eef716c3ea6f6662ae4da93a15d83216ec341f39c4
Opcode Fuzzy Hash: d8ad3b05909260fc85a38b08d0b34abeb5804cb5a41d32014c9b7b060d872337
Instruction Fuzzy Hash: 28318F34E142069BCB59DFA4D8A46AEB7B6FF8A310F108529E906E7354DB71ED42CB40

Function 068E2090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abfc0c863c1e3cef3836f485ec65ca298449fe3ce321ea5c7355d089614ac764
Instruction ID: 74513680ff32774d6ee03029d807c5d23509445e6281d20cb34e22e4531cc248
Opcode Fuzzy Hash: abfc0c863c1e3cef3836f485ec65ca298449fe3ce321ea5c7355d089614ac764
Instruction Fuzzy Hash: 2631B034E1020A9BCB18DFA4D8A469EB7B6FF8A300F108429E906E7350DB71FD41CB40

Function 068E3A80 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35be554c54202d0b80d3d85609c60cdcfb0741a73f414dca1aef59dfebf4e3b
Instruction ID: 68f92a07393b4583e0ca8d219cc569b3974af0270d5d696064ca20fd0a35b611
Opcode Fuzzy Hash: b35be554c54202d0b80d3d85609c60cdcfb0741a73f414dca1aef59dfebf4e3b
Instruction Fuzzy Hash: 62218E76F006199FDB40DFA9D980BAEBBF5EB89710F148026EA05E7394E730DD418B94

Function 068E3A90 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f91cf566f02e64732febd6454cfff4b3d75cd866480b98c7529b21133320e1e
Instruction ID: 271447665d85429952ff3b4e6db5faa8f69eb7a527bfa1111bcc0bc7ebaeeb52
Opcode Fuzzy Hash: 7f91cf566f02e64732febd6454cfff4b3d75cd866480b98c7529b21133320e1e
Instruction Fuzzy Hash: 71218C75F006199FDB40DFA9D980BAEB7F5EB88710F14802AEA05E7394E770DD408B94

Function 029AD006 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3356452996.00000000029AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_29ad000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea701f0f060635e40da0ee9ce89a84d22f27c4cf6606ced293e838fb846ff84
Instruction ID: d551dd7477dec5481bb42f6bf76bbcaec86d2921bcc8e197f446d26819cfa6b9
Opcode Fuzzy Hash: fea701f0f060635e40da0ee9ce89a84d22f27c4cf6606ced293e838fb846ff84
Instruction Fuzzy Hash: 352191755093C08FC703CB24C9A4711BF75EB46214F28C1DBD8888B6A3C33A980ACBA2

Function 029AD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3356452996.00000000029AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_29ad000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28bdce6c83c0afc691b784774605ffe9c05a741c496f22207d1e22f7d2ea664c
Instruction ID: d9e5d669f9d4dab0be0d9ec209880cea55e07103d0ebefc6c76931434e0a4091
Opcode Fuzzy Hash: 28bdce6c83c0afc691b784774605ffe9c05a741c496f22207d1e22f7d2ea664c
Instruction Fuzzy Hash: 242134B1508300DFDB15DF14D9D0B26BBA5FB88314F24C96DD80A0B686C33AD847CAB2

Function 068E53F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f572cf5d0fb8a647d292c3502af490a33e5556331e8f2700d2971e56a1479d
Instruction ID: 74653cc0b346f68a9910826d6370ea0e94e1c6f4ef9bfaf49179d6abbed04019
Opcode Fuzzy Hash: c3f572cf5d0fb8a647d292c3502af490a33e5556331e8f2700d2971e56a1479d
Instruction Fuzzy Hash: AA218E71A00B099BCB20CFA9CCC1AAFFBB6FF85304F108929E215D7651D731E8558B91

Function 068E6D00 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f59f2728379f7f4d73f9f65493784877290a8b2f9584253b594676af5597496
Instruction ID: 5035fd52e88407693a463c4936cc351866a07de71da0922b7d5522e09765be26
Opcode Fuzzy Hash: 4f59f2728379f7f4d73f9f65493784877290a8b2f9584253b594676af5597496
Instruction Fuzzy Hash: D921A534F101189FCF54DBA9E55479DB7B7EB85310F648425D505D7354EB32AC818B84

Function 068E3BA0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e2f81889b1d79103e903185b098e53368077699174961e11bb049591dec209
Instruction ID: e68de0c517e05eac521747483750c787f30d24a02cbec83b492c2c0d1b72f340
Opcode Fuzzy Hash: e3e2f81889b1d79103e903185b098e53368077699174961e11bb049591dec209
Instruction Fuzzy Hash: 0511A131F145299FDF549668D8186AE73BAABC9310F01443AD506E7398EE74DC028BD4

Function 068E41E3 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67aa32d035f3fffd8904543259d795df152d5258f3f0d573861baac2382e5512
Instruction ID: d76e4064707beee3a13c270c3338fe94a07140838f351f5ec35dbbc92ef0c8ec
Opcode Fuzzy Hash: 67aa32d035f3fffd8904543259d795df152d5258f3f0d573861baac2382e5512
Instruction Fuzzy Hash: B301DB30B041105FDBA296BDE44472FB6DADBCA720F20843AE60ECB394ED65EC424399

Function 068EF171 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0deb3d5d6a85f1cf4634fb5f7f0017be30fefac1736204ea690f2181d21b5cbc
Instruction ID: 77dddcda320ef68ae749f6bbbcc0963e7bf9a11f57d1ecc1715381aeb2b8a83e
Opcode Fuzzy Hash: 0deb3d5d6a85f1cf4634fb5f7f0017be30fefac1736204ea690f2181d21b5cbc
Instruction Fuzzy Hash: B6018471B144145FCBA6D6BCD89076E67D6EBCA720F208829E70AC7341DE25DC134785

Function 068E3040 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b24555b619908f602150bf73b05cc2414a947b397568e14bc0c1c5e2183d75
Instruction ID: 7ebbdc0112b8e4a8b3e1a374656df4790506730acb61f867f08d7c49b1e497e3
Opcode Fuzzy Hash: f3b24555b619908f602150bf73b05cc2414a947b397568e14bc0c1c5e2183d75
Instruction Fuzzy Hash: 71016D71E002289BCB98DBB9D9405DEF7B5EF8A310F10856AD606E7304EA31DE44CB91

Function 068E3860 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae11950cb99dd46df9bbc0c1b4fe647ac3a7c8c2c911a64e67dd9492eb8aa1a
Instruction ID: 3678811a5d80bf92dbb01c09f9444a187dd125558d543f0b6225973ca89dc197
Opcode Fuzzy Hash: 8ae11950cb99dd46df9bbc0c1b4fe647ac3a7c8c2c911a64e67dd9492eb8aa1a
Instruction Fuzzy Hash: 2111D0B5D00219AFCB10CF9AD984ADEFFB8FB49310F50812AE918A7201C375A944CFA5

Function 068EA2F0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c38199139e1b7f41c043394ac80849ff608239f93261a20abda4aba2611dcd
Instruction ID: 6619101fef41006f9856df4a0e79bafdb1d869dcbfd61cb79e96239e42c35188
Opcode Fuzzy Hash: 40c38199139e1b7f41c043394ac80849ff608239f93261a20abda4aba2611dcd
Instruction Fuzzy Hash: F0014F70B045105FDBA5DABCE46472EB3D9EB86B14F11882AE70ACB794DE25DC0287C1

Function 068E3859 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f29e1da29888e79855d216825d775dec13071dc5c7d42f62af7309b6c497277f
Instruction ID: e253a51e9dd8bb055f1cbc97971d8efa82ca04cf855fa1db418dad29c536d737
Opcode Fuzzy Hash: f29e1da29888e79855d216825d775dec13071dc5c7d42f62af7309b6c497277f
Instruction Fuzzy Hash: AD21CFB5D01219AFCB00CF9AD985ADEFBB8FF49310F50812AE518B7201C375AA54CFA4

Function 068E41F0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d76f340115ed574232e954e823f4ec877511193bb5237b39cb4e6491946839
Instruction ID: db95aefadd78b778dbfc7a2789ace6e48ee836512b8e15800cd352dc99fc0742
Opcode Fuzzy Hash: 07d76f340115ed574232e954e823f4ec877511193bb5237b39cb4e6491946839
Instruction Fuzzy Hash: 1E018C31B101114BDBA595BDA45472FB2DADBCA720F208839E60EC7394ED66EC424399

Function 068EF180 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43221ce502fa0bef948b661a459ea1203b1a183705b8b2baf42c7c411a65d8f5
Instruction ID: 5ec3199468747cf28f193219b08456af6c0095143a27bc04a88a98d2d5914fe8
Opcode Fuzzy Hash: 43221ce502fa0bef948b661a459ea1203b1a183705b8b2baf42c7c411a65d8f5
Instruction Fuzzy Hash: A2018C71B004144FDBA696ACD89072F62DAEBCA720F208829E70AC7380DE26DC024385

