Edit tour

Windows Analysis Report
980001672 PPR for 30887217.scr.exe

Overview

General Information

Sample name:	980001672 PPR for 30887217.scr.exe
Analysis ID:	1570147
MD5:	c2ed28c5339e0b3a5b676b45ad6d978b
SHA1:	6c25dc91c3e5e230645f83d49edaa5e1f909393f
SHA256:	76144b7c900168c9893aaa223a1ec8e8081cd827c99eadd3a6695efd0ad337dd
Tags:	exePaymentscruser-cocaman
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

980001672 PPR for 30887217.scr.exe (PID: 6812 cmdline: "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe" MD5: C2ED28C5339E0B3A5B676B45AD6D978B)

powershell.exe (PID: 5800 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2940 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 1916 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 3456 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp7B3.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

980001672 PPR for 30887217.scr.exe (PID: 6408 cmdline: "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe" MD5: C2ED28C5339E0B3A5B676B45AD6D978B)

PpIvKmzUbDB.exe (PID: 1628 cmdline: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe MD5: C2ED28C5339E0B3A5B676B45AD6D978B)

schtasks.exe (PID: 4200 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp1BF6.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PpIvKmzUbDB.exe (PID: 1152 cmdline: "C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe" MD5: C2ED28C5339E0B3A5B676B45AD6D978B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.2691709359.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2691709359.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.2696170324.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2696170324.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.2696170324.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2696096691.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2696096691.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2696096691.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1469392053.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1469392053.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 980001672 PPR for 30887217.scr.exe PID: 6812	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 980001672 PPR for 30887217.scr.exe PID: 6812	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 980001672 PPR for 30887217.scr.exe PID: 6812	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 980001672 PPR for 30887217.scr.exe PID: 6408	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 980001672 PPR for 30887217.scr.exe PID: 6408	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PpIvKmzUbDB.exe PID: 1628	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PpIvKmzUbDB.exe PID: 1152	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PpIvKmzUbDB.exe PID: 1152	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.980001672 PPR for 30887217.scr.exe.4124390.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.980001672 PPR for 30887217.scr.exe.4124390.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.980001672 PPR for 30887217.scr.exe.4124390.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31769:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31885:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31961:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a87:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31769:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31885:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31961:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a87:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dd17:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33569:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dd89:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6de13:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33685:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6dea5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6df0f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33761:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6df81:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e017:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33887:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e0a7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df17:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8737:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33569:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df89:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa87a9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e013:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8833:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33685:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0a5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa88c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e10f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa892f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33761:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e181:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa89a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e217:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8a37:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe", ParentImage: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe, ParentProcessId: 6812, ParentProcessName: 980001672 PPR for 30887217.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe", ProcessId: 5800, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp1BF6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp1BF6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe, ParentImage: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe, ParentProcessId: 1628, ParentProcessName: PpIvKmzUbDB.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp1BF6.tmp", ProcessId: 4200, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe, Initiated: true, ProcessId: 6408, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49710

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp7B3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp7B3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe", ParentImage: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe, ParentProcessId: 6812, ParentProcessName: 980001672 PPR for 30887217.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp7B3.tmp", ProcessId: 3456, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe", ParentImage: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe, ParentProcessId: 6812, ParentProcessName: 980001672 PPR for 30887217.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe", ProcessId: 5800, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp7B3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp7B3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe", ParentImage: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe, ParentProcessId: 6812, ParentProcessName: 980001672 PPR for 30887217.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp7B3.tmp", ProcessId: 3456, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 980001672 PPR for 30887217.scr.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://mail.iaa-airferight.com

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe

Avira: detection malicious, Label: HEUR/AGEN.1307351

Found malware configuration

Source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: 980001672 PPR for 30887217.scr.exe

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 980001672 PPR for 30887217.scr.exe

Joe Sandbox ML: detected

Source: 980001672 PPR for 30887217.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49711 version: TLS 1.2

Source: 980001672 PPR for 30887217.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	IP Address: 46.175.148.58 46.175.148.58
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: ASLAGIDKOM-NETUA ASLAGIDKOM-NETUA

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.8:49710 -> 46.175.148.58:25

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.iaa-airferight.com

Source: 980001672 PPR for 30887217.scr.exe, PpIvKmzUbDB.exe.0.dr	String found in binary or memory: http://localhost/calculator_server/requests.php
Source: 980001672 PPR for 30887217.scr.exe, 00000009.00000002.2696096691.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp, PpIvKmzUbDB.exe, 0000000E.00000002.2696170324.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.iaa-airferight.com
Source: 980001672 PPR for 30887217.scr.exe, 00000000.00000002.1468454106.0000000003117000.00000004.00000800.00020000.00000000.sdmp, 980001672 PPR for 30887217.scr.exe, 00000009.00000002.2696096691.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, PpIvKmzUbDB.exe, 0000000A.00000002.1514445576.0000000003457000.00000004.00000800.00020000.00000000.sdmp, PpIvKmzUbDB.exe, 0000000E.00000002.2696170324.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 980001672 PPR for 30887217.scr.exe, 00000000.00000002.1469392053.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, 980001672 PPR for 30887217.scr.exe, 00000009.00000002.2691709359.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: 980001672 PPR for 30887217.scr.exe, 00000000.00000002.1469392053.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, 980001672 PPR for 30887217.scr.exe, 00000009.00000002.2691709359.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 980001672 PPR for 30887217.scr.exe, 00000009.00000002.2696096691.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, PpIvKmzUbDB.exe, 0000000E.00000002.2696170324.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: 980001672 PPR for 30887217.scr.exe, 00000009.00000002.2696096691.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, PpIvKmzUbDB.exe, 0000000E.00000002.2696170324.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: 980001672 PPR for 30887217.scr.exe, 00000009.00000002.2696096691.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, PpIvKmzUbDB.exe, 0000000E.00000002.2696170324.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49711 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, abAX9N.cs	.Net Code: BFeixnEv
Source: 0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.raw.unpack, abAX9N.cs	.Net Code: BFeixnEv

Installs a global keyboard hook

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 0_2_02F23E28	0_2_02F23E28
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 0_2_02F24B01	0_2_02F24B01
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 0_2_02F26F90	0_2_02F26F90
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 0_2_02F2DFB4	0_2_02F2DFB4
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 0_2_07600E08	0_2_07600E08
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 0_2_07604720	0_2_07604720
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 0_2_07606600	0_2_07606600
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 0_2_07603EB0	0_2_07603EB0
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 0_2_07600DF9	0_2_07600DF9
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 0_2_076042E8	0_2_076042E8
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 0_2_076042D8	0_2_076042D8
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 0_2_076059C0	0_2_076059C0
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 0_2_07F408A4	0_2_07F408A4
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 0_2_07F42518	0_2_07F42518
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 9_2_01124A98	9_2_01124A98
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 9_2_01123E80	9_2_01123E80
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 9_2_011241C8	9_2_011241C8
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 9_2_0112F8A5	9_2_0112F8A5
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 9_2_069B45A0	9_2_069B45A0
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 9_2_069B5D30	9_2_069B5D30
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 9_2_069B3578	9_2_069B3578
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 9_2_069BE0B9	9_2_069BE0B9
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 9_2_069B1030	9_2_069B1030
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 9_2_069B91E2	9_2_069B91E2
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 9_2_069BA140	9_2_069BA140
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 9_2_069B5650	9_2_069B5650
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 9_2_069B3C8F	9_2_069B3C8F
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 9_2_069BC358	9_2_069BC358
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_01963E28	10_2_01963E28
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_01966F90	10_2_01966F90
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_0196DFB4	10_2_0196DFB4
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_057D1164	10_2_057D1164
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_057D1158	10_2_057D1158
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_057D0040	10_2_057D0040
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_057D0007	10_2_057D0007
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_057D1FF6	10_2_057D1FF6
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_07810E08	10_2_07810E08
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_07814720	10_2_07814720
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_07816600	10_2_07816600
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_07813E50	10_2_07813E50
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_07810DF9	10_2_07810DF9
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_078142D8	10_2_078142D8
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_078142E8	10_2_078142E8
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_078159C0	10_2_078159C0
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_07C608A4	10_2_07C608A4
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_07C6B8E9	10_2_07C6B8E9
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_07C62518	10_2_07C62518
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_07C6F108	10_2_07C6F108
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 14_2_010BA957	14_2_010BA957
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 14_2_010B4A98	14_2_010B4A98
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 14_2_010BDD5F	14_2_010BDD5F
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 14_2_010B3E80	14_2_010B3E80
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 14_2_010B41C8	14_2_010B41C8
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 14_2_068F45A0	14_2_068F45A0
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 14_2_068F5D30	14_2_068F5D30
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 14_2_068F3578	14_2_068F3578
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 14_2_068FE0B9	14_2_068FE0B9
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 14_2_068F1030	14_2_068F1030
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 14_2_068F91EB	14_2_068F91EB
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 14_2_068FA140	14_2_068FA140
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 14_2_068F5650	14_2_068F5650
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 14_2_068F3C8F	14_2_068F3C8F
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 14_2_068FC358	14_2_068FC358

Source: 980001672 PPR for 30887217.scr.exe, 00000000.00000002.1468454106.000000000312C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs 980001672 PPR for 30887217.scr.exe
Source: 980001672 PPR for 30887217.scr.exe, 00000000.00000002.1472918685.000000000622A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 980001672 PPR for 30887217.scr.exe
Source: 980001672 PPR for 30887217.scr.exe, 00000000.00000000.1439562509.0000000000CFA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameYLCxD.exe" vs 980001672 PPR for 30887217.scr.exe
Source: 980001672 PPR for 30887217.scr.exe, 00000000.00000002.1469392053.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs 980001672 PPR for 30887217.scr.exe
Source: 980001672 PPR for 30887217.scr.exe, 00000000.00000002.1469392053.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 980001672 PPR for 30887217.scr.exe
Source: 980001672 PPR for 30887217.scr.exe, 00000000.00000002.1468454106.0000000003117000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs 980001672 PPR for 30887217.scr.exe
Source: 980001672 PPR for 30887217.scr.exe, 00000000.00000002.1472566116.0000000005A80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs 980001672 PPR for 30887217.scr.exe
Source: 980001672 PPR for 30887217.scr.exe, 00000000.00000002.1474643730.0000000007550000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 980001672 PPR for 30887217.scr.exe
Source: 980001672 PPR for 30887217.scr.exe, 00000000.00000002.1462878341.00000000012BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 980001672 PPR for 30887217.scr.exe
Source: 980001672 PPR for 30887217.scr.exe, 00000009.00000002.2691965313.0000000000BD8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 980001672 PPR for 30887217.scr.exe
Source: 980001672 PPR for 30887217.scr.exe, 00000009.00000002.2691709359.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs 980001672 PPR for 30887217.scr.exe
Source: 980001672 PPR for 30887217.scr.exe	Binary or memory string: OriginalFilenameYLCxD.exe" vs 980001672 PPR for 30887217.scr.exe

Source: 980001672 PPR for 30887217.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 980001672 PPR for 30887217.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PpIvKmzUbDB.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, RsYAkkzVoy.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, Kqqzixk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, xROdzGigX.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, ywes.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, iPVW0zV.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, 1Pi9sgbHwoV.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, YUgDfWK2g4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, YUgDfWK2g4.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, pJq8U2aptIKF5n7Q2L.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, ywfhRrvSAdRJx7tAsQ.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, ywfhRrvSAdRJx7tAsQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, ywfhRrvSAdRJx7tAsQ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, ywfhRrvSAdRJx7tAsQ.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, ywfhRrvSAdRJx7tAsQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, ywfhRrvSAdRJx7tAsQ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, pJq8U2aptIKF5n7Q2L.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@2/2

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe

File created: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1384:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5524:120:WilError_03

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7B3.tmp

Jump to behavior

Source: 980001672 PPR for 30887217.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 980001672 PPR for 30887217.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 980001672 PPR for 30887217.scr.exe

ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe

File read: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe"
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp7B3.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process created: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp1BF6.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process created: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe "C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe"
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe"	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp7B3.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process created: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp1BF6.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process created: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe "C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe"	Jump to behavior

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Section loaded: edputil.dll

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 980001672 PPR for 30887217.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 980001672 PPR for 30887217.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, ywfhRrvSAdRJx7tAsQ.cs	.Net Code: SyDKmsInLltoTGlhWOK System.Reflection.Assembly.Load(byte[])
Source: 0.2.980001672 PPR for 30887217.scr.exe.5a80000.3.raw.unpack, L2.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, ywfhRrvSAdRJx7tAsQ.cs	.Net Code: SyDKmsInLltoTGlhWOK System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 0_2_02F25E00 push eax; iretd	0_2_02F25E09
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 0_2_0760BEF0 push cs; iretd	0_2_0760BF0F
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 0_2_0760B8EB push esp; retf	0_2_0760B8F1
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 9_2_01127A1D pushfd ; iretd	9_2_01127A22
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 9_2_01120C55 push ebx; retf	9_2_01120C52
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Code function: 9_2_01120C6D push edi; retf	9_2_01120C7A
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_01965E00 push eax; iretd	10_2_01965E09
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 10_2_0781AE28 push esp; retn 077Fh	10_2_0781AE69
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 14_2_010B7A1D pushfd ; iretd	14_2_010B7A22
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Code function: 14_2_010B0C6D push edi; retf	14_2_010B0C7A

Source: 980001672 PPR for 30887217.scr.exe	Static PE information: section name: .text entropy: 7.785707287399863
Source: PpIvKmzUbDB.exe.0.dr	Static PE information: section name: .text entropy: 7.785707287399863

Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, VP8x08lpCg2R8DNxmHL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IGnPNyMuJg', 'kL8P80WAb6', 'HCbPQ4Pcec', 'y6VPk16o6N', 'LK8P7bpjUC', 'AbtP5ImCs3', 'klIPwhwVu0'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, eEhlJn5y6fubQUEjdE.cs	High entropy of concatenated method names: 'ToString', 'Dl7YNGwd0n', 'GYPYSU2xPv', 'obSY1iGrYr', 'YlOYbZSjxC', 'F12YGvRgmo', 'L6qYWJciX2', 'FZaYOYEpa9', 'LjBYxJbpB5', 'hxZYTA2Uk8'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, BCMnjV6Colu9Vcjs5U.cs	High entropy of concatenated method names: 'm6oVZo0Lg4', 'HA2VoyACdl', 'QxrVMD4jvF', 'KxVVJLDBhS', 'xgTVvHN97B', 'kYiMdxRqit', 'aZ0Mi2mCee', 'U4fMhSt7SF', 'k5QMyGT8tc', 'CHMMHE5ZmP'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, wNw74bHXs0maqBd5t4.cs	High entropy of concatenated method names: 'BPIC6yW2ZL', 'hu4CSw3Um4', 'DICC1GcHWM', 'UnpCb2Rorp', 'UDRCGlQHh4', 'JL9CWkiG8h', 'FYECORJHk1', 'xHSCxniwam', 'vhjCTtrY8R', 'VIyCt0MtA2'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, r1Vi2dzTOs0VDm4yt0.cs	High entropy of concatenated method names: 'jFaPeaQ0iP', 'oELPa3I9XF', 'JkkPXa6OSd', 'Yh8P6HyUMa', 'c7CPSQwQOo', 'WIqPbVI5p6', 'u8QPGk0Y0H', 'EJxPLrZkU7', 'nXcPukntR8', 'EsDP2hwRIe'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, TCGTi0T7OchMG58grO.cs	High entropy of concatenated method names: 'QCqJu8sKiK', 'VbsJ2VF9ug', 'HL6Jg4KIRY', 'dlrJnlTUHs', 'nJvJIONasy', 'z9GJenwLri', 'fRbJU7fr6O', 'GdMJatIWVr', 'fX9JXLtQRE', 'Fc1Jsici1b'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, MIHqUPQNct9tw9NClb.cs	High entropy of concatenated method names: 'frHqaF2mpH', 'J9wqXHXVmb', 'pcnq6RcCa2', 'y3lqSC886T', 'yNSqbbiEkj', 'QvYqGdOoeK', 'znTqObonrB', 'KVRqxOLsWN', 'SchqtfrB8k', 'WhoqN7T8wV'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, C5ZPVHljiZfSWPcFgFZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'grDBC40AAM', 'X13BPp43eW', 'eqZBADpRxG', 'rT2BBdAVPE', 'n59B0Fu9jc', 'wJPBrbCEX6', 'dCQBLInpgw'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, mZcOda9wIsyTZWihIU.cs	High entropy of concatenated method names: 'jFugg0tj5', 'iglnR8ySU', 'MNdefrspv', 'usrU94EWd', 'cQiXjZC6E', 'pPRsHkty0', 'VeMUpx50jYmP2aPrTt', 'XDqSgVD8uFVv4FbX6R', 'Htb3DFGmG', 'XWoPvqD0i'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, pJq8U2aptIKF5n7Q2L.cs	High entropy of concatenated method names: 'hGvokKbEle', 'kfeo7Ai5Au', 'S2Do5p68Uk', 'iBvowZQr79', 'li0odYoedk', 'JnLoidkBW2', 'vROohkSBBv', 'Q8foyKQjN1', 'LXMoHxQNhd', 'gnyoDaZ20F'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, vj7DrWsWsS5rGgZ0JI.cs	High entropy of concatenated method names: 'VXDMIL2gNa', 'EqdMU1JrGD', 'q7sK1mtp6b', 'LOfKb3utDy', 'YkTKGWsOtO', 'EHYKWsvpys', 'CJ2KODwWgK', 'YXPKxcVTop', 'G8mKTxD9Ab', 'bNRKtiLZZN'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, WP3Ov4h3g519DdkKHV.cs	High entropy of concatenated method names: 'm1CCm8rSb7', 'nhbCfy52FS', 'O3RCCZrYCE', 'u55CALguxr', 'cZ4C0DfyQA', 'PZwCLOBT8B', 'Dispose', 'j4Q3RAouXF', 'KpL3o6Se4S', 'PRG3K7KIsH'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, xeb2GJXQ5OwCmEvcd6.cs	High entropy of concatenated method names: 'TwvKnJbcTp', 'Y47KelIYVI', 'a2WKaBm4E6', 'XeqKXstsnZ', 'AyaKmuOCpn', 'lFgKYfcjuf', 'OCYKf9ZHyB', 'AZZK3SZ3B7', 't12KCouWfD', 'MVEKPEE5FB'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, cRxpNEDGLmiGYqsh9h.cs	High entropy of concatenated method names: 'LLZPKriiAS', 'uBvPMb4tgS', 'Tg9PVt86iW', 'G20PJEdEBd', 'J2GPCZq6mI', 'I1RPvSGI1q', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, si1CgDjQ3mdO1bqhqY.cs	High entropy of concatenated method names: 'jaYlJJq8U2', 'atIlvKF5n7', 'jQ5l4OwCmE', 'kcdlF60j7D', 'zZ0lmJIeCM', 'AjVlYColu9', 'ljBTlta3ERFoQjhY4h', 'rkUZIiiZSa1pAl0AV7', 'h64llouIGE', 'wH5lEO4Uvw'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, f8Yx2VwLIG2QjqKdIi.cs	High entropy of concatenated method names: 'I92f422O1D', 'eWEfFDnX5r', 'ToString', 'UZGfRdfGh2', 'QdyfoogtWp', 'UMFfKXsegZ', 'xF3fMjxnKp', 'awGfVFbQTV', 'KyVfJjpkeD', 'gBxfvJCaB9'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, tfvD9GONI24i9FRncK.cs	High entropy of concatenated method names: 'a8hJRSSMsV', 'w04JKXmnvL', 'RoYJVdiVr9', 'iRmVD6KtUA', 'MqLVzyxEjI', 'GhJJpFlMRl', 'k9yJlLVDj5', 'OkoJ9QEZIh', 'uP6JEKZJkj', 'IfkJjx3VUX'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, uI9OvFoqN2m38omLrC.cs	High entropy of concatenated method names: 'Dispose', 'S19lHDdkKH', 'lxD9SA4tWB', 'iMteit5CPs', 'jGYlDYuyvD', 'MW3lzpgu0M', 'ProcessDialogKey', 'Gir9pNw74b', 'Es09lmaqBd', 'St4999RxpN'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, UDaVkAKybY9Thfag8n.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Fq09H7DraP', 'vrJ9DLdwAp', 'xhI9z2An4b', 'zR6EpBjpgW', 'thFElTD9RR', 'TNwE95KLtI', 'GZ3EESgnH8', 'v54T1QcIuZGDQqWxGV'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, y4pS0DllhVP7FOyj4U5.cs	High entropy of concatenated method names: 'yqePDPJS9k', 'rVyPzwLx2i', 'efRApOFMOd', 'BXlAlcf189', 'dopA9S5Vw6', 'bETAEtA3Km', 'w89AjZbCF5', 'tCVAZSfKbQ', 'D3oARvOvhs', 'DebAoMe4yU'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, ywfhRrvSAdRJx7tAsQ.cs	High entropy of concatenated method names: 'C53EZeNkOe', 'jofERKY7yh', 'nSREoMhc7A', 'QwSEKavR4a', 'qIWEMQXQjI', 'CCSEVJA0ak', 'wwZEJMreui', 'f7jEvjMefm', 'dSiEcVyBNw', 'GLvE4pFxs2'
Source: 0.2.980001672 PPR for 30887217.scr.exe.7550000.4.raw.unpack, XPJ3mviHc9Hvk95Ym2.cs	High entropy of concatenated method names: 't8TfylEVvx', 'v9wfDEquPW', 'yOI3pOdLBD', 'pBS3lQyR5T', 'tS5fNB9GwP', 'XSaf83xAMN', 'IH1fQYQ4RY', 'p7TfkhRATr', 'rfIf7WwGXg', 'JFMf5SQGqj'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, VP8x08lpCg2R8DNxmHL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IGnPNyMuJg', 'kL8P80WAb6', 'HCbPQ4Pcec', 'y6VPk16o6N', 'LK8P7bpjUC', 'AbtP5ImCs3', 'klIPwhwVu0'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, eEhlJn5y6fubQUEjdE.cs	High entropy of concatenated method names: 'ToString', 'Dl7YNGwd0n', 'GYPYSU2xPv', 'obSY1iGrYr', 'YlOYbZSjxC', 'F12YGvRgmo', 'L6qYWJciX2', 'FZaYOYEpa9', 'LjBYxJbpB5', 'hxZYTA2Uk8'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, BCMnjV6Colu9Vcjs5U.cs	High entropy of concatenated method names: 'm6oVZo0Lg4', 'HA2VoyACdl', 'QxrVMD4jvF', 'KxVVJLDBhS', 'xgTVvHN97B', 'kYiMdxRqit', 'aZ0Mi2mCee', 'U4fMhSt7SF', 'k5QMyGT8tc', 'CHMMHE5ZmP'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, wNw74bHXs0maqBd5t4.cs	High entropy of concatenated method names: 'BPIC6yW2ZL', 'hu4CSw3Um4', 'DICC1GcHWM', 'UnpCb2Rorp', 'UDRCGlQHh4', 'JL9CWkiG8h', 'FYECORJHk1', 'xHSCxniwam', 'vhjCTtrY8R', 'VIyCt0MtA2'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, r1Vi2dzTOs0VDm4yt0.cs	High entropy of concatenated method names: 'jFaPeaQ0iP', 'oELPa3I9XF', 'JkkPXa6OSd', 'Yh8P6HyUMa', 'c7CPSQwQOo', 'WIqPbVI5p6', 'u8QPGk0Y0H', 'EJxPLrZkU7', 'nXcPukntR8', 'EsDP2hwRIe'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, TCGTi0T7OchMG58grO.cs	High entropy of concatenated method names: 'QCqJu8sKiK', 'VbsJ2VF9ug', 'HL6Jg4KIRY', 'dlrJnlTUHs', 'nJvJIONasy', 'z9GJenwLri', 'fRbJU7fr6O', 'GdMJatIWVr', 'fX9JXLtQRE', 'Fc1Jsici1b'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, MIHqUPQNct9tw9NClb.cs	High entropy of concatenated method names: 'frHqaF2mpH', 'J9wqXHXVmb', 'pcnq6RcCa2', 'y3lqSC886T', 'yNSqbbiEkj', 'QvYqGdOoeK', 'znTqObonrB', 'KVRqxOLsWN', 'SchqtfrB8k', 'WhoqN7T8wV'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, C5ZPVHljiZfSWPcFgFZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'grDBC40AAM', 'X13BPp43eW', 'eqZBADpRxG', 'rT2BBdAVPE', 'n59B0Fu9jc', 'wJPBrbCEX6', 'dCQBLInpgw'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, mZcOda9wIsyTZWihIU.cs	High entropy of concatenated method names: 'jFugg0tj5', 'iglnR8ySU', 'MNdefrspv', 'usrU94EWd', 'cQiXjZC6E', 'pPRsHkty0', 'VeMUpx50jYmP2aPrTt', 'XDqSgVD8uFVv4FbX6R', 'Htb3DFGmG', 'XWoPvqD0i'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, pJq8U2aptIKF5n7Q2L.cs	High entropy of concatenated method names: 'hGvokKbEle', 'kfeo7Ai5Au', 'S2Do5p68Uk', 'iBvowZQr79', 'li0odYoedk', 'JnLoidkBW2', 'vROohkSBBv', 'Q8foyKQjN1', 'LXMoHxQNhd', 'gnyoDaZ20F'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, vj7DrWsWsS5rGgZ0JI.cs	High entropy of concatenated method names: 'VXDMIL2gNa', 'EqdMU1JrGD', 'q7sK1mtp6b', 'LOfKb3utDy', 'YkTKGWsOtO', 'EHYKWsvpys', 'CJ2KODwWgK', 'YXPKxcVTop', 'G8mKTxD9Ab', 'bNRKtiLZZN'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, WP3Ov4h3g519DdkKHV.cs	High entropy of concatenated method names: 'm1CCm8rSb7', 'nhbCfy52FS', 'O3RCCZrYCE', 'u55CALguxr', 'cZ4C0DfyQA', 'PZwCLOBT8B', 'Dispose', 'j4Q3RAouXF', 'KpL3o6Se4S', 'PRG3K7KIsH'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, xeb2GJXQ5OwCmEvcd6.cs	High entropy of concatenated method names: 'TwvKnJbcTp', 'Y47KelIYVI', 'a2WKaBm4E6', 'XeqKXstsnZ', 'AyaKmuOCpn', 'lFgKYfcjuf', 'OCYKf9ZHyB', 'AZZK3SZ3B7', 't12KCouWfD', 'MVEKPEE5FB'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, cRxpNEDGLmiGYqsh9h.cs	High entropy of concatenated method names: 'LLZPKriiAS', 'uBvPMb4tgS', 'Tg9PVt86iW', 'G20PJEdEBd', 'J2GPCZq6mI', 'I1RPvSGI1q', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, si1CgDjQ3mdO1bqhqY.cs	High entropy of concatenated method names: 'jaYlJJq8U2', 'atIlvKF5n7', 'jQ5l4OwCmE', 'kcdlF60j7D', 'zZ0lmJIeCM', 'AjVlYColu9', 'ljBTlta3ERFoQjhY4h', 'rkUZIiiZSa1pAl0AV7', 'h64llouIGE', 'wH5lEO4Uvw'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, f8Yx2VwLIG2QjqKdIi.cs	High entropy of concatenated method names: 'I92f422O1D', 'eWEfFDnX5r', 'ToString', 'UZGfRdfGh2', 'QdyfoogtWp', 'UMFfKXsegZ', 'xF3fMjxnKp', 'awGfVFbQTV', 'KyVfJjpkeD', 'gBxfvJCaB9'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, tfvD9GONI24i9FRncK.cs	High entropy of concatenated method names: 'a8hJRSSMsV', 'w04JKXmnvL', 'RoYJVdiVr9', 'iRmVD6KtUA', 'MqLVzyxEjI', 'GhJJpFlMRl', 'k9yJlLVDj5', 'OkoJ9QEZIh', 'uP6JEKZJkj', 'IfkJjx3VUX'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, uI9OvFoqN2m38omLrC.cs	High entropy of concatenated method names: 'Dispose', 'S19lHDdkKH', 'lxD9SA4tWB', 'iMteit5CPs', 'jGYlDYuyvD', 'MW3lzpgu0M', 'ProcessDialogKey', 'Gir9pNw74b', 'Es09lmaqBd', 'St4999RxpN'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, UDaVkAKybY9Thfag8n.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Fq09H7DraP', 'vrJ9DLdwAp', 'xhI9z2An4b', 'zR6EpBjpgW', 'thFElTD9RR', 'TNwE95KLtI', 'GZ3EESgnH8', 'v54T1QcIuZGDQqWxGV'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, y4pS0DllhVP7FOyj4U5.cs	High entropy of concatenated method names: 'yqePDPJS9k', 'rVyPzwLx2i', 'efRApOFMOd', 'BXlAlcf189', 'dopA9S5Vw6', 'bETAEtA3Km', 'w89AjZbCF5', 'tCVAZSfKbQ', 'D3oARvOvhs', 'DebAoMe4yU'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, ywfhRrvSAdRJx7tAsQ.cs	High entropy of concatenated method names: 'C53EZeNkOe', 'jofERKY7yh', 'nSREoMhc7A', 'QwSEKavR4a', 'qIWEMQXQjI', 'CCSEVJA0ak', 'wwZEJMreui', 'f7jEvjMefm', 'dSiEcVyBNw', 'GLvE4pFxs2'
Source: 0.2.980001672 PPR for 30887217.scr.exe.4333718.2.raw.unpack, XPJ3mviHc9Hvk95Ym2.cs	High entropy of concatenated method names: 't8TfylEVvx', 'v9wfDEquPW', 'yOI3pOdLBD', 'pBS3lQyR5T', 'tS5fNB9GwP', 'XSaf83xAMN', 'IH1fQYQ4RY', 'p7TfkhRATr', 'rfIf7WwGXg', 'JFMf5SQGqj'