Function 068E3B8F Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2ebf089d2eb8222eb8ede5da92b7b703cbf53495010a9b658dde91b1e112c1
Instruction ID: 3d8e44775735bfa386247ed78aac6b9d6e7c55ad62fcfa62eebcf5f5e20f18c8
Opcode Fuzzy Hash: df2ebf089d2eb8222eb8ede5da92b7b703cbf53495010a9b658dde91b1e112c1
Instruction Fuzzy Hash: 5801F236F145294FDF45D678E9183AF37BA9BC9200F05003AD90AD7384EEA5DC128BD1

Function 068EA300 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ba59136c305e9471913dab4c6c8db15dd45e321ee03feb25508242b2515ee6
Instruction ID: baf3030d41fb33ef4379be8012cf8c61a093adcfe53e2d37de8da032d0660694
Opcode Fuzzy Hash: f5ba59136c305e9471913dab4c6c8db15dd45e321ee03feb25508242b2515ee6
Instruction Fuzzy Hash: 9D014470B041105FDBA4D6BCE45471FB3D9EB86B14F11883AE70AC7794DD26DC028784

Function 068E6461 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c36fe7c488ccd05e891e67573d2df8d5e18d586caf8427e1b1378a7adba659
Instruction ID: 0474c2134f3440eeea973a4ba1d035f0432ad8cdb13b4cf409acef51535100cd
Opcode Fuzzy Hash: f9c36fe7c488ccd05e891e67573d2df8d5e18d586caf8427e1b1378a7adba659
Instruction Fuzzy Hash: 0CE0D871E142099FDFB0CE74C95176E77A9EB03208F2048A6D904DB141FA33ED418781

Function 068E6470 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa976699a50b98a0a6b50c08d3026a88d70fc42e5459dfcadbf44bb0d2ea6d04
Instruction ID: 619c72e17d21bb0db57261e002215a11ca2c5287e01b1a9ff7a0af64bb56eae3
Opcode Fuzzy Hash: aa976699a50b98a0a6b50c08d3026a88d70fc42e5459dfcadbf44bb0d2ea6d04
Instruction Fuzzy Hash: F6E01271E10109ABDFA0DEB4C95576E77ADD702218F2088A6D909DB201F576DE414781

Non-executed Functions

Function 068E7688 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$eq, xrefs: 068E77ED
$eq, xrefs: 068E77F9
$eq, xrefs: 068E7C2E
$eq, xrefs: 068E7C24
$eq, xrefs: 068E77BC
$eq, xrefs: 068E77C8
$eq, xrefs: 068E7B79
$eq, xrefs: 068E7B85
$eq, xrefs: 068E7C18
$eq, xrefs: 068E7C3A

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-2049195972
Opcode ID: 1e12c161ba83b79350b41e3bfe43080028e74d61b9f078520e20c3500d0d8d40
Instruction ID: 5750fc88e05729c81e2c4f064b1656a797b971e20bb1cd5b925c2169f3a8d977
Opcode Fuzzy Hash: 1e12c161ba83b79350b41e3bfe43080028e74d61b9f078520e20c3500d0d8d40
Instruction Fuzzy Hash: D1120974E00219CFDB64DF69C954AAEB7B6FF89300F2085A9D50AEB255DB309D85CF80

Function 068EA920 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$eq, xrefs: 068EAA71
$eq, xrefs: 068EAA9C
$eq, xrefs: 068EAAA8
$eq, xrefs: 068EAA7D
$eq, xrefs: 068EAADE
$eq, xrefs: 068EAAD2
$eq, xrefs: 068EAA16
$eq, xrefs: 068EAA22

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1110479544
Opcode ID: ca2c21d4b5e1cddae14eaad3574eafccb63496cf6838552dd0d1f72ce45abca0
Instruction ID: d5e68e7d78f158e4fee208a96f318834335f88a538033eae9fc9d21e66f0a957
Opcode Fuzzy Hash: ca2c21d4b5e1cddae14eaad3574eafccb63496cf6838552dd0d1f72ce45abca0
Instruction Fuzzy Hash: 7E918F70E00209DFDBA8EF64DA95B6EBBB2FF85700F108529E411EB294DB759C45CB90

Function 068E7088 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$eq, xrefs: 068E73D0
$eq, xrefs: 068E736A
.5}q, xrefs: 068E70E3
$eq, xrefs: 068E7590
$eq, xrefs: 068E7524
$eq, xrefs: 068E73C4
$eq, xrefs: 068E759C

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: .5}q$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1622854337
Opcode ID: e71b703a4452c9846ebc7f499d2c12e6edd37421f144ca7e0f1a460dfb4a235a
Instruction ID: c2ff25342713e20a40f27c9e7f2b60edfcb70502c5fc77034c650fed32ffafc2
Opcode Fuzzy Hash: e71b703a4452c9846ebc7f499d2c12e6edd37421f144ca7e0f1a460dfb4a235a
Instruction Fuzzy Hash: BCF12874A00208CFDB55EBA8C954B6EB7B2FF85304F648569D505DB3A9DB31EC42CB90

Function 068E83C0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$eq, xrefs: 068E861A
$eq, xrefs: 068E868B
$eq, xrefs: 068E8626
$eq, xrefs: 068E867F

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: 1a5a1ce518b2b6493fd55dc2ba6ebf2f743fde236edc897e28935b770ccfe45e
Instruction ID: 034dd2e3f13cbfa57dbf86163f28452f55754267b4208af88b1e7e24b004d5af
Opcode Fuzzy Hash: 1a5a1ce518b2b6493fd55dc2ba6ebf2f743fde236edc897e28935b770ccfe45e
Instruction Fuzzy Hash: 85B139B0B10208CFDB64EFA8C99466EB7B2EF85304F248569D506DB395DB75DC82CB84

Function 068E87D8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LReq, xrefs: 068E88CB
$eq, xrefs: 068E8857
$eq, xrefs: 068E8863
LReq, xrefs: 068E891A

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: LReq$LReq$$eq$$eq
API String ID: 0-731573373
Opcode ID: c98031b7ff0fefd2cb38f1f0583ff7238f12dc47f55077986eb12baa1917c15b
Instruction ID: ee5470ecf2778096fd3e497375b47dbb66ea58d61b2c7f16c188811265149433
Opcode Fuzzy Hash: c98031b7ff0fefd2cb38f1f0583ff7238f12dc47f55077986eb12baa1917c15b
Instruction Fuzzy Hash: 4A51AE70B002059FDB94EB78D981B6EB7A6FF89300F148569E506DB3A9DB31EC40CB91

Function 068EACA8 Relevance: 5.2, Strings: 4, Instructions: 160COMMON

Download Yara Rule

Strings

$eq, xrefs: 068EAE84
$eq, xrefs: 068EAE5B
$eq, xrefs: 068EAE2C
$eq, xrefs: 068EADD9

Memory Dump Source

Source File: 00000009.00000002.3368667683.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68e0000_OHScaqAPjt.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: 17269bd41000f575e8d0294f07358776760f6a83e4921a7620816c43b45382c3
Instruction ID: 0beb0db9bd3e3b089b2271d9c7d26b4f296ecabe1cebf1bac1f1215a678cba27
Opcode Fuzzy Hash: 17269bd41000f575e8d0294f07358776760f6a83e4921a7620816c43b45382c3
Instruction Fuzzy Hash: F951A034F102058FCFA9EB64D9806AEB7B6EF86701F14852AE916D7354DB31EC41CB91

Analysis Process: PZgxeUcXE.exePID: 7256, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	244
Total number of Limit Nodes:	15

Executed Functions

Function 0124D4D8 Relevance: 6.3, APIs: 4, Instructions: 264
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0124D566
GetCurrentThread.KERNEL32 ref: 0124D5A3
GetCurrentProcess.KERNEL32 ref: 0124D5E0
GetCurrentThreadId.KERNEL32 ref: 0124D639

Memory Dump Source

Source File: 0000000A.00000002.2236210399.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1240000_PZgxeUcXE.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 269b9c8b339cb1a7abe379cb059e8356cfe9f2f7045a0a50d97cf2e5e2eb5201
Instruction ID: 5f1b60d06aab553059984329be56322e0d0d4c865899b9d700b415cca1b689ac
Opcode Fuzzy Hash: 269b9c8b339cb1a7abe379cb059e8356cfe9f2f7045a0a50d97cf2e5e2eb5201
Instruction Fuzzy Hash: E9B1A075A102098FDB18DFADD944BAEBBF1FF88304F248469E509AB361DB319945CF60

Function 0124D4E8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0124D566
GetCurrentThread.KERNEL32 ref: 0124D5A3
GetCurrentProcess.KERNEL32 ref: 0124D5E0
GetCurrentThreadId.KERNEL32 ref: 0124D639