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe

File created: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp7B3.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 980001672 PPR for 30887217.scr.exe PID: 6812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PpIvKmzUbDB.exe PID: 1628, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Memory allocated: 30E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Memory allocated: 8000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Memory allocated: 7750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Memory allocated: 9000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Memory allocated: A000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Memory allocated: 1120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Memory allocated: 2DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Memory allocated: 2AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Memory allocated: 18C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Memory allocated: 3420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Memory allocated: 18C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Memory allocated: 7D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Memory allocated: 7960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Memory allocated: 8D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Memory allocated: 9D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Memory allocated: 10B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Memory allocated: 2F30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Memory allocated: 1730000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3703	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 362	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4567	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Window / User API: threadDelayed 3756	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Window / User API: threadDelayed 6090	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Window / User API: threadDelayed 5824
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Window / User API: threadDelayed 4028

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1936	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4136	Thread sleep count: 3703 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5080	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3832	Thread sleep count: 362 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4640	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3276	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6876	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 6108	Thread sleep count: 3756 > 30	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 6108	Thread sleep count: 6090 > 30	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -99749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -99530s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -99421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -99093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -98870s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -98765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -98651s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -98546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -98437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -98218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -98109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -98000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -97890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -97781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -97672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -97547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -97437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -97328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -97219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -97094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -96978s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -96874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -96765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -96644s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -96516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -96363s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -96241s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -96078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -95921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -95812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -95703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -95591s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -95484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -95375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -95265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -95156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -95047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -94937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -94828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -94718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -94609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -94500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -94390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -94281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe TID: 1824	Thread sleep time: -94172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 4080	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 1384	Thread sleep count: 5824 > 30
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 1384	Thread sleep count: 4028 > 30
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -99777s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -99545s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -99421s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -99093s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -98874s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -98765s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -98639s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -98524s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -98419s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -98229s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -98076s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -97850s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -97727s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -97624s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -97514s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -97405s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -97281s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -97171s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -97062s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -96952s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -96828s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -96718s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -96605s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -96484s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -96374s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -96265s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -96140s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -96031s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -95921s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -95812s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -95702s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -95578s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -95467s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -95285s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -95139s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -95030s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -94919s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -94793s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -94680s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -94578s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -94447s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -94343s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -94234s >= -30000s
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe TID: 3340	Thread sleep time: -94125s >= -30000s

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 99749	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 99530	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 99421	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 99093	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 98870	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 98765	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 98651	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 98546	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 98437	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 98218	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 98000	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 97672	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 97437	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 97328	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 97219	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 97094	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 96978	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 96874	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 96765	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 96644	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 96516	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 96363	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 96241	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 96078	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 95921	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 95812	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 95703	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 95591	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 95484	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 95375	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 95265	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 95156	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 95047	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 94937	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 94828	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 94718	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 94609	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 94500	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 94390	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 94281	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Thread delayed: delay time: 94172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 99777
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 99545
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 99421
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 99312
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 99203
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 99093
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 98984
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 98874
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 98765
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 98639
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 98524
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 98419
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 98229
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 98076
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 97850
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 97727
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 97624
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 97514
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 97405
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 97281
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 97171
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 97062
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 96952
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 96828
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 96718
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 96605
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 96484
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 96374
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 96265
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 96140
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 96031
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 95921
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 95812
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 95702
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 95578
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 95467
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 95285
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 95139
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 95030
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 94919
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 94793
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 94680
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 94578
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 94447
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 94343
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 94234
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Thread delayed: delay time: 94125

Source: 980001672 PPR for 30887217.scr.exe, 00000009.00000002.2692143565.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp, PpIvKmzUbDB.exe, 0000000E.00000002.2692533920.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe"
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe"
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Memory written: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Memory written: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe"	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp7B3.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Process created: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp1BF6.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Process created: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe "C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe"	Jump to behavior

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Queries volume information: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Queries volume information: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Queries volume information: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Queries volume information: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2691709359.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2696170324.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2696170324.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2696096691.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2696096691.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1469392053.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 980001672 PPR for 30887217.scr.exe PID: 6812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 980001672 PPR for 30887217.scr.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PpIvKmzUbDB.exe PID: 1152, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2691709359.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2696170324.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2696096691.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1469392053.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 980001672 PPR for 30887217.scr.exe PID: 6812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 980001672 PPR for 30887217.scr.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PpIvKmzUbDB.exe PID: 1152, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.980001672 PPR for 30887217.scr.exe.4124390.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.980001672 PPR for 30887217.scr.exe.40e9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2691709359.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2696170324.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2696170324.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2696096691.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2696096691.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1469392053.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 980001672 PPR for 30887217.scr.exe PID: 6812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 980001672 PPR for 30887217.scr.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PpIvKmzUbDB.exe PID: 1152, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	2 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	21 Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
980001672 PPR for 30887217.scr.exe	26%	ReversingLabs
980001672 PPR for 30887217.scr.exe	100%	Avira	HEUR/AGEN.1307351
980001672 PPR for 30887217.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	100%	Avira	HEUR/AGEN.1307351
C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe	26%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://mail.iaa-airferight.com	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.iaa-airferight.com	46.175.148.58	true	true		unknown
api.ipify.org	172.67.74.152	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	980001672 PPR for 30887217.scr.exe, 00000000.00000002.1469392053.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, 980001672 PPR for 30887217.scr.exe, 00000009.00000002.2691709359.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 980001672 PPR for 30887217.scr.exe, 00000009.00000002.2696096691.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, PpIvKmzUbDB.exe, 0000000E.00000002.2696170324.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	980001672 PPR for 30887217.scr.exe, 00000000.00000002.1469392053.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, 980001672 PPR for 30887217.scr.exe, 00000009.00000002.2691709359.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	980001672 PPR for 30887217.scr.exe, 00000009.00000002.2696096691.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, PpIvKmzUbDB.exe, 0000000E.00000002.2696170324.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	980001672 PPR for 30887217.scr.exe, 00000000.00000002.1468454106.0000000003117000.00000004.00000800.00020000.00000000.sdmp, 980001672 PPR for 30887217.scr.exe, 00000009.00000002.2696096691.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, PpIvKmzUbDB.exe, 0000000A.00000002.1514445576.0000000003457000.00000004.00000800.00020000.00000000.sdmp, PpIvKmzUbDB.exe, 0000000E.00000002.2696170324.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	false		high
http://localhost/calculator_server/requests.php	980001672 PPR for 30887217.scr.exe, PpIvKmzUbDB.exe.0.dr	false		high
http://mail.iaa-airferight.com	980001672 PPR for 30887217.scr.exe, 00000009.00000002.2696096691.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp, PpIvKmzUbDB.exe, 0000000E.00000002.2696170324.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.175.148.58	mail.iaa-airferight.com	Ukraine		56394	ASLAGIDKOM-NETUA	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1570147
Start date and time:	2024-12-06 15:44:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	980001672 PPR for 30887217.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 170 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 980001672 PPR for 30887217.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
09:45:07	API Interceptor	1643728x Sleep call for process: 980001672 PPR for 30887217.scr.exe modified
09:45:09	API Interceptor	41x Sleep call for process: powershell.exe modified
09:45:13	API Interceptor	798208x Sleep call for process: PpIvKmzUbDB.exe modified
15:45:09	Task Scheduler	Run new task: PpIvKmzUbDB path: C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
46.175.148.58	lC7L7oBBMC.exe	Get hash	malicious	AgentTesla	Browse
	OHScaqAPjt.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	RFQ ENQ186 OI REQUIRE RATE.exe	Get hash	malicious	AgentTesla	Browse
	v58HgfB8Af.exe	Get hash	malicious	AgentTesla	Browse
	l6F8Xgr0Ov.exe	Get hash	malicious	AgentTesla	Browse
	SPlVyHiGOz.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	2bOizaPPDC.exe	Get hash	malicious	AgentTesla	Browse
	McEdhqMMhs.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	55qIbHIAZi.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	tEEa6j67ss.exe	Get hash	malicious	AgentTesla	Browse
172.67.74.152	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Simple2.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	systemConfigChecker.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	systemConfigChecker.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	api.ipify.org/
	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.iaa-airferight.com	lC7L7oBBMC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	OHScaqAPjt.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	46.175.148.58
	RFQ ENQ186 OI REQUIRE RATE.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	v58HgfB8Af.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	l6F8Xgr0Ov.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SPlVyHiGOz.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	2bOizaPPDC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	McEdhqMMhs.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	55qIbHIAZi.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	tEEa6j67ss.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
api.ipify.org	y1rS62yprs.exe	Get hash	malicious	Babadeda	Browse	104.26.13.205
	apilibx64.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	xKvkNk9SXR.exe	Get hash	malicious	TrojanRansom	Browse	104.26.12.205
	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	104.26.13.205
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	104.26.13.205
	GD8c7ARn8q.exe	Get hash	malicious	TrojanRansom	Browse	104.26.12.205
	8AbMCL2dxM.exe	Get hash	malicious	RCRU64, TrojanRansom	Browse	104.26.12.205
	Simple1.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	Simple1.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	Simple2.exe	Get hash	malicious	Unknown	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASLAGIDKOM-NETUA	lC7L7oBBMC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	OHScaqAPjt.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	46.175.148.58
	RFQ ENQ186 OI REQUIRE RATE.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	v58HgfB8Af.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	l6F8Xgr0Ov.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SPlVyHiGOz.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	2bOizaPPDC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	McEdhqMMhs.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	55qIbHIAZi.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	tEEa6j67ss.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
CLOUDFLARENETUS	https://drive.usercontent.google.com/u/0/uc?id=1-lzlsIQVVFZj1nVUNs7vmgIfcVZr8ZT3&export=download	Get hash	malicious	Unknown	Browse	104.22.20.144
	qe4efGS22G.exe	Get hash	malicious	Unknown	Browse	104.18.21.66
	ALFq7XP17d.lnk	Get hash	malicious	Unknown	Browse	172.67.201.111
	JSWunwO4rS.lnk	Get hash	malicious	LummaC Stealer	Browse	172.67.219.101
	IErMYVWrv9.exe	Get hash	malicious	Python Stealer, Luna Grabber, Luna Logger	Browse	162.159.135.232
	7p5nITtglJ.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	kjshdkfgjsdg.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	https://wdurl.ru/4mA#yml4dckta8ps5sz	Get hash	malicious	Unknown	Browse	104.21.74.88
	jew.x86.elf	Get hash	malicious	Unknown	Browse	1.4.26.77
	jew.mpsl.elf	Get hash	malicious	Unknown	Browse	104.23.193.103

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	lg1wwLsmCX.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	y1rS62yprs.exe	Get hash	malicious	Babadeda	Browse	172.67.74.152
	IFhqcKaIol.lnk	Get hash	malicious	Unknown	Browse	172.67.74.152
	JSWunwO4rS.lnk	Get hash	malicious	LummaC Stealer	Browse	172.67.74.152
	7p5nITtglJ.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.67.74.152
	kjshdkfgjsdg.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.67.74.152
	https://t.ly/alBFX	Get hash	malicious	Unknown	Browse	172.67.74.152
	QD40FIJ8QK.lnk	Get hash	malicious	Unknown	Browse	172.67.74.152
	TEKL_F _STE_I Unilever San ve Tic Trk A__PDF.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PpIvKmzUbDB.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380503343696294
Encrypted:	false
SSDEEP:	48:+WSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMugeoPUyus:+LHxv2IfLZ2KRH6OugYs
MD5:	6330406134F07C4344EF6A6DFFA6FF77
SHA1:	FC73921B1F3F20B019F281B62E0C9D06FE161196
SHA-256:	09EC8B3734FA3F2A1E1E7E83396F9A13C426C3F7F4A0514DFBD6D19686839B21
SHA-512:	642FD0FC17C5B3C6CEBA78C37720BE1FEFDF81E6289567095CF24296C16CCFFADB587BBCA29659FD6EBF5F6D7A4C9688160809E41D283B098C179B0C502EA5C1
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4oicssh2.iak.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_esbf45ym.anx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jpqgbxfw.gjw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jtl5qiop.omt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ldvzfpoc.lyu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nfurtpnj.u4t.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ps4rxfzv.vzz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pu2itpzt.upb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp1BF6.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1584
Entropy (8bit):	5.1174212704784825
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtFxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTbv
MD5:	D42BBB597AD022A05E49870537AB2F04
SHA1:	8E06E90FEA35F3B008C6D9DC0E6BA2882F69F459
SHA-256:	883D746F5CFB1F8388222679C3DAA28D4DD9D166E93BDDAD50C0F05D7F7CAAC1
SHA-512:	1B26AC3E9A121AC1A14029C39CDB46D22105F47CAD0D23015745E1646CE242614CD5B27639DBC2D74BDF4A4CAB9FD2D1FC3F1736DC5052F6B62F24D509931BEA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp7B3.tmp

Download File

Process:	C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1584
Entropy (8bit):	5.1174212704784825
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtFxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTbv
MD5:	D42BBB597AD022A05E49870537AB2F04
SHA1:	8E06E90FEA35F3B008C6D9DC0E6BA2882F69F459
SHA-256:	883D746F5CFB1F8388222679C3DAA28D4DD9D166E93BDDAD50C0F05D7F7CAAC1
SHA-512:	1B26AC3E9A121AC1A14029C39CDB46D22105F47CAD0D23015745E1646CE242614CD5B27639DBC2D74BDF4A4CAB9FD2D1FC3F1736DC5052F6B62F24D509931BEA
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe

Download File

Process:	C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	912896
Entropy (8bit):	7.317085186679611
Encrypted:	false
SSDEEP:	12288:aPGU5KgkV9aVEbjN7tN8J05ZZIMGZedgx5zEn2lPlgrdm4Vz0Rppppppppppppp9:iKgK4uQKGzzhlP
MD5:	C2ED28C5339E0B3A5B676B45AD6D978B
SHA1:	6C25DC91C3E5E230645F83D49EDAA5E1F909393F
SHA-256:	76144B7C900168C9893AAA223A1EC8E8081CD827C99EADD3A6695EFD0AD337DD
SHA-512:	021362171A2511E313CDED56619E11C3A87FDBBE47806886B6D496161AF1B2DE2EBB3F875EBC05505A9428713B8DCB8B49DE4A65EA3E296C301B38A701C35269
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....ZRg..............0..h.............. ........@.. .......................`............@.................................t...O.......L....................@....................................................... ............... ..H............text....f... ...h.................. ..`.rsrc...L............j..............@..@.reloc.......@......................@..B........................H.......L8..x!...........Y...,..........................................&.(.........0.............X.+......0.............Y.+......0.............Z.+......0............"........,."...?....[.+...0..(.................,...+....Y(.......Y(....X.+...0..!........~.........,.s.........~.....+..*....0..R........r...p..r...p(....t......rc..po.......o......rm..po.....s.......o......+-..(.........(....r...p..(....r...p(....o....&..( ...-...........o!.....("....o#...o$.......ijo%....