Memory Dump Source

Source File: 0000000A.00000002.2236210399.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1240000_PZgxeUcXE.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5d0e2885207ee5e52b6e59e3e86d257ffad1044e8d9f65d6f1a91818d14557a7
Instruction ID: b1b6900e72fb78d4b231690a317b30f247f920712d8c671a54cd33b3a02996b4
Opcode Fuzzy Hash: 5d0e2885207ee5e52b6e59e3e86d257ffad1044e8d9f65d6f1a91818d14557a7
Instruction Fuzzy Hash: 5D5156B19103098FDB18CFAAD948B9EBFF5EF98314F208459E119A7360DB349944CF65

Function 07C64A84 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07C64CC6

Memory Dump Source

Source File: 0000000A.00000002.2242727785.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c60000_PZgxeUcXE.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 18aafdd9f251d11de3b70af7078d5f1b5118ae07186345c4707e80cdb354f8ff
Instruction ID: 1da6831786f6e3646c7064e5d2ee1bbd00ef2091f37a1014aa61440e5db3bc88
Opcode Fuzzy Hash: 18aafdd9f251d11de3b70af7078d5f1b5118ae07186345c4707e80cdb354f8ff
Instruction Fuzzy Hash: 9FA13BB1D0065ADFDB18CFA8C8C5BEDBBB2BF48310F148569D818A7250DB749A85CF91

Function 07C64A90 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07C64CC6

Memory Dump Source

Source File: 0000000A.00000002.2242727785.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c60000_PZgxeUcXE.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cd8d77788f67a75bee8fd496e98da9534eca41d601d0588dad8c47586b386b30
Instruction ID: 1ee9cb67c9fd612b8ad471c95fbaebd526e2521d195150e21d1c05fa223d9a7b
Opcode Fuzzy Hash: cd8d77788f67a75bee8fd496e98da9534eca41d601d0588dad8c47586b386b30
Instruction Fuzzy Hash: 0E913CB1D0065ADFDB18CFA8C8C5BADBBB2BF48310F148569D818A7250DB749B85CF91

Function 0124AE38 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0124B09E

Memory Dump Source

Source File: 0000000A.00000002.2236210399.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1240000_PZgxeUcXE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d3a4836600476e297df8ce9d5c8807f749df5c5e4eae1a530083d6c0ef0321e8
Instruction ID: 2c80bb69b2e95e27622c4bd1428a85f4d2adefe9a24e38f57c3d1c9f9ad2b51f
Opcode Fuzzy Hash: d3a4836600476e297df8ce9d5c8807f749df5c5e4eae1a530083d6c0ef0321e8
Instruction Fuzzy Hash: 1D8168B0A10B068FE728DF29C44575ABBF5FF88304F00892DE69AD7A40DB75E845CB91

Function 012444D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012459C9

Memory Dump Source

Source File: 0000000A.00000002.2236210399.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1240000_PZgxeUcXE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 35b06c4614a58f589f63066843327f5709cb121f07c38aa1339316797f889731
Instruction ID: 0c60b27e90ba9fabdf61059995b8a39da18c48818a8bcab0608f59cfa97ba04c
Opcode Fuzzy Hash: 35b06c4614a58f589f63066843327f5709cb121f07c38aa1339316797f889731
Instruction Fuzzy Hash: 1341F0B1C1071DCBDB28CFA9C884B8DBBF5BF49304F20816AD548AB251DBB16949CF90

Function 0124590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012459C9

Memory Dump Source

Source File: 0000000A.00000002.2236210399.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1240000_PZgxeUcXE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2a832b0367bb08fdae1e112ef604ef1045239414f4e35d3438e4b6c4dfddd8b4
Instruction ID: 9dc4ab20cda7b354b7e8e7f17cc7e47e51ddecc7becd2bd53b00b72a824cbc1a
Opcode Fuzzy Hash: 2a832b0367bb08fdae1e112ef604ef1045239414f4e35d3438e4b6c4dfddd8b4
Instruction Fuzzy Hash: EF4110B5C1071DCBDB28CFA9C984B8DBBF1BF48304F20816AD548AB251DB71694ACF90

Function 07C64801 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07C64898

Memory Dump Source

Source File: 0000000A.00000002.2242727785.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c60000_PZgxeUcXE.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c7bc19df3eeb9865ba3479ef8026792a9575c61ed74a6d4160ffcf1528fe050d
Instruction ID: 96988ce67789b2e785d1b5f7c6b5d16567b1551107846f1071a6a7d919600a52
Opcode Fuzzy Hash: c7bc19df3eeb9865ba3479ef8026792a9575c61ed74a6d4160ffcf1528fe050d
Instruction Fuzzy Hash: EE215AB1D003599FCB10CFA9C984BDEBBF5FF48310F10882AE918A7241D7749A44CBA0

Function 07C64808 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07C64898

Memory Dump Source

Source File: 0000000A.00000002.2242727785.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c60000_PZgxeUcXE.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 00e209bcec6937f8a0fbc55de59f560129a5104db299e8b4da332061e5b82766
Instruction ID: 51a46568fab3a01fed7dcd055e020ed3e07044eec554964fc38434eb532bfe92
Opcode Fuzzy Hash: 00e209bcec6937f8a0fbc55de59f560129a5104db299e8b4da332061e5b82766
Instruction Fuzzy Hash: 72213BB1D003599FCB14CFA9C985BDEBBF5FF48310F108429E918A7240D7749A44DB60

Function 07C64230 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07C642B6

Memory Dump Source

Source File: 0000000A.00000002.2242727785.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c60000_PZgxeUcXE.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 84c35716e17a97d5f964ef6a729b73a77ab1e4d76a6cbee9c5732cd6376083ae
Instruction ID: a50ea8004accb721a2663206b5094eb6730a4b4ea64e75794e5f06ea3e0e406c
Opcode Fuzzy Hash: 84c35716e17a97d5f964ef6a729b73a77ab1e4d76a6cbee9c5732cd6376083ae
Instruction Fuzzy Hash: 63216AB1D003499FDB14CFAAC4847AEBFF5EF48324F14842AD558A7241DB789A44CFA0

Function 07C648F1 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07C64978

Memory Dump Source

Source File: 0000000A.00000002.2242727785.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c60000_PZgxeUcXE.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c176d787d812306731e2809f8e4a2439544307ca409688f49a090bb3799792b1
Instruction ID: 9491afab2dae4fd4c49ab3db628801d5884d2fa77e264ae92ac1832aa4cd622d
Opcode Fuzzy Hash: c176d787d812306731e2809f8e4a2439544307ca409688f49a090bb3799792b1
Instruction Fuzzy Hash: 732119B19003599FCB10DF99C884ADEFBF5FF48310F10842AE558A7250D7749544DBA4

Function 0124D728 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0124D7B7

Memory Dump Source

Source File: 0000000A.00000002.2236210399.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1240000_PZgxeUcXE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4c760d023ae93d37103bfc585f636d7ed2ff743671c4a0aef43dbf17666e669e
Instruction ID: 2609b1a9488898735177a60a8bfd061572a2f6b3fee2f3022126022d41544ef6
Opcode Fuzzy Hash: 4c760d023ae93d37103bfc585f636d7ed2ff743671c4a0aef43dbf17666e669e
Instruction Fuzzy Hash: F121E0B5D00249DFDB14CFA9D985ADEBBF4EB48320F14841AE958A3351D378A944DF60

Function 07C64238 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07C642B6

Memory Dump Source

Source File: 0000000A.00000002.2242727785.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c60000_PZgxeUcXE.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f5ffce0894882b7d21db045280a4701408d36866a38ed7c4c9d7c1c1d1f3a4fd
Instruction ID: 399a5cbde7af44fe7b9c75966f0fea07c7793818d23a5a0218fbce4621c36a6b
Opcode Fuzzy Hash: f5ffce0894882b7d21db045280a4701408d36866a38ed7c4c9d7c1c1d1f3a4fd
Instruction Fuzzy Hash: 92215BB1D003098FDB14DFAAC4857EEBBF5EF48324F14842AD559A7241DB789A44CFA0

Function 07C648F8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07C64978

Memory Dump Source

Source File: 0000000A.00000002.2242727785.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c60000_PZgxeUcXE.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5bd124f068a2d1c536522b25ea5efed32866391832763c3a5042816442237b6d
Instruction ID: 4a599b67a397cd4cb674d04cddaa5a99b28f362d7dc90fee5565ba321ae59433
Opcode Fuzzy Hash: 5bd124f068a2d1c536522b25ea5efed32866391832763c3a5042816442237b6d
Instruction Fuzzy Hash: 2F2139B1C003599FCB10CFAAC884AEEFBF5FF48320F10842AE558A7250D7749944DBA0