C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.317085186679611
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	980001672 PPR for 30887217.scr.exe
File size:	912'896 bytes
MD5:	c2ed28c5339e0b3a5b676b45ad6d978b
SHA1:	6c25dc91c3e5e230645f83d49edaa5e1f909393f
SHA256:	76144b7c900168c9893aaa223a1ec8e8081cd827c99eadd3a6695efd0ad337dd
SHA512:	021362171a2511e313cded56619e11c3a87fdbbe47806886b6d496161af1b2de2ebb3f875ebc05505a9428713b8dcb8b49de4a65ea3e296c301b38a701c35269
SSDEEP:	12288:aPGU5KgkV9aVEbjN7tN8J05ZZIMGZedgx5zEn2lPlgrdm4Vz0Rppppppppppppp9:iKgK4uQKGzzhlP
TLSH:	2915F085E400EA26CE19A7341F32DA3507297EADBD31D22E5AED7CDB3FBB9925414013
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....ZRg..............0..h............... ........@.. .......................`............@................................

File Icon


Icon Hash:	c5949296969e8473

Static PE Info

General

Entrypoint:	0x4a86c6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67525AA4 [Fri Dec 6 02:00:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007FC604E1F512h
je 00007FC604E1F512h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007FC604E1F512h
imul eax, dword ptr [eax], 00610076h
je 00007FC604E1F512h
outsd
add byte ptr [edx+00h], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa8674	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x3814c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa66ec	0xa6800	0b0555e1695d1833fa343603ac953bd8	False	0.9316538217905406	data	7.785707287399863	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x3814c	0x38200	5aa588eb759410a6dc952049e4a39912	False	0.3080717566815145	data	5.205795545155309	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe4000	0xc	0x200	d12ec79440fa257df0fb8336359dccb8	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xaa490	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	0.38353658536585367
RT_ICON	0xaaaf8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	0.48655913978494625
RT_ICON	0xaade0	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	0.5286885245901639
RT_ICON	0xaafc8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	0.5878378378378378
RT_ICON	0xab0f0	0x6739	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9933017975402081
RT_ICON	0xb182c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.5578358208955224
RT_ICON	0xb26d4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.6367328519855595
RT_ICON	0xb2f7c	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	0.6497695852534562
RT_ICON	0xb3644	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.47760115606936415
RT_ICON	0xb3bac	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.125
RT_ICON	0xc43d4	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.21113622030691612
RT_ICON	0xcd87c	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 26560	0.21157894736842106
RT_ICON	0xd4064	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.24269870609981517
RT_ICON	0xd94ec	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.22325224374114314
RT_ICON	0xdd714	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.3196058091286307
RT_ICON	0xdfcbc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.3642120075046904
RT_ICON	0xe0d64	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.5086065573770492
RT_ICON	0xe16ec	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.5735815602836879
RT_GROUP_ICON	0xe1b54	0x102	data	0.5697674418604651
RT_GROUP_ICON	0xe1c58	0x14	data	1.05
RT_VERSION	0xe1c6c	0x2f4	data	0.43386243386243384
RT_MANIFEST	0xe1f60	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 15:45:10.515013933 CET	49707	443	192.168.2.8	172.67.74.152
Dec 6, 2024 15:45:10.515063047 CET	443	49707	172.67.74.152	192.168.2.8
Dec 6, 2024 15:45:10.515141964 CET	49707	443	192.168.2.8	172.67.74.152
Dec 6, 2024 15:45:10.522721052 CET	49707	443	192.168.2.8	172.67.74.152
Dec 6, 2024 15:45:10.522731066 CET	443	49707	172.67.74.152	192.168.2.8
Dec 6, 2024 15:45:11.741411924 CET	443	49707	172.67.74.152	192.168.2.8
Dec 6, 2024 15:45:11.741590977 CET	49707	443	192.168.2.8	172.67.74.152
Dec 6, 2024 15:45:11.745471954 CET	49707	443	192.168.2.8	172.67.74.152
Dec 6, 2024 15:45:11.745486975 CET	443	49707	172.67.74.152	192.168.2.8
Dec 6, 2024 15:45:11.745816946 CET	443	49707	172.67.74.152	192.168.2.8
Dec 6, 2024 15:45:11.951328039 CET	443	49707	172.67.74.152	192.168.2.8
Dec 6, 2024 15:45:11.951421022 CET	49707	443	192.168.2.8	172.67.74.152
Dec 6, 2024 15:45:12.226412058 CET	49707	443	192.168.2.8	172.67.74.152
Dec 6, 2024 15:45:12.267343998 CET	443	49707	172.67.74.152	192.168.2.8
Dec 6, 2024 15:45:12.561753988 CET	443	49707	172.67.74.152	192.168.2.8
Dec 6, 2024 15:45:12.562197924 CET	443	49707	172.67.74.152	192.168.2.8
Dec 6, 2024 15:45:12.562258005 CET	49707	443	192.168.2.8	172.67.74.152
Dec 6, 2024 15:45:12.567365885 CET	49707	443	192.168.2.8	172.67.74.152
Dec 6, 2024 15:45:13.783782959 CET	49710	25	192.168.2.8	46.175.148.58
Dec 6, 2024 15:45:14.985203981 CET	49710	25	192.168.2.8	46.175.148.58
Dec 6, 2024 15:45:15.201059103 CET	49711	443	192.168.2.8	172.67.74.152
Dec 6, 2024 15:45:15.201112032 CET	443	49711	172.67.74.152	192.168.2.8
Dec 6, 2024 15:45:15.201193094 CET	49711	443	192.168.2.8	172.67.74.152
Dec 6, 2024 15:45:15.204616070 CET	49711	443	192.168.2.8	172.67.74.152
Dec 6, 2024 15:45:15.204657078 CET	443	49711	172.67.74.152	192.168.2.8
Dec 6, 2024 15:45:16.431031942 CET	443	49711	172.67.74.152	192.168.2.8
Dec 6, 2024 15:45:16.431117058 CET	49711	443	192.168.2.8	172.67.74.152
Dec 6, 2024 15:45:16.433062077 CET	49711	443	192.168.2.8	172.67.74.152
Dec 6, 2024 15:45:16.433098078 CET	443	49711	172.67.74.152	192.168.2.8
Dec 6, 2024 15:45:16.433440924 CET	443	49711	172.67.74.152	192.168.2.8
Dec 6, 2024 15:45:16.578962088 CET	49711	443	192.168.2.8	172.67.74.152
Dec 6, 2024 15:45:16.654371977 CET	49711	443	192.168.2.8	172.67.74.152
Dec 6, 2024 15:45:16.695339918 CET	443	49711	172.67.74.152	192.168.2.8
Dec 6, 2024 15:45:16.988848925 CET	49710	25	192.168.2.8	46.175.148.58
Dec 6, 2024 15:45:16.993288994 CET	443	49711	172.67.74.152	192.168.2.8
Dec 6, 2024 15:45:16.993364096 CET	443	49711	172.67.74.152	192.168.2.8
Dec 6, 2024 15:45:16.993465900 CET	49711	443	192.168.2.8	172.67.74.152
Dec 6, 2024 15:45:17.016796112 CET	49711	443	192.168.2.8	172.67.74.152
Dec 6, 2024 15:45:18.271440983 CET	49713	25	192.168.2.8	46.175.148.58
Dec 6, 2024 15:45:19.282155037 CET	49713	25	192.168.2.8	46.175.148.58
Dec 6, 2024 15:45:20.985219955 CET	49710	25	192.168.2.8	46.175.148.58
Dec 6, 2024 15:45:21.282125950 CET	49713	25	192.168.2.8	46.175.148.58
Dec 6, 2024 15:45:25.282167912 CET	49713	25	192.168.2.8	46.175.148.58
Dec 6, 2024 15:45:29.000904083 CET	49710	25	192.168.2.8	46.175.148.58
Dec 6, 2024 15:45:33.282944918 CET	49713	25	192.168.2.8	46.175.148.58

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 15:45:10.358406067 CET	62712	53	192.168.2.8	1.1.1.1
Dec 6, 2024 15:45:10.500093937 CET	53	62712	1.1.1.1	192.168.2.8
Dec 6, 2024 15:45:13.494599104 CET	51031	53	192.168.2.8	1.1.1.1
Dec 6, 2024 15:45:13.783000946 CET	53	51031	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 6, 2024 15:45:10.358406067 CET	192.168.2.8	1.1.1.1	0xcc69	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 6, 2024 15:45:13.494599104 CET	192.168.2.8	1.1.1.1	0x86f6	Standard query (0)	mail.iaa-airferight.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 6, 2024 15:45:10.500093937 CET	1.1.1.1	192.168.2.8	0xcc69	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 6, 2024 15:45:10.500093937 CET	1.1.1.1	192.168.2.8	0xcc69	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 6, 2024 15:45:10.500093937 CET	1.1.1.1	192.168.2.8	0xcc69	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 6, 2024 15:45:13.783000946 CET	1.1.1.1	192.168.2.8	0x86f6	No error (0)	mail.iaa-airferight.com	46.175.148.58	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	172.67.74.152	443	6408	C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 14:45:12 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-06 14:45:12 UTC	424	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 14:45:12 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8edd0ef06b5643ca-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1772&min_rtt=1757&rtt_var=689&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1553191&cwnd=223&unsent_bytes=0&cid=1d6132aeede1a09e&ts=832&x=0"
2024-12-06 14:45:12 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49711	172.67.74.152	443	1152	C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 14:45:16 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-06 14:45:16 UTC	424	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 14:45:16 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8edd0f0c19514372-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1697&min_rtt=1679&rtt_var=666&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1600000&cwnd=242&unsent_bytes=0&cid=0ae2c6348091b80d&ts=567&x=0"
2024-12-06 14:45:16 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

Target ID:	0
Start time:	09:45:07
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe"
Imagebase:	0xc50000
File size:	912'896 bytes
MD5 hash:	C2ED28C5339E0B3A5B676B45AD6D978B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1469392053.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1469392053.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:45:08
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe"
Imagebase:	0xd60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:45:08
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:45:08
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe"
Imagebase:	0xd60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:45:08
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:45:08
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp7B3.tmp"
Imagebase:	0xa90000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:45:08
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:45:09
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\980001672 PPR for 30887217.scr.exe"
Imagebase:	0x960000
File size:	912'896 bytes
MD5 hash:	C2ED28C5339E0B3A5B676B45AD6D978B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2691709359.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2691709359.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2696096691.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2696096691.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2696096691.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	09:45:09
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe
Imagebase:	0xe50000
File size:	912'896 bytes
MD5 hash:	C2ED28C5339E0B3A5B676B45AD6D978B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 26%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:45:12
Start date:	06/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	09:45:13
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpIvKmzUbDB" /XML "C:\Users\user\AppData\Local\Temp\tmp1BF6.tmp"
Imagebase:	0xa90000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:45:13
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:45:14
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\PpIvKmzUbDB.exe"
Imagebase:	0x8a0000
File size:	912'896 bytes
MD5 hash:	C2ED28C5339E0B3A5B676B45AD6D978B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2696170324.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2696170324.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2696170324.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.9%
Total number of Nodes:	314
Total number of Limit Nodes:	22

Executed Functions

Function 07F408A4 Relevance: .6, Instructions: 623COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1485630838.0000000007F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f40000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740ee235fcf7a234b47c0f33038be18180a7ea6bf71f99f7456666583a2442e7
Instruction ID: 9759523256f371ab5fa8296fb87e8e03fa3659883ff4dee3f60d85192faf910e
Opcode Fuzzy Hash: 740ee235fcf7a234b47c0f33038be18180a7ea6bf71f99f7456666583a2442e7
Instruction Fuzzy Hash: EA3261B1E002159FDB14DFA8C8507AEBBB2BF85300F14856AE409AB385DF749D85CF95

Function 07F42518 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1485630838.0000000007F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f40000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6679117b8df00755482646ceeab2a44729244d9b2edc5a77fb5d2435dc080ae8
Instruction ID: 8b1b23f4e354516bfe53b679c5589c32759e4b91ee2743873d501a41653cf948
Opcode Fuzzy Hash: 6679117b8df00755482646ceeab2a44729244d9b2edc5a77fb5d2435dc080ae8
Instruction Fuzzy Hash: 11C139B1E10219DFDB14CFA5C88079DBBB2FF89310F18C5AAE449AB255DB709985CF90

Function 02F24B01 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1467156149.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f20000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d791e437c819e49fa083be8dc4caaf64b0f85953e2af45afedef2070c069fee
Instruction ID: a39b87a996f4903b7c4cf53aa9bcedfecfdf4a2fd722994cbe22a1e50b755e05
Opcode Fuzzy Hash: 1d791e437c819e49fa083be8dc4caaf64b0f85953e2af45afedef2070c069fee
Instruction Fuzzy Hash: 25818053F14556DBCB21A4BE6C123AD10C2539E45CF1CEA556A55EA3D6F2E2CC00A3A2

Function 02F26F90 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1467156149.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f20000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e9a7ed521b3cd7485125e2ad3094ce16c1047b2a19b4cf01aff0aa36b4ad01
Instruction ID: f8653b46a1f192351792fb695fa1d1b22dcdc78f13f28f8dec88da96b199f1b9
Opcode Fuzzy Hash: 60e9a7ed521b3cd7485125e2ad3094ce16c1047b2a19b4cf01aff0aa36b4ad01
Instruction Fuzzy Hash: 1981A170E012199FDB08DFA9D894AEEBBB2FF88300F248129D415AB364DB355945CF90

Function 02F23E28 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1467156149.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f20000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6349d667756ae69333e9b60ee667219780f6da28e49f2e8bfe5a2de66f23816
Instruction ID: 984340507cd50e457adfffb74d692f788d5aac1e6057e3f6cc53d4b1c7ad8df5
Opcode Fuzzy Hash: a6349d667756ae69333e9b60ee667219780f6da28e49f2e8bfe5a2de66f23816
Instruction Fuzzy Hash: 3381AF70E012199FDB08DFA9D894AEEBBB2FF89300F648529D405AB364DB355945CF90

Function 07600DF9 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8100aa1559a7967c93fd594abcf3d727077667cc89046110b2a98d5f40620b
Instruction ID: e09463cd53359c8d264865c11214dd34ca43461a38f857da7e65f03b53da5171
Opcode Fuzzy Hash: 3e8100aa1559a7967c93fd594abcf3d727077667cc89046110b2a98d5f40620b
Instruction Fuzzy Hash: 0021DDB1D156588BEB1CCFA7C8443EEFBF6AF8A300F04C16AD40966255DB7505468F90

Function 07600E08 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450bde4fb1eefe69b337a93824d9535660b2d097511604df767eca72465fb047
Instruction ID: 0256b02a7a937df8a76ec0d6192c5438c3a7513649767d9e280eb9652865da54
Opcode Fuzzy Hash: 450bde4fb1eefe69b337a93824d9535660b2d097511604df767eca72465fb047
Instruction Fuzzy Hash: E721A8B1D146588BEB1CCF97C8457EEFAF6BFCA300F14C169D40A662A4EB7509468F90

Function 07606AE4 Relevance: 1.8, APIs: 1, Instructions: 282
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07606D26

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5d39118d3a9f96556555f77c8a30f45c8e1d4d7c52d91549256f3359ee150124
Instruction ID: d4fa8105e9d87bc87ded5dc5856a003fbf22b690726371587b333d96fca6c9f2
Opcode Fuzzy Hash: 5d39118d3a9f96556555f77c8a30f45c8e1d4d7c52d91549256f3359ee150124
Instruction Fuzzy Hash: 22B18BB1D0021ADFEB24DFA8C8407EEBBB2FF45310F148569D849A7280DB7599A5CF91

Function 07606AF0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07606D26

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f706f5d2720b19e193889ccdc0d2cebaab1cdd8cd5662c6eb253362e40a1b9ef
Instruction ID: b141bf972028882faf08fccdb8f09697f0a65e8ee7aa936ae2ee1ac38444596b
Opcode Fuzzy Hash: f706f5d2720b19e193889ccdc0d2cebaab1cdd8cd5662c6eb253362e40a1b9ef
Instruction Fuzzy Hash: 5E916BB1D0021ADFEB24DF68C8407EEBBB2FF45310F148169D859A7280DB7599A5CF91

Function 02F2B1C8 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1467156149.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f20000_980001672 PPR for 30887217.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 952753465dbbb76e0449b8d2d4bbab40c0fda7e7b36aef1fe908c13d399dd4fa
Instruction ID: 505438541c4c9d62fcfb9480ac837aa47020c6c3a2a7e52ce29049ea20be8782
Opcode Fuzzy Hash: 952753465dbbb76e0449b8d2d4bbab40c0fda7e7b36aef1fe908c13d399dd4fa
Instruction Fuzzy Hash: 46714670A00B158FD724CF6AD55475ABBF2FF89248F00892DD58AD7A40DB74E849CB91

Function 076065F0 Relevance: 1.7, APIs: 1, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 076065A0

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 45db0bf45db1981745d3698fd065f526c25951732b072f189b34c112f32a9c17
Instruction ID: 89c931244a21dc43ee2f26a51ddfdede8be8b8e99d7ac68728b520a00c305c99
Opcode Fuzzy Hash: 45db0bf45db1981745d3698fd065f526c25951732b072f189b34c112f32a9c17
Instruction Fuzzy Hash: 1C615AB1E002198FDB18CFA9D5406AEFBB2FF89310F24816AD419BB356D7359941CFA1

Function 02F2590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02F259C9

Memory Dump Source

Source File: 00000000.00000002.1467156149.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f20000_980001672 PPR for 30887217.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 24420c5954088d8518f35332f2c55a45fc9c8562919dd3aa18b79d86e9e12fdd
Instruction ID: 3cfe8ea9292f4388afed8cce2a661b93e75157d2248850752469c719b08bd7fd
Opcode Fuzzy Hash: 24420c5954088d8518f35332f2c55a45fc9c8562919dd3aa18b79d86e9e12fdd
Instruction Fuzzy Hash: 74410371C00728CFEB24CFA9C885BCEBBB5BF49704F60806AD408AB251DB716949CF50

Function 02F244B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02F259C9

Memory Dump Source

Source File: 00000000.00000002.1467156149.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f20000_980001672 PPR for 30887217.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0b620bdbea50252fc6241d5f88be3b0a34d360ef7776df78f1d84e79fc7faedc
Instruction ID: 72d13ee3290c2e2c1f52b1c59a75f06edfeee972d60db72d733b9c2011654211
Opcode Fuzzy Hash: 0b620bdbea50252fc6241d5f88be3b0a34d360ef7776df78f1d84e79fc7faedc
Instruction Fuzzy Hash: 8C41F271D01729CBEB24CFA9C884B9EBBF5BF49714F60806AD408AB251DB716949CF90

Function 07F42E50 Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1485630838.0000000007F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f40000_980001672 PPR for 30887217.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 3a70b78da51356a5c03896e4dcc71d1a9a38feadd0122e35d6eda4d61fc0147e
Instruction ID: 0c540dd7f450efce51e8e1bf119e20053e7047874ad74e4be2211d44a947a9eb
Opcode Fuzzy Hash: 3a70b78da51356a5c03896e4dcc71d1a9a38feadd0122e35d6eda4d61fc0147e
Instruction Fuzzy Hash: 98316AB69002499FDB118FA9D804BEABFF8EF09210F18845AF954A7221D3399854DFA1

Function 07606428 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076064C0

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 115ebd5bac353b37b83b4b4c93fe2e521e8e89f4f527e9bcc5ef19b0a3c19c02
Instruction ID: 9bae8e40ce33d05847f5b0d0e892726bcb9bb962a76383da5642aabc69cde015
Opcode Fuzzy Hash: 115ebd5bac353b37b83b4b4c93fe2e521e8e89f4f527e9bcc5ef19b0a3c19c02
Instruction Fuzzy Hash: 352146B29003199FDB10DFA9C880BDEBBF1FF48310F10882AE959A7240D7789955CBA4

Function 07606430 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076064C0

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: abbab20ef7e7d1c313058bcd387fc9a2a97ad89c9e813b65f3da8f9b9da17f8e
Instruction ID: 6bedc7b183bf1b07be4bb004c1b942b4f6fb7d00faf7becf59d052a4091956be
Opcode Fuzzy Hash: abbab20ef7e7d1c313058bcd387fc9a2a97ad89c9e813b65f3da8f9b9da17f8e
Instruction Fuzzy Hash: 6E2124B19003599FDB14CFAAC881BDEBBF5FF48310F14882AE919A7240C7789954CBA0

Function 07606518 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 076065A0

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6d8f22931ae1ef95de3ce176aabe604551931f2101992e81a599bf054778509a
Instruction ID: ce3f87c6d0fdecac153d61087ecce5f4fe7e3a4c42dbb1419d1fd1d8422a0e1c
Opcode Fuzzy Hash: 6d8f22931ae1ef95de3ce176aabe604551931f2101992e81a599bf054778509a
Instruction Fuzzy Hash: EA2136B2C003599FDB14CFAAD881BEEBBF5FF48310F14842AE519A7240C7399951CBA0

Function 07606290 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07606316

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4b57630380a816e74b2e47110e4aa475c8ab3a4e639952b63e0a6f541fc90ee6
Instruction ID: d7320834fe625e9a5b35d55fa642611179d07d9784b6b6ab2e4d6efdfae7e88d
Opcode Fuzzy Hash: 4b57630380a816e74b2e47110e4aa475c8ab3a4e639952b63e0a6f541fc90ee6
Instruction Fuzzy Hash: CC2123B2D003099FDB14DFAAC4847EEBBF4EF88220F14842AD419A7241CB789945CBA5

Function 02F2B0B4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F2D66E,?,?,?,?,?), ref: 02F2D72F

Memory Dump Source

Source File: 00000000.00000002.1467156149.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f20000_980001672 PPR for 30887217.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fdf1b6a070854c0d3d973265435a1a7e39b175e99e206e1e5f1b93f8635b0ee9
Instruction ID: 7b69cfcc1128bd6c89b726487223908628e2970e1e7995ed861b4b4389a6e4e6
Opcode Fuzzy Hash: fdf1b6a070854c0d3d973265435a1a7e39b175e99e206e1e5f1b93f8635b0ee9
Instruction Fuzzy Hash: C221E6B5D00258EFDB10CF9AD484ADEBBF4FB48310F14841AE918A7310D378A954CFA5