Function 0124D730 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0124D7B7

Memory Dump Source

Source File: 0000000A.00000002.2236210399.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1240000_PZgxeUcXE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e4c293b1fd29e70222eb9b905da8288ea45b3d0fd44933c7c0b5339f902013bc
Instruction ID: 8f6e52d279b697c7b40669809cec9b9b371c885f18a26cb78de184599aa1d9fd
Opcode Fuzzy Hash: e4c293b1fd29e70222eb9b905da8288ea45b3d0fd44933c7c0b5339f902013bc
Instruction Fuzzy Hash: 9D21E4B5900249DFDB10CF9AD984ADEBFF8EB48310F14841AE914A3311D374A944DFA0

Function 07C64740 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07C647B6

Memory Dump Source

Source File: 0000000A.00000002.2242727785.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c60000_PZgxeUcXE.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1f6c4249ff1fdfd196d9a13e126f8107a0b12306c18daefde2285ec25990ea3d
Instruction ID: 374e8f5abe4bc4b565b07ce4cfdbb882c8fc4e5ee9cde2bd0ece47bd4903f9db
Opcode Fuzzy Hash: 1f6c4249ff1fdfd196d9a13e126f8107a0b12306c18daefde2285ec25990ea3d
Instruction Fuzzy Hash: F5116AB1C002499FCB14DFA9C884ADEBFF5EF89320F14841AE955A7250CB759A54DFA0

Function 07C64748 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07C647B6

Memory Dump Source

Source File: 0000000A.00000002.2242727785.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c60000_PZgxeUcXE.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1ddb9beb2e533f7d0ec8968d11312212448c694302e17d07acfc73b490f3a4ac
Instruction ID: d7c3be9495e2a997c71bbca3690531d2b6b9120718fe3a073cb607975ca09e76
Opcode Fuzzy Hash: 1ddb9beb2e533f7d0ec8968d11312212448c694302e17d07acfc73b490f3a4ac
Instruction Fuzzy Hash: FA117C718002499FCB10DFA9C884ADFBFF5EF48320F148419E515A7250C7759540CFA0

Function 07C64181 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07C641EA

Memory Dump Source

Source File: 0000000A.00000002.2242727785.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c60000_PZgxeUcXE.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d03de64587ab992012366e02d7e5d4a77b77b6726041c2f2391dfa4b8d796277
Instruction ID: ac5cb288ec4cf5378380798c13f6c13617d53dd81ee377ae2f4a8b2656d38394
Opcode Fuzzy Hash: d03de64587ab992012366e02d7e5d4a77b77b6726041c2f2391dfa4b8d796277
Instruction Fuzzy Hash: 0B1149B19003498BDB14DFAAC88579EFBF4EB88320F248819D559A7240DB756944CB94

Function 07C64188 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07C641EA

Memory Dump Source

Source File: 0000000A.00000002.2242727785.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c60000_PZgxeUcXE.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3271bb28fa15c342f86e6e638869c87e40146d21cd57b461168920af6420a794
Instruction ID: 4d86eaefb93b081a96925ae9336cc9d41660ea7e1e9a17282584c2833dde344d
Opcode Fuzzy Hash: 3271bb28fa15c342f86e6e638869c87e40146d21cd57b461168920af6420a794
Instruction Fuzzy Hash: 3F116AB1D003498FDB24DFAAC88479EFBF8EF88320F248419D519A7240DB756A44CFA4

Function 0124B038 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0124B09E

Memory Dump Source

Source File: 0000000A.00000002.2236210399.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1240000_PZgxeUcXE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3ca2eb37c4b912397d36a618f1a4a71eb040dc1a51dea540e2417a4def1ace54
Instruction ID: 762f61c18bb2de29cb63baec958af047b7369eac8486b560df8a5c3d4a208d29
Opcode Fuzzy Hash: 3ca2eb37c4b912397d36a618f1a4a71eb040dc1a51dea540e2417a4def1ace54
Instruction Fuzzy Hash: 7211E3B6C003498FDB14CF9AC444BDEFBF4EB88314F14841AD569A7610D375A545CFA1

Function 07C67538 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07C67CD5

Memory Dump Source

Source File: 0000000A.00000002.2242727785.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c60000_PZgxeUcXE.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 858a9df3ac8e8991335ed54b431196aaad95d45c6ad13bf1b7386f69372e7ed8
Instruction ID: 72da3cc27ed0dfd348bb382e5250db072bddd74a5d4cc6c95ac52980bc8f6add
Opcode Fuzzy Hash: 858a9df3ac8e8991335ed54b431196aaad95d45c6ad13bf1b7386f69372e7ed8
Instruction Fuzzy Hash: 321106B5800349DFCB10CF9AC989BDEBBF8EB48324F108819E558A7600D375A944CFA1

Function 07C67C71 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07C67CD5

Memory Dump Source

Source File: 0000000A.00000002.2242727785.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c60000_PZgxeUcXE.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0f48af71d968e162e069bc46fcf86e36bfbf8cad49820d186950640d8b0611c4
Instruction ID: 9c392f43fa8037030055eb43af0cd4333889413c9781d4453d78c69f9170e1f1
Opcode Fuzzy Hash: 0f48af71d968e162e069bc46fcf86e36bfbf8cad49820d186950640d8b0611c4
Instruction Fuzzy Hash: 721106B5800349DFCB10CF99D985BDEBFF8EB48324F10881AE554A7610C375A544CFA1

Function 011DD1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2235446364.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11dd000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95525aa473e9c5f1dca1b3e54918c19d4b3b7a0240b73b96c72910e542355144
Instruction ID: a25e157dc887597052e2b72531d62eb71d559d4995fcf8390e0d6d714790472e
Opcode Fuzzy Hash: 95525aa473e9c5f1dca1b3e54918c19d4b3b7a0240b73b96c72910e542355144
Instruction Fuzzy Hash: C221D671504240DFDF0ADF98E9C4B27BF65FB88320F24C569E9050B286C336D416CBA2

Function 011DD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2235446364.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11dd000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667d0a771fe2491f742e962a94765d6d45f2fa856c012f71484b98421cea63d4
Instruction ID: 69976dce29c57228bc9ebfaa0bd3f5aecda7616301139ea20c58859579633481
Opcode Fuzzy Hash: 667d0a771fe2491f742e962a94765d6d45f2fa856c012f71484b98421cea63d4
Instruction Fuzzy Hash: B82148B1104200DFDF09DF98E9C0B66BF65FB88324F20C56CD9090B686C33AE406C7A2

Function 011ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2235558639.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11ed000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae947de019c0659230127ffef3c08870dbae38f33a6c5f26018b67dc7d9d7cc
Instruction ID: 57917534552fbb3929cdbb7ef2db8e30f9f102fa6f8dc8ed04a3e122b3082409
Opcode Fuzzy Hash: 1ae947de019c0659230127ffef3c08870dbae38f33a6c5f26018b67dc7d9d7cc
Instruction Fuzzy Hash: 04212571504600DFCF19DF98E988B16BFA5FB84314F28C56DD80A0B246C33BD407CA62

Function 011ED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2235558639.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11ed000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be171510977ec1416a6757345c87bcf62dbba954ce30cde9d8a8de959415a72c
Instruction ID: 82a4fcad552ab605bfad7ee7a3aa1b6ccfce15824e7ee994bdd404defe7f6e86
Opcode Fuzzy Hash: be171510977ec1416a6757345c87bcf62dbba954ce30cde9d8a8de959415a72c
Instruction Fuzzy Hash: F2210775504601DFDF0ADFD8E9C8B26BBA5FB84324F24C56DE9094B296C336D406CA62

Function 011ED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2235558639.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11ed000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e87145bbafae1019b0436db4176336d11707141dd36d8d580334fa0c2ba4626
Instruction ID: d59680bdde0e9e0f0c7611eb1c91c75b346a467d15861869674911729eade90a
Opcode Fuzzy Hash: 6e87145bbafae1019b0436db4176336d11707141dd36d8d580334fa0c2ba4626
Instruction Fuzzy Hash: D221C2355093808FCB07CF64D994715BFB1EB46214F28C1DAD8498F2A7C33A980ACB62

Function 011DD1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2235446364.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11dd000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7ddd7a086731bdfc3d36347521231777b7f6d018e947c39a7212cc8184ef59
Instruction ID: 36ffe30b8dda9b24d4667cca2b50546cb7e63bd3f1934bbc8e9a81d4d902ed0d
Opcode Fuzzy Hash: 9b7ddd7a086731bdfc3d36347521231777b7f6d018e947c39a7212cc8184ef59
Instruction Fuzzy Hash: 16219D76504240DFDF06CF54D9C4B16BF72FB84324F24C5A9DD090A69AC33AD42ACBA2

Function 011DD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2235446364.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11dd000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: f04f73c4d8db5fca505025726fc550b16f5a9065be44d590512d97da703ab4ad
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: 2E11DF76404240DFDF16CF44D5C4B56BF71FB84324F24C2A9D9090B656C33AE45ACBA2

Function 011ED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2235558639.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11ed000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: a995314aecd9b6d39c89b36b857a92ebf2d6df1e2824b30e214c14f4e852c175
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: 5D11BB79504680DFDB06CF94D6C8B15FBA1FB84324F24C6ADD8494B296C33AD40ACB62