Function 07606298 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07606316

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8969742592f14bf509695299e3428be5ac260e977af90e18edccd8997918e558
Instruction ID: 4a9f46e263b41f049102f7dec5909498eb5170a40d38f1af28b2295dec48874e
Opcode Fuzzy Hash: 8969742592f14bf509695299e3428be5ac260e977af90e18edccd8997918e558
Instruction Fuzzy Hash: 242115B1D003099FDB14DFAAC4857AEBBF4EF49210F54842AD419A7241CB789945CFA5

Function 07606520 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 076065A0

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b57f4e18b8c956d6a190573ebd68154be8734dda6e185c3eede102cb22f6fc90
Instruction ID: a5ef537cc55d8b557bfab0abc0e94e1ca99a5e46e157378ab9b1076eb751708b
Opcode Fuzzy Hash: b57f4e18b8c956d6a190573ebd68154be8734dda6e185c3eede102cb22f6fc90
Instruction Fuzzy Hash: 672128B1C003499FDB10CFAAC841BDEBBF5FF48310F14842AE519A7240C7799510CBA1

Function 02F2D6A1 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F2D66E,?,?,?,?,?), ref: 02F2D72F

Memory Dump Source

Source File: 00000000.00000002.1467156149.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f20000_980001672 PPR for 30887217.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 43b97ef864a50dd8cbab0eed9883080dfc720a97ce6da9c23e5fe9e9bd263c3d
Instruction ID: 743c4b7c098e894a1bd29f0bdb432183299aa78297f3a161826f3896da0000f8
Opcode Fuzzy Hash: 43b97ef864a50dd8cbab0eed9883080dfc720a97ce6da9c23e5fe9e9bd263c3d
Instruction Fuzzy Hash: FE21C2B5D00258EFDB10CFAAD984ADEBBF8EB48314F14841AE918A7350D378A954CF65

Function 07606368 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076063DE

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e25a5175828b74b11f100416839c7b82222b2f860c65fbc86ea85c4d4af37372
Instruction ID: 20fe5d05731e6936df4cd67f7e2930d4732d416fd86babc63cf4621c393ecbe7
Opcode Fuzzy Hash: e25a5175828b74b11f100416839c7b82222b2f860c65fbc86ea85c4d4af37372
Instruction Fuzzy Hash: C2118972900249DFDB14CFA9D8447DFBBF1EF48310F14881AE515A7250C7359550CFA0

Function 07F408EC Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07F42E6A,?,?,?,?,?), ref: 07F42F0F

Memory Dump Source

Source File: 00000000.00000002.1485630838.0000000007F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f40000_980001672 PPR for 30887217.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: a7f70ab688c138eac316bd12beca94a8cda20a1b4569be6a5736c899c8042163
Instruction ID: c4e97639513f74c9a6300600628e95ffae2fbe2c4c02cc392b05e74290431729
Opcode Fuzzy Hash: a7f70ab688c138eac316bd12beca94a8cda20a1b4569be6a5736c899c8042163
Instruction Fuzzy Hash: C71117B59002499FDB10CFAAD844BDEBFF8EB48320F54841AE914A7210C375A950CFA5

Function 07606370 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076063DE

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 72a00c4e016ff0c033b6ae4936af412e107dca49aff5c3ed63200ef72fd65014
Instruction ID: e376db93ae6fa6ba4ab5ffb41c4f3e3ccc39d2aeccc5bcaa770b422fd951177b
Opcode Fuzzy Hash: 72a00c4e016ff0c033b6ae4936af412e107dca49aff5c3ed63200ef72fd65014
Instruction Fuzzy Hash: 6B1126728002499FDB14DFAAC844BDFBBF5EF48310F148819E519A7250C7759950CBA1

Function 076061E0 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0760624A

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d9b20f6549ccb6a6ed9cec1e82db98483e7c3ef9dd47fe86fde5162b86c11369
Instruction ID: dc3deff71ebc773d4b0e04810c0616b94eec21645cafc998f12ad3eddad1cc74
Opcode Fuzzy Hash: d9b20f6549ccb6a6ed9cec1e82db98483e7c3ef9dd47fe86fde5162b86c11369
Instruction Fuzzy Hash: E31113B1D002498FDB24DFAAD4457EEBBF5EB88220F24881AD519A7240C679A941CBA5

Function 02F29C38 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,02F2B1E4), ref: 02F2B41E

Memory Dump Source

Source File: 00000000.00000002.1467156149.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f20000_980001672 PPR for 30887217.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 60f7438243a5d6aead834b0bc70197570fb7d83ebb01d853e77ccb0fc7cb4861
Instruction ID: bff06fb4cbc26f8ffa5c9b55df4ba2baa67762e642c0f6418bfd35cf97e21786
Opcode Fuzzy Hash: 60f7438243a5d6aead834b0bc70197570fb7d83ebb01d853e77ccb0fc7cb4861
Instruction Fuzzy Hash: 661132B2C007488FCB10CF9AC544BDEFBF4EB48218F14845AD918A7300C375A505CFA1

Function 076061E8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0760624A

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 66b14a1f2570049dcac8336e3337820d645654a5243bda48130a6c1286866182
Instruction ID: 55b727f852130b57577706b6265ad430986325b07ffa6d92670f94d3f90a159d
Opcode Fuzzy Hash: 66b14a1f2570049dcac8336e3337820d645654a5243bda48130a6c1286866182
Instruction Fuzzy Hash: 461136B1D003498FDB24DFAAC44579FFBF4EF88220F24881AD419A7240CB79A940CBA5

Function 076034E0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0760A8FD

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 90cb86c0a166a832a0a5969e94438570b4c5fcbc668434c59b07ceb4e10c6cbe
Instruction ID: 3ce85e896def10a88571316ccdd4823af5688b8a33c0f8b08c772c695d2267c3
Opcode Fuzzy Hash: 90cb86c0a166a832a0a5969e94438570b4c5fcbc668434c59b07ceb4e10c6cbe
Instruction Fuzzy Hash: 0011F2B5800349DFDB20DF9AD884BDFBBF8EB48320F10841AE919A7240D375A944CFA1

Function 0760A89E Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0760A8FD

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c61c8dba0fda87d45aaf8eb62e0b673525219dad546b547a726d32aed2feacd8
Instruction ID: 3fbf186b83f68592199eec80841ed959a1044941cf296d2d1bcae097e1472d32
Opcode Fuzzy Hash: c61c8dba0fda87d45aaf8eb62e0b673525219dad546b547a726d32aed2feacd8
Instruction Fuzzy Hash: 7711D3B5900349DFDB20DF9AD845BEEFBF8EB48320F10845AE519A7650C375A944CFA1

Function 0163D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465658507.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca83ffa7ff27f3ca28d37876d8c0c65af013e99a9ac12fc930d66222f90bee6c
Instruction ID: fd378ee2a47467814a69e0ea879edc5a1d50dab3b539ba2cbe301a44b937a677
Opcode Fuzzy Hash: ca83ffa7ff27f3ca28d37876d8c0c65af013e99a9ac12fc930d66222f90bee6c
Instruction Fuzzy Hash: EC212271504204EFDB01DFA4D9C0B26BBA1FBC4328F60C5ADEA094B342C336D806CA62

Function 0163D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465658507.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a2e68ba31523b5d56a9b6d9570925a1933a70498506be3dbfe190f8e26a4a2
Instruction ID: f82c2aa9c55cfb78a91a35c9e327e8d5a1212476d056718566d9a2a6dd0737b5
Opcode Fuzzy Hash: 38a2e68ba31523b5d56a9b6d9570925a1933a70498506be3dbfe190f8e26a4a2
Instruction Fuzzy Hash: 832100B1604204EFDB15DFA4D880B26FBA5FBC4A14F60C569E84A0B386C336D847CA62

Function 0163D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465658507.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction ID: 5867b4189c6cb22bb48df28f777c3e6042fdffcaead7e5506d1ee6b91806e252
Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction Fuzzy Hash: D711BB75904280DFCB12CF54D9C4B15FFA2FB84714F24C6AAD8494B796C33AD44ACBA2

Function 0163D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465658507.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction ID: 47e79b63b41ec450882faf4e92deed776d3a25c2b49076f71401f4f470171107
Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction Fuzzy Hash: 3811BB75904280DFCB02CF54C9C0B15FFA1FB84224F24C6A9D9494B797C33AD44ACB62

Function 0162D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465520361.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_162d000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b841aa840817d04f881d6789fa42991fe8b26d83b4197a2eaa34fc52ba0052
Instruction ID: 226e6427b96d93c084be1a6d64ef163c6dc4a71c6b55d0627baadff5c54c7f65
Opcode Fuzzy Hash: c7b841aa840817d04f881d6789fa42991fe8b26d83b4197a2eaa34fc52ba0052
Instruction Fuzzy Hash: 8201F771404B94AAF7204EA9CC84B76BB98EF41760F04C51AED080E282C33D9401CEB2

Function 0162D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465520361.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_162d000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8c7366339dd723d7d2db1276ecd24af77370f0fe93d1ca7409421336bf5437
Instruction ID: 8f89ca37022fd300296265626cb0f0893e536cca3fc06f9a16a1f0996cbd5bd8
Opcode Fuzzy Hash: ff8c7366339dd723d7d2db1276ecd24af77370f0fe93d1ca7409421336bf5437
Instruction Fuzzy Hash: CAF06272404794AEE7108E59DC84B62FFD8EB41734F18C55AED484A287C3799844CFB2

Non-executed Functions

Function 07604720 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c055e41c812e97b724b0a3b8c4ec58c280a2b7473abcf00a69b0f4b1390b6c76
Instruction ID: 39e3ed6a0eef97f656c2da6dbe8fff77634088d154dbdf9f960025b26a5e41ec
Opcode Fuzzy Hash: c055e41c812e97b724b0a3b8c4ec58c280a2b7473abcf00a69b0f4b1390b6c76
Instruction Fuzzy Hash: 8DE12CB4E002598FDB24CFA9C580AAEBBB2FF89301F248169D555AB355DB349D41CFA0

Function 07606600 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137d78188e9ce52f37c6b6657dadd6c4c6d4b3df84135401b1851ceadca47f14
Instruction ID: d706dd7372367594cec09f502d4f2af47c37b0647f8c38583153deb5704fff4d
Opcode Fuzzy Hash: 137d78188e9ce52f37c6b6657dadd6c4c6d4b3df84135401b1851ceadca47f14
Instruction Fuzzy Hash: 1FE11AB4E002198FDB18DFA9C580AAEFBB2FF89305F248169D455AB355D734AD41CFA0

Function 076042E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa7aafb7321ba0f430e4b9904480c9c3337dba26e34c4a9b041372c2d29b9c8
Instruction ID: bd09c3f16ada4961ad3a3bd2b27daddd57124c50cee4e9acc4a8bc186d448420
Opcode Fuzzy Hash: 5fa7aafb7321ba0f430e4b9904480c9c3337dba26e34c4a9b041372c2d29b9c8
Instruction Fuzzy Hash: 36E14FB4E002598FDB24CFA9C5809AEFBB2FF89301F248169D505AB355DB349D41CFA0