Function 011DD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2235446364.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11dd000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d9566b776817da954356dfb994757aac94312209b469c3c30a54170c11f008
Instruction ID: c31ff5be8888c4dc139d3044eeb3cf28b798d7bfbfcf413b491393bdc60b2bab
Opcode Fuzzy Hash: 25d9566b776817da954356dfb994757aac94312209b469c3c30a54170c11f008
Instruction Fuzzy Hash: CD012B710047849AEB298F99DDC4B27BFD8DF41338F19C59AED080A2C7D3799840C6B2

Function 011DD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2235446364.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11dd000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca55508794143190c1328d4af95222529820f53ba44a9c4963fa2131be16b4f3
Instruction ID: f3efe72e49e34c498e01b09a5b388decf96c05d65031f770b25286818bf453e1
Opcode Fuzzy Hash: ca55508794143190c1328d4af95222529820f53ba44a9c4963fa2131be16b4f3
Instruction Fuzzy Hash: 89F0C272404384AAEB258E59D9C8B63FFD8EB51634F18C45AED084A28AC3799840CBB1

Analysis Process: PZgxeUcXE.exePID: 7520, Parent PID: 7256COMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	17
Total number of Limit Nodes:	4

Executed Functions

Function 06EE3040 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 06EE3722
$eq, xrefs: 06EE3763
$eq, xrefs: 06EE376F
$eq, xrefs: 06EE373F
$eq, xrefs: 06EE3716
$eq, xrefs: 06EE374B

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-220072568
Opcode ID: 25dc54bf4459d41b028c6a52caa5728fa22562698633916c7ce182086e03bbc1
Instruction ID: 70219f60bb6ddf020f90ff9fd6e5f231ef2661740f90492785941f7e31b5aba2
Opcode Fuzzy Hash: 25dc54bf4459d41b028c6a52caa5728fa22562698633916c7ce182086e03bbc1
Instruction Fuzzy Hash: F6321C30E1071ACBCB15DF79D89459DF7B2FFC9300F6096AAD409A7264EB30A985CB90

Function 06EE7D68 Relevance: 3.0, Strings: 2, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 06EE830F
$eq, xrefs: 06EE8303

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID: $eq$$eq
API String ID: 0-2246304398
Opcode ID: 33aaea5280ddb6d0bdffd3b0050b87b70fca59ff5654d05324407b6f0055f41e
Instruction ID: 0de6c2a7dc0b6117590a226070a12cbdc39c8685960c4934cccb4f11fda17cb4
Opcode Fuzzy Hash: 33aaea5280ddb6d0bdffd3b0050b87b70fca59ff5654d05324407b6f0055f41e
Instruction Fuzzy Hash: B702AE30B017068FDB54DB68E954AAEB7E2FF84314F148969D805DB395EB35EC82CB90

Function 06EE2349 Relevance: 1.0, Instructions: 1010COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa919ad0d30615251403fda6edaf29338e79daca79aab59880be9f5cd8159a1
Instruction ID: 823a212ceb0e22cad4415d79367e9865f4721b08e20e98e60b88004a4451f3aa
Opcode Fuzzy Hash: 2fa919ad0d30615251403fda6edaf29338e79daca79aab59880be9f5cd8159a1
Instruction Fuzzy Hash: EB922334E003048FDB64CF68C588A5DBBB6FF49318F5498A9D50AAB365DB35ED85CB80

Function 06EE65E0 Relevance: .8, Instructions: 812COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e076954c2a1a4b6e1a87eea042eb51a876dfc28b8d8a3f97767b66ee1195dc
Instruction ID: 64a7fcf01ab94154856a44dfd4773662b4374234d04dc6ec445954ca890c921a
Opcode Fuzzy Hash: 21e076954c2a1a4b6e1a87eea042eb51a876dfc28b8d8a3f97767b66ee1195dc
Instruction Fuzzy Hash: 50625A34F002058FDB54DB68D594AADB7F2EF88314F249469E80ADB395EB35ED81CB90

Function 06EE5588 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1347a3939598307462d39641a21092303e0b3a4825562bc123666062abf536d0
Instruction ID: 408595a44580ca3b8a530d06d838b16787ffec89f5ed9c0d6552e6eb2cd37a0c
Opcode Fuzzy Hash: 1347a3939598307462d39641a21092303e0b3a4825562bc123666062abf536d0
Instruction Fuzzy Hash: 4E22CF75F003058FDF64CBA8C5806AEBBB2EF85318F248469D416AB395DB36DC45CB91

Function 06EEB20F Relevance: .6, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 202b0866eeda835f7ab6bd093ec2c3335d3ff83ffd7b5a73274d839b052e88c8
Instruction ID: 2faccb709e556d0562578c1c1e92fa1c0db222b01d629665390ddce018805c9f
Opcode Fuzzy Hash: 202b0866eeda835f7ab6bd093ec2c3335d3ff83ffd7b5a73274d839b052e88c8
Instruction Fuzzy Hash: 0D227F70F1020A8FDFA4CB6CD684BAEB7B2EB85314F609526E405DB395DB35DC818B91

Function 06EEACB8 Relevance: 10.4, Strings: 8, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 06EEADD9
$eq, xrefs: 06EEAE90
$eq, xrefs: 06EEAE38
$eq, xrefs: 06EEAE84
$eq, xrefs: 06EEADE5
$eq, xrefs: 06EEAE2C
$eq, xrefs: 06EEAE67
$eq, xrefs: 06EEAE5B

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1110479544
Opcode ID: 1d7e1272b18eebcde63ba9ec662ec187e398c141ceb14b84808c70a83078c844
Instruction ID: 6bb0aa70bdb346e9b777721b36c13ac26a5c249a2e1b0d26d33ecd9dc3b3f0a6
Opcode Fuzzy Hash: 1d7e1272b18eebcde63ba9ec662ec187e398c141ceb14b84808c70a83078c844
Instruction Fuzzy Hash: 23E16D30F1030A8FDB65DBA8D5906AEB7B2FF85304F609529E405DB355DB349C86CB91

Function 06EEB630 Relevance: 8.0, Strings: 6, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 06EEBB97
$eq, xrefs: 06EEBBD7
$eq, xrefs: 06EEBBCB
$eq, xrefs: 06EEBB63
$eq, xrefs: 06EEBBA3
$eq, xrefs: 06EEBB6F

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-220072568
Opcode ID: 63be8afb5ad8ee656a7504ee12f26ae4ee74425c99054f7c0f0665c3e81ba88d
Instruction ID: 373e27af5beb74125de37ff3c2a5f2154f63ca603c03cc415cca0087c7ca1cb2
Opcode Fuzzy Hash: 63be8afb5ad8ee656a7504ee12f26ae4ee74425c99054f7c0f0665c3e81ba88d
Instruction Fuzzy Hash: F5027D30F1030A8FDBA4CF68D6846AEB7B2FB85314F20956AE405DB295DB35DC81CB91

Function 06EE9138 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 06EE918B
$eq, xrefs: 06EE91C6
$eq, xrefs: 06EE91BA
$eq, xrefs: 06EE917F

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: d066a51af0a17a7289d47f51fed77a7c0edb94b7557acc2a14cd7f88687baa39
Instruction ID: 3f73d4d52966f658f027a9b74285e93fea14e4057fea1c9ed987195703f5a651
Opcode Fuzzy Hash: d066a51af0a17a7289d47f51fed77a7c0edb94b7557acc2a14cd7f88687baa39
Instruction Fuzzy Hash: D8915270F0060A8FDB54DF68E9947AEB7F6EF84200F109469C509EB399EB349C818B91

Function 06EECF28 Relevance: 4.5, Strings: 3, Instructions: 798
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 06EED327
$eq, xrefs: 06EED31F
$eq, xrefs: 06EED333

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq
API String ID: 0-177832560
Opcode ID: f2cd08916204393c9042166c8a7bd2cccb2a9918fd18072cbf7e90f04aec4a20
Instruction ID: b166ab1402d9d3ba68ea4fd5e57777b9e4610f8ce0fd250ad1f177d2c35d1a81
Opcode Fuzzy Hash: f2cd08916204393c9042166c8a7bd2cccb2a9918fd18072cbf7e90f04aec4a20
Instruction Fuzzy Hash: C1626E70B007168FCB55DB68E994A5EB7F2FF85304B608A68D0059F365EB75EC86CB80

Function 06EE4B50 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPjq, xrefs: 06EE4C7D
fjq, xrefs: 06EE525D
\Ojq, xrefs: 06EE4D07

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID: fjq$XPjq$\Ojq
API String ID: 0-216941231
Opcode ID: 026ed0d010ede8ed04a41a85f5bb26a99c1d3000df94354bd29d1fb5f431ce2b
Instruction ID: fa890fd19017fba2a3b04be84ec190b1f000a710aac2bb0e7dc8742d99a0e9ab
Opcode Fuzzy Hash: 026ed0d010ede8ed04a41a85f5bb26a99c1d3000df94354bd29d1fb5f431ce2b
Instruction Fuzzy Hash: CE615F70F002199FEB549BA9C8147AEBBF6FF88340F20842AD506EB395DB758D458B91

Function 06EE9127 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 06EE91BA
$eq, xrefs: 06EE917F

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID: $eq$$eq
API String ID: 0-2246304398
Opcode ID: 5ae22ea0b6a5693ba9aa13804ea9b77fdc5700ddb8e7d7375bfd1b93dea9dcdb
Instruction ID: 32196e94086eb928625953095fc013f2bc719a67e6c5e71d7bd03a0cc933c91f
Opcode Fuzzy Hash: 5ae22ea0b6a5693ba9aa13804ea9b77fdc5700ddb8e7d7375bfd1b93dea9dcdb
Instruction Fuzzy Hash: 3A516270F006069FDB54DB78E994BAE73F6EF88200F108469D909DB399EE34AC41CB91

Function 0192EB38 Relevance: 1.7, APIs: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3356756424.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1920000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de59ba93e76da9334e548364b6fe3974e529628d995e8026c6ece6548c11665
Instruction ID: 15dc4e7fe61f599bc09be742eabe6d578aa7ebe61810cbd1f78ac68546a94ecd
Opcode Fuzzy Hash: 2de59ba93e76da9334e548364b6fe3974e529628d995e8026c6ece6548c11665
Instruction Fuzzy Hash: A5514772D043999FCB14DF7AD8446DEBFF5EF8A210F04856AD40AE7241DB389845CBA0

Function 0192EC20 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0192EC87

Memory Dump Source

Source File: 0000000F.00000002.3356756424.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1920000_PZgxeUcXE.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b2bfcaba153ad0760097b9c4b182dc6699f86408bbedf1dafacd57ffb6c6dc89
Instruction ID: 3c9f675c01b4063297dc9fa3855ae1ba938556ca000f9f0fcd7384b84cb83265
Opcode Fuzzy Hash: b2bfcaba153ad0760097b9c4b182dc6699f86408bbedf1dafacd57ffb6c6dc89
Instruction Fuzzy Hash: C311F3B1C006699BDB10CF9AC944BDEFBF8EF48320F14816AD918B7241D779A944CFA5

Function 06EE4B40 Relevance: 1.4, Strings: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPjq, xrefs: 06EE4C7D

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID: XPjq
API String ID: 0-4216394854
Opcode ID: 6ea9e26e4600acac17a082ec49206b93e838be20ea39e663d8a8cf66c3975484
Instruction ID: 84ee70f914c214b1b49ab0c28e38dc6c05c375bebcede77f76a93159a4a8f771
Opcode Fuzzy Hash: 6ea9e26e4600acac17a082ec49206b93e838be20ea39e663d8a8cf66c3975484
Instruction Fuzzy Hash: 50416070F002199FDB559FA9C814BAEBBF6FF88300F20852AD506AB395DB759C05CB91

Function 06EEDA9D Relevance: 1.4, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHeq, xrefs: 06EEDBF9

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: 42ba4a8c44827c99543242c7d6a7152fea5e9f1d6cc180c4d5f19d1082ce7098
Instruction ID: 1d904424635c2cdd1b1c8530c24f3706b93a3e1e192b815bf9e2201418940188
Opcode Fuzzy Hash: 42ba4a8c44827c99543242c7d6a7152fea5e9f1d6cc180c4d5f19d1082ce7098
Instruction Fuzzy Hash: 9A41B270E003099FDB61DF65D8446AEBBB6FF85344F245529E806DB244EB709946CB81

Function 06EE21D0 Relevance: 1.4, Strings: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHeq, xrefs: 06EE230B

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: e6d7d06e5f0aeff565dc28482308c95f512507095a7baee1accaaeda679a4689
Instruction ID: 2b27b0ea4577a5ae60544d166fb9b6405cf9fdfa995f7ec5e6384f17e2cd3736
Opcode Fuzzy Hash: e6d7d06e5f0aeff565dc28482308c95f512507095a7baee1accaaeda679a4689
Instruction Fuzzy Hash: 1631FC30B102068FDB999F78D51876E3BABEF89204F649428D502DB395EE35CD41CB94

Function 06EE82DE Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

$eq, xrefs: 06EE8303

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID: $eq
API String ID: 0-731066626
Opcode ID: 1dec63970f92e64026da3a4da146d29dde7b9e1c69760a9960051fdb0ec8cc05
Instruction ID: e04fdff608033cf3b553dc2e7886ea55d0e96fa168aa8af9e4e1b636595851b9
Opcode Fuzzy Hash: 1dec63970f92e64026da3a4da146d29dde7b9e1c69760a9960051fdb0ec8cc05
Instruction Fuzzy Hash: 76F02236F04301CFEFA88D59F9886BBB3AAEB00219F0421B2CE00C7190D334CE10CAA1

Function 06EEC170 Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0e96b879c2850ebe9f39142f630d8ebde1b456c92b9520189f2a78349ed540
Instruction ID: 1bb85e97069b8090687f96fa561cc1295ff74b08b0c4ef9f726a462b4d5766de
Opcode Fuzzy Hash: 9a0e96b879c2850ebe9f39142f630d8ebde1b456c92b9520189f2a78349ed540
Instruction Fuzzy Hash: 9532A074F002058FDB54DB68E984BAEB7F2FB88714F209529E815DB395DB34EC468B90

Function 06EE61E0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934b3220ce6c82aadbc3332c0713802b791147d921ccd4f2f1b7902df2b4258a
Instruction ID: c97a42dbe0e4c4f4d40cf6fda54673d63a6c8b3795e14f583cc9eea3e0ac9684
Opcode Fuzzy Hash: 934b3220ce6c82aadbc3332c0713802b791147d921ccd4f2f1b7902df2b4258a
Instruction Fuzzy Hash: 6961C071F005124FCF519A6ED88066FBADBAFE4210B254439D80EDB365EE69EC0287D1

Function 06EE4280 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64709ab3e3a69e3142476cdcd98b6acc95a78a6ef66349395b2ec839517613b
Instruction ID: d2d8dd638158cbdcfcbefb52cd7f89e3a3e06da05d065ea244eb7198ebe67276
Opcode Fuzzy Hash: f64709ab3e3a69e3142476cdcd98b6acc95a78a6ef66349395b2ec839517613b
Instruction Fuzzy Hash: A1814A30F006098BDB54DFA9D5547AEB7F6EF89304F108529D40AEB399EB34EC428B91

Function 06EE45A0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2977e92c518a24559ccd0b7a92af9b83d69e755228418a20d8ee29961c6c1408
Instruction ID: 8d25787cd5824eeed6f1040134924f37b1125ed278e0caf8d8d700fa937e45c5
Opcode Fuzzy Hash: 2977e92c518a24559ccd0b7a92af9b83d69e755228418a20d8ee29961c6c1408
Instruction Fuzzy Hash: 80914F74E0071A8BDB60DF68C840B9DB7B1FF89314F208595E449BB295DB70AA85CB91

Function 06EE45B8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de898370ce0831dcf95ba43134ac9e9d305b516b1a2b66215b64fd4b6a7ed35
Instruction ID: 8508d3168829d737e7446bd3053151709610dc39a15e8232f515adc0f5b2b77c
Opcode Fuzzy Hash: 1de898370ce0831dcf95ba43134ac9e9d305b516b1a2b66215b64fd4b6a7ed35
Instruction Fuzzy Hash: 59915074E0061A8BDF60DF68C880B9DB7B1FF89304F208595D549BB395DB70AA85CF90

Function 06EEEEF0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ff8409c623b04ea9dd5ddbdf48934a0eacf8ea12c5b7325e13fd5592b4c6bb
Instruction ID: 89d665c546280a332cf382c0011cfe3c769d3180d3126cb7e4893bad7689ba88
Opcode Fuzzy Hash: a1ff8409c623b04ea9dd5ddbdf48934a0eacf8ea12c5b7325e13fd5592b4c6bb
Instruction Fuzzy Hash: CB814B70A006499FDB54DFA8D980A9EBBF6FF88300F249569E409EB355DB34EC46CB50

Function 06EEEF00 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2339a412e7eb2097c088114679eb52c2cc9fd0d7d4b23ba69a7604c0cddb75a8
Instruction ID: f6bf77973e70c86fd293a06b5bbabdf13015475e8d66dc9fe51067d5ec1db9a8
Opcode Fuzzy Hash: 2339a412e7eb2097c088114679eb52c2cc9fd0d7d4b23ba69a7604c0cddb75a8
Instruction Fuzzy Hash: F5712A70B006099FDB54DBA8D980A9EBBF6FF88300F249469E409EB355EB34ED45CB50