Function 07603EB0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ddee1db7755450d9c0bfeb066068238dff665e368cb48dec84e594ea3851d9
Instruction ID: 9e73a18342de19638d8d7af627353a3154bbf6cce25ba7d80fef78e527193773
Opcode Fuzzy Hash: 48ddee1db7755450d9c0bfeb066068238dff665e368cb48dec84e594ea3851d9
Instruction Fuzzy Hash: 8BE12AB4E002598FDB24CFA9C5809AEFBB2FF89305F248169D515AB355DB34AD41CFA0

Function 076059C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e0d79cb27d1ca0b949d955476c6200f6aa8fccaf9a6c424d8d226c720b212e
Instruction ID: 06ac13bbdf130e0bf815accf2737973380e316de972c5ba30c8c41b26c84f053
Opcode Fuzzy Hash: a1e0d79cb27d1ca0b949d955476c6200f6aa8fccaf9a6c424d8d226c720b212e
Instruction Fuzzy Hash: 0BE1ECB4E002198FDB14CFA9C5809AEFBB2FF89305F248169D456AB356D735AD41CFA0

Function 02F2DFB4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1467156149.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f20000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8191e61da18628e13ea416a4a16ff5c0fbef28520919e88d60bf07320f21486
Instruction ID: 0989325db1008e16b20cde8d5812853815be6b6e0256851dc440a6970ce514d7
Opcode Fuzzy Hash: d8191e61da18628e13ea416a4a16ff5c0fbef28520919e88d60bf07320f21486
Instruction Fuzzy Hash: 6DA16F32E102198FCF15DFB4C8405DEBBB2FF86340B25456AE905AB265DB35E95ACF40

Function 076042D8 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1479031587.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977905d834489e7455f4d72f1fab3a3819afd9fa8cb0f4bbcd4de1cc5dd5e3d8
Instruction ID: 6574ec9e5b329b6a965ecc51f3079791ef6bf1c081426794edaebe1c24b2237a
Opcode Fuzzy Hash: 977905d834489e7455f4d72f1fab3a3819afd9fa8cb0f4bbcd4de1cc5dd5e3d8
Instruction Fuzzy Hash: 03514DB0E002598FDB18CFAAC5805AEBBB2FF89201F248169D459BB355C7359D42CFA0

Analysis Process: 980001672 PPR for 30887217.scr.exePID: 6408, Parent PID: 6812COMMON

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	26
Total number of Limit Nodes:	5

Executed Functions

Function 01124A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e467668e8b23a0314f4f281c454c913cd8acfa840f9c94e7dc23590c32c566c0
Instruction ID: 20a9be9b3a8f5d8f01298705c9e649517f815bc54659da7b11b2ebd3e017d965
Opcode Fuzzy Hash: e467668e8b23a0314f4f281c454c913cd8acfa840f9c94e7dc23590c32c566c0
Instruction Fuzzy Hash: 09B17070E00229CFDF18CFA9D89179DBBF2AF88314F148529D815EB794EB749865CB81

Function 01123E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd86ddabfc087ae1daa4fded54d3ccab5cd7e0977d400fbf9b8d7509f5e6988
Instruction ID: bf082942d412f26a4ee8d7f1cdd8fe52634dd423fbe5e1df7fcc4694c14f7b13
Opcode Fuzzy Hash: 0fd86ddabfc087ae1daa4fded54d3ccab5cd7e0977d400fbf9b8d7509f5e6988
Instruction Fuzzy Hash: 5F917070E10219CFDF18CFA9D8857DEBBF2BF88314F148129E415A7654EB789895CB82

Function 069BE950 Relevance: 1.6, APIs: 1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2708539295.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_69b0000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9319b52903eadaf635b9c8903249285890572b5f5bc1c6beb72ff143c19d3b5
Instruction ID: 5e5f0d6b921a0e3a0ed3025144ea60ac8d41b3bfdd96d125ac1a67f342bccfad
Opcode Fuzzy Hash: b9319b52903eadaf635b9c8903249285890572b5f5bc1c6beb72ff143c19d3b5
Instruction Fuzzy Hash: 08410072D007498FCB14DFB5D9403DEBBF5AFC9210F18856AD814ABB90EB789845CB91

Function 069BEA38 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 069BEA9F

Memory Dump Source

Source File: 00000009.00000002.2708539295.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_69b0000_980001672 PPR for 30887217.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 9052286a8d64ad2c6ceb0ed4bd25c7bd2ccf1da958bf3a4990277b4b4b46ede7
Instruction ID: d530c1de68d33adbedf12607f7b6daa10575fb5240f159dd418eaf12baf5c0a3
Opcode Fuzzy Hash: 9052286a8d64ad2c6ceb0ed4bd25c7bd2ccf1da958bf3a4990277b4b4b46ede7
Instruction Fuzzy Hash: 7D11F3B1C006599BDB10CFAAC544BDEFBF8BF48720F15816AD818B7640D378A945CFA5

Function 011286C8 Relevance: .6, Instructions: 570
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b3cf43f31fbbd91a97b60af72760374abe138ef28316b5fce578dedff9c400
Instruction ID: 94320a4952d558cbaa218c173b4f4fd0bbd097e791a3b1041e239a2c29eda38c
Opcode Fuzzy Hash: 65b3cf43f31fbbd91a97b60af72760374abe138ef28316b5fce578dedff9c400
Instruction Fuzzy Hash: D0226C317103179BDB1AAB7CE4542AC33E2FBC9764B204939E006CB755DF35E8668B82

Function 01128720 Relevance: .6, Instructions: 553
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3653c95c96ae4a847bb0982fa0fd3838dfd4ad85cc5af1e00457977386270c7
Instruction ID: 76af685f89f7e0e60e5a5386b619fb1339e8769a48821c6ad2c6ac1555ca432d
Opcode Fuzzy Hash: f3653c95c96ae4a847bb0982fa0fd3838dfd4ad85cc5af1e00457977386270c7
Instruction Fuzzy Hash: EF126C317103179BDB19AB7CE4542AC33E2FBC9765B208938E006CB755DF75E8668B82

Function 0112A1AA Relevance: .4, Instructions: 398
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6ec63b5651ede9cad4a67dd12e5cd6437c52d19cf795221f6f23068de4305c
Instruction ID: 969c34b99c1e4416116260ce1d0f575660afd03087e4b3828c01ede030aceee4
Opcode Fuzzy Hash: de6ec63b5651ede9cad4a67dd12e5cd6437c52d19cf795221f6f23068de4305c
Instruction Fuzzy Hash: B6E1C130B002158FDF19DB68E594AADBBB2FF89310F248569E906DB751DB35EC42CB81

Function 01124A8E Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26c15076f1acf10ab9a231c27d03c7350e3fddecdd6df9ffb9d1c692dbf0ccd
Instruction ID: 787bfb5cb80f6f00c8074bcfbf34546f33d2675ff8a3cf8e5f7675c76e5d97aa
Opcode Fuzzy Hash: f26c15076f1acf10ab9a231c27d03c7350e3fddecdd6df9ffb9d1c692dbf0ccd
Instruction Fuzzy Hash: 5CA16F70E00229CFDB19CFA8D8917DDBBF1AF88314F148129D818EB754EB759865CB81

Function 01123E74 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b868c959f8b0be914014439321669eb91904354dc1d7e691ac26f201003c292b
Instruction ID: 3638c44d37b945f68d5b8071caa647ed37e80a83bf8d0e5a6bcd76e20b77c602
Opcode Fuzzy Hash: b868c959f8b0be914014439321669eb91904354dc1d7e691ac26f201003c292b
Instruction Fuzzy Hash: 19918F70E10219CFDF18CFA8D8857DDBBF2BF88314F248129E415A7654EB789895CB82

Function 01124810 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0f0ee103cf02cabbbf8b1a865b54cef4d696162139c740c539996954838b00
Instruction ID: 8a04a663518f1905d71659f56074dadee7dee822be41ac161bd8d198f1df3849
Opcode Fuzzy Hash: cf0f0ee103cf02cabbbf8b1a865b54cef4d696162139c740c539996954838b00
Instruction Fuzzy Hash: CC717AB0E00259CFDF18CFA9D8807AEBBF2BF88714F148129E415AB654EB749851CF95

Function 01124806 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c4537595e1599a62f8a06043b0cff0c3777c6aa0a2e5f6dd7ea8b08397b2ac6
Instruction ID: eb5d6c94b79cf2f95167eb4c13202e460bdccbaff6ef05f5530447e69870ae8b
Opcode Fuzzy Hash: 6c4537595e1599a62f8a06043b0cff0c3777c6aa0a2e5f6dd7ea8b08397b2ac6
Instruction Fuzzy Hash: B57169B0E00259CFDF18CFA9D88079EBBF2BF88714F148129E415AB654EB749851CB95

Function 01126ECF Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6386f98a8f15958f27ab071e718c213cde7324a128b85277f0a1a106ef2030bf
Instruction ID: ba967dc4c120da485ed0584735f848a74df53cdc9c86cb03aa1912b2a8af2f20
Opcode Fuzzy Hash: 6386f98a8f15958f27ab071e718c213cde7324a128b85277f0a1a106ef2030bf
Instruction Fuzzy Hash: 14516F347102258FDB18DB68D468BAE7BF2BF89700F2040A9E406EB3A1DB75DC51CB91

Function 0112A6C8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3438abdd9d87264ffd96359843ea5009cf88ce1fbaef06a6df17929d3cc4e327
Instruction ID: 0ee3d4814ce95ba0dcaa4289f192ca1d9cfa71a684e2a8d0664a08c521bbb92b
Opcode Fuzzy Hash: 3438abdd9d87264ffd96359843ea5009cf88ce1fbaef06a6df17929d3cc4e327
Instruction Fuzzy Hash: 1C514A71A00205CFDB14DFA9E884B99FBB2FF88310F14C2AAE9099B755E771D945CB90

Function 01126CD4 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc2c9126e1f8a250e965a6dd8dab021d766e9acd8c570925d0e6fd8ddb3ed89
Instruction ID: 24e14275b02057876097b6cb186edec578de1848f08fc18761c541be2ad93c85
Opcode Fuzzy Hash: 1cc2c9126e1f8a250e965a6dd8dab021d766e9acd8c570925d0e6fd8ddb3ed89
Instruction Fuzzy Hash: 2C510270E10268CFDB18CFA9C895BADBBB1BF48314F148129E815AB391D774A845CB95

Function 01126CE0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301ab22f6240284cfb8de273c8d7bdefa94ce35abc652062fd7f450f0dcf8cf6
Instruction ID: 885343e7c08ace6361d56a6a226096b2515e437e57aee3dd651af9a32c1a9b95
Opcode Fuzzy Hash: 301ab22f6240284cfb8de273c8d7bdefa94ce35abc652062fd7f450f0dcf8cf6
Instruction Fuzzy Hash: DC510170D10268CFDB18CFA9C895B9DBBF1BF48314F14852AE819AB391D774A844CF95

Function 01121128 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f1771e3c70e2f9e498ad1148ac5dec8f944c494773badb5af606e14d42b4bf9
Instruction ID: 439a8082f6449fd9284fa492a5f4fbbf5c475489fc28852a33aefc6a9bdb67d2
Opcode Fuzzy Hash: 9f1771e3c70e2f9e498ad1148ac5dec8f944c494773badb5af606e14d42b4bf9
Instruction Fuzzy Hash: 95510A72632247CFCB06FF6DF8809997BB1B796304304896DD0448B76EDA796906CB81

Function 01121138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96edfe5b56bb6bb43a5276da5dc6a6136