Function 06EEFC58 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ea683cbad9a17c378b19899d99e77d65a19b4d7f1e9cee19036ad4f28103ac
Instruction ID: 43ed959a1165592854adf85b6bc490fa7a0abb8452ac8051d57946e74421b74e
Opcode Fuzzy Hash: e9ea683cbad9a17c378b19899d99e77d65a19b4d7f1e9cee19036ad4f28103ac
Instruction Fuzzy Hash: 4851E135F00209DFCB64ABB8E4447ADBBB6FB88315F208879E106DB261DB359955CB90

Function 06EEFA09 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b25c6784d952cf479b3f1e55d7ee1c83c02f2f042e768295a8cefef84d733b
Instruction ID: 4a14a9e25122156c3fec16e4aadf771b1fe3e2fca220f634d346bfd9f7b29eae
Opcode Fuzzy Hash: 63b25c6784d952cf479b3f1e55d7ee1c83c02f2f042e768295a8cefef84d733b
Instruction Fuzzy Hash: F051E974F203158FFF655A6CE89876F365AD7C9710F20452AE50AC73D9CA68CC818792

Function 06EEFA18 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231e7bd2851d59c970100fbd60d0327a613c43bee835c2281e9a64ef74c92833
Instruction ID: 07d3ab99977a362e9a738d3a6545c245497edfeb9a9508c3129a7135705b80e7
Opcode Fuzzy Hash: 231e7bd2851d59c970100fbd60d0327a613c43bee835c2281e9a64ef74c92833
Instruction Fuzzy Hash: 5951F9B4F203158BEF655A6CE89872F365AE7C9714F60453AD50EC73D9CA68CC8183A2

Function 06EE53F8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eebf7411957de602bae2cea5299af52b056fc2eab9bd31c2d268ed4565dc17de
Instruction ID: e4358444a6e2a6188f678115c57a3e92376d897209eb0861bee5b061a058d78f
Opcode Fuzzy Hash: eebf7411957de602bae2cea5299af52b056fc2eab9bd31c2d268ed4565dc17de
Instruction Fuzzy Hash: 7A416071E007099FDF70CEA9D880AAFFBB6FB84318F10492AE116D7650D331E9598B91

Function 06EED950 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8a224bd7663402801b8f4a504228078055706eafbf4cf73f5f0541487f88520
Instruction ID: 742632f32388886d7675757465d40b534e5094ae27077737133c03f68323617a
Opcode Fuzzy Hash: d8a224bd7663402801b8f4a504228078055706eafbf4cf73f5f0541487f88520
Instruction Fuzzy Hash: 7931C370E1070A8FDB65DF68D89069EBBF6FF85304F104929E405EB250EBB1A942CB80

Function 06EE2081 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d34396dfdc87bb43e605caaf5e7d99cf00fa54d82d0ad4e6658848fe8465ea
Instruction ID: 23c2f2c2ba7231f1937974cef828fafdc7d809128485beec5a497d70edbebe0c
Opcode Fuzzy Hash: e3d34396dfdc87bb43e605caaf5e7d99cf00fa54d82d0ad4e6658848fe8465ea
Instruction Fuzzy Hash: 27318F31E003059FCB59CFA8D99469EB7B6FF89300F108529EA06E7350EB71AE45CB50

Function 06EE2090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aad9e19dee26e1cdbf67532118404e1fa0c6b85ebcb5fab1842f0095db1ad62
Instruction ID: ccc42eab181e3e7467d8ad615ead2833da3f5acc4f3b6e2ddcd510914ffbcade
Opcode Fuzzy Hash: 7aad9e19dee26e1cdbf67532118404e1fa0c6b85ebcb5fab1842f0095db1ad62
Instruction Fuzzy Hash: 1E317E30E103059FCB59CFA5D99469EB7B6FF89300F108529EA06EB350EB71AE45CB50

Function 06EE3A80 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367fdb4e2ba1fcc07ac3991b4014f95dfbd0a4a55d81d4845ab10e11a4acf803
Instruction ID: 530cebc90a429e749e3376f50f36da95e74ab9e6e1b95bc3e525af93d20842c3
Opcode Fuzzy Hash: 367fdb4e2ba1fcc07ac3991b4014f95dfbd0a4a55d81d4845ab10e11a4acf803
Instruction Fuzzy Hash: 11216935F012159FDB50CF69E981AEEBBF5EB48750F108025E909EB355E734DC418BA0

Function 06EE3A90 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd483a627685e154395120180bf7fbc6ef36faab79a78c21e6eb77c915cdaad
Instruction ID: d9de3b61139b364ac1ef3c6885adcfa635b989280df492a847fc757f858fcfdf
Opcode Fuzzy Hash: 2dd483a627685e154395120180bf7fbc6ef36faab79a78c21e6eb77c915cdaad
Instruction Fuzzy Hash: 9B218975F016159FDB40CFA9E980AAEBBF1FB88750F108029E909EB395E734DD408B90

Function 015ED030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3356281008.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_15ed000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7933d7144949acf96d146cf646556842cfbd1c143bc0b409af689266d2e8ee
Instruction ID: fa7743060edb0c196039e33201b3e36ed62fd0d99eab14d743535788779551de
Opcode Fuzzy Hash: 5a7933d7144949acf96d146cf646556842cfbd1c143bc0b409af689266d2e8ee
Instruction Fuzzy Hash: 522125B5904200DFCB19DF58D988B26BFF5FB84314F28C96DD8090F286D33AD406CA61

Function 015ED006 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3356281008.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_15ed000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc3f0d0a51bdef3c19bb3a16d7065c33e16683e6182bf79d8c93ad42b7bb648b
Instruction ID: 94ebe62131718ecfb8e631d0c76c5b2ce6f038fc329cdf69eab789a50aebc822
Opcode Fuzzy Hash: fc3f0d0a51bdef3c19bb3a16d7065c33e16683e6182bf79d8c93ad42b7bb648b
Instruction Fuzzy Hash: 8221687550D3C08FCB07CF64C994715BFB1AB46214F29C1DBC8898F2A3C23A880ACB62

Function 06EE3BA0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6581d68b3f3593bcea355f0970bf2f2bc27161c74b09b727083480086bf16be5
Instruction ID: 6417bf6d899e9ae8576dc0282aa2383d38f8f9051a96bef478ed8ad25a1e302f
Opcode Fuzzy Hash: 6581d68b3f3593bcea355f0970bf2f2bc27161c74b09b727083480086bf16be5
Instruction Fuzzy Hash: 2C11A131F146254FDF949668D814AAE73AAEBC8310F014539D50AEB358EE24DC028BE4

Function 06EEF171 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f690bab9dd72561651596764fa00203f1187cd155bcff6d5f9b812b66326de9a
Instruction ID: 6e52ffd037e95b5b64e41c526f97a55187c78c78bc4874fd2fd5c6fac22af438
Opcode Fuzzy Hash: f690bab9dd72561651596764fa00203f1187cd155bcff6d5f9b812b66326de9a
Instruction Fuzzy Hash: 67012471B042100FCB61D17CE860A2F77EAEBC9714F10852EE40AC7352DA14CC0743D1

Function 06EE3859 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13db7610c0a17a915d2d337665009303841d488f0883d93c109757c0bae7afcb
Instruction ID: dd585593ea3336a371a6a20f48a129f83794fc39bb4a3d740a99e9e581babd95
Opcode Fuzzy Hash: 13db7610c0a17a915d2d337665009303841d488f0883d93c109757c0bae7afcb
Instruction Fuzzy Hash: D921C2B5D01219AFCB10CF9AD885ADEFFB8FB49310F50812AE918A7240C375A954CBA5

Function 06EE41E1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd89eeccaf270e6e628d5a8c124bad189cb04a31fa1e1bb96cd40c6c969da003
Instruction ID: bd8159f2d3ff86453a90fc51c2177ce1a30b5df7562aa0a1938d0b5dcdbe0fa8
Opcode Fuzzy Hash: bd89eeccaf270e6e628d5a8c124bad189cb04a31fa1e1bb96cd40c6c969da003
Instruction Fuzzy Hash: 9A012430B042115FDBA596BDA81472FB7DADFCA720F10842AE10ACB392D919CC4243D1

Function 06EEA2F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45fe2d45e3ca4e65b4b7a01ec1e69ee2ec22d1c66f5b8f3b8a44a5a3290920cf
Instruction ID: 7517ac9ca9471b662c54cb9905f8ac7b8f97d6e71919563ac725790b156ee0de
Opcode Fuzzy Hash: 45fe2d45e3ca4e65b4b7a01ec1e69ee2ec22d1c66f5b8f3b8a44a5a3290920cf
Instruction Fuzzy Hash: 3D01D470B046100FDBA5967CE964B6EB7E5EB8A754F10887EE00ECB395DA25DC028791

Function 06EE3B8F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a0d346d837c53683b3db2e92645ed7922a39e435df69c1e2b7898bbb2bd48b5
Instruction ID: 18e3d0b15b96a00a4bc1649810bec1e126ca19e5c74c079f09673beb56eda9d2
Opcode Fuzzy Hash: 8a0d346d837c53683b3db2e92645ed7922a39e435df69c1e2b7898bbb2bd48b5
Instruction Fuzzy Hash: BE01F132F146554BDB98DAA9A8146AF77AADBC9610F04003AD50BE7284FF24DC068BA1

Function 06EE3860 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede3d3289f9b942d8774e24722e4273bb3cee562b4017c2c2f16724980f47cf8
Instruction ID: 90a10f02ed69c6dec7dcf423f1038cd998e39dfcccc87ac97f1ffa1babc7298c
Opcode Fuzzy Hash: ede3d3289f9b942d8774e24722e4273bb3cee562b4017c2c2f16724980f47cf8
Instruction Fuzzy Hash: 6511D0B5D00219AFCB10CF9AD884ADEFFB8FB48310F50812AE918A7240C375A944CFA5

Function 06EE41F0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4297f0b2d3aaac81ce8879ebe14106218ecf4192230320498540c91550dd3572
Instruction ID: d540f0c83007b69b726a67199db4bf9a76172c1f204763090a7b66997950f656
Opcode Fuzzy Hash: 4297f0b2d3aaac81ce8879ebe14106218ecf4192230320498540c91550dd3572
Instruction Fuzzy Hash: 8401D131B002114BDBA495ADA45472BF3DAEBC9724F108439E10AC7791DD25DC420391

Function 06EEF180 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b891ae478e8b1135134c238b5522c71450c56ec43f795be64f03b2d3aceb30c
Instruction ID: 11943fb2cf02cc235c8853b171ab9f0f6b0a9ec4ed68066056ed4599059e5ea1
Opcode Fuzzy Hash: 6b891ae478e8b1135134c238b5522c71450c56ec43f795be64f03b2d3aceb30c
Instruction Fuzzy Hash: 6A01FF72B002150BCB6495BCE86072FA3DAEBC8724F20883DE10EC7341EE25DC020391

Function 06EEA300 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cd81b2e0c2a6dd8ca8c40e6880b2804acb383ee7b592caba490198545f84a1d
Instruction ID: b026bc0255fa41bdad9e8a1278d5faf61c56c8e4872ee6c69a25099d6c99715d
Opcode Fuzzy Hash: 5cd81b2e0c2a6dd8ca8c40e6880b2804acb383ee7b592caba490198545f84a1d
Instruction Fuzzy Hash: D501AF70B042100BDBA0D67CE468B2EB3DAEB89714F50983DE50EC7394DA25EC018390

Function 06EE6461 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944dc2fca53e53291beee6e281d9775bcf36178b23ef62646b0ecee8d2aa8210
Instruction ID: 261e2dbcde8123ff609efd4aa13ed583734df2caabd90c5295362ecb035e540c
Opcode Fuzzy Hash: 944dc2fca53e53291beee6e281d9775bcf36178b23ef62646b0ecee8d2aa8210
Instruction Fuzzy Hash: 99E0D871D14349ABDBE0CE70C95475E776EF711258F2058A7D405CB142E237DD028751

Non-executed Functions

Function 06EE7688 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$eq, xrefs: 06EE7C18
$eq, xrefs: 06EE7C3A
$eq, xrefs: 06EE77C8
$eq, xrefs: 06EE7B79
$eq, xrefs: 06EE7B85
$eq, xrefs: 06EE77BC
$eq, xrefs: 06EE77F9
$eq, xrefs: 06EE7C2E
$eq, xrefs: 06EE7C24
$eq, xrefs: 06EE77ED

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-2049195972
Opcode ID: 3ae8067235b1952efe793db4d9a68ebf0b18e52e9a8263cd274506349406d82c
Instruction ID: 786e841c72b265e98922ed94c472d6e512e2750da2702df5d15bb4e50befa7f8
Opcode Fuzzy Hash: 3ae8067235b1952efe793db4d9a68ebf0b18e52e9a8263cd274506349406d82c
Instruction Fuzzy Hash: 1A121B30F0121ACFDF64DF69D954A9EB7B6FF89304F209569D40AAB265DB309D81CB80

Function 06EEA920 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$eq, xrefs: 06EEAA22
$eq, xrefs: 06EEAA71
$eq, xrefs: 06EEAA16
$eq, xrefs: 06EEAAA8
$eq, xrefs: 06EEAADE
$eq, xrefs: 06EEAAD2
$eq, xrefs: 06EEAA9C
$eq, xrefs: 06EEAA7D

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1110479544
Opcode ID: 49255c2fffd64837c49acb8c81db735e1e65e436b0f9b5974693629508034ae5
Instruction ID: d9eb519a23ad696f4462e8835be7a117469ec3a514819d982500e7dd794b15a2
Opcode Fuzzy Hash: 49255c2fffd64837c49acb8c81db735e1e65e436b0f9b5974693629508034ae5
Instruction Fuzzy Hash: 80914A70A01309DFEBA4DF68E954BAEBBB2EF84304F10953DE4069B295DB749C41CB90

Function 06EE7088 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$eq, xrefs: 06EE7524
$eq, xrefs: 06EE7590
$eq, xrefs: 06EE73D0
$eq, xrefs: 06EE736A
.5}q, xrefs: 06EE70E3
$eq, xrefs: 06EE73C4
$eq, xrefs: 06EE759C

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID: .5}q$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1622854337
Opcode ID: a73d3fd8b76d5e81c8e9a213188660733854dd07ac1bcd128605c230c2df740f
Instruction ID: bd32364f294bd9f6850d51a8df7628e2477fb81c450cde5c3c67f2457d426540
Opcode Fuzzy Hash: a73d3fd8b76d5e81c8e9a213188660733854dd07ac1bcd128605c230c2df740f
Instruction Fuzzy Hash: 0BF13970B01209CFDB59DFA8D854A6EBBB2FF84304F648569D4059B399DB35EC82CB90

Function 06EE83C0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$eq, xrefs: 06EE868B
$eq, xrefs: 06EE8626
$eq, xrefs: 06EE867F
$eq, xrefs: 06EE861A

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: c5c52f54e4eb9d09217e83b74d03952b028b93207d476dbd00f97f0722edefae
Instruction ID: c21940cddf594a79fe166ec670f418031278c77bf902ef36f36118a7ad116e49
Opcode Fuzzy Hash: c5c52f54e4eb9d09217e83b74d03952b028b93207d476dbd00f97f0722edefae
Instruction Fuzzy Hash: D8B15870B11219CFDB64DBA8D854AAEB7B2FF94304F249529D40ADB395DB34DC82CB81

Function 06EE87D8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LReq, xrefs: 06EE88CB
$eq, xrefs: 06EE8863
LReq, xrefs: 06EE891A
$eq, xrefs: 06EE8857

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID: LReq$LReq$$eq$$eq
API String ID: 0-731573373
Opcode ID: a059b85a47406ddbfd73def0b636327b09ec636c6aac377bd34b5653540b211d
Instruction ID: 68cc7c29bfebf4a0eb7b004644cd2f4c3a881f88b913b2bfdf34b02121748498
Opcode Fuzzy Hash: a059b85a47406ddbfd73def0b636327b09ec636c6aac377bd34b5653540b211d
Instruction Fuzzy Hash: 0851C230B00302DFDB94DB68E954A6BB7E6FF88304F149569E406DB3A5DA31EC40CB91

Function 06EEACA8 Relevance: 5.2, Strings: 4, Instructions: 162COMMON

Download Yara Rule

Strings

$eq, xrefs: 06EEADD9
$eq, xrefs: 06EEAE84
$eq, xrefs: 06EEAE2C
$eq, xrefs: 06EEAE5B

Memory Dump Source

Source File: 0000000F.00000002.3368240467.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ee0000_PZgxeUcXE.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: 949c332e20ce5c7285d77b227fcbdb00481e3064a8de534c1030b6389bec6491
Instruction ID: 186133c6793adfb7a5f1ddb0d4cf0ca469a2c45853b153fc8758f688f5f37919
Opcode Fuzzy Hash: 949c332e20ce5c7285d77b227fcbdb00481e3064a8de534c1030b6389bec6491
Instruction Fuzzy Hash: 67518D34F113058FDBA5DA68E4806AEB7B2FB88304F24957EE8059B354DB35DC81CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OHScaqAPjt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OHScaqAPjt.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PZgxeUcXE.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2dbxhjlr.o2v.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2jm1xgbz.vdx.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_44i3bfjv.sqj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hwsm5ok3.31r.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qj5hafjw.pbx.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uc0tqcgq.kb2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ue42h2m1.sc5.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ydczs14v.u5d.ps1

C:\Users\user\AppData\Local\Temp\tmp9FAF.tmp

C:\Users\user\AppData\Local\Temp\tmpBE05.tmp

Windows Analysis Report
OHScaqAPjt.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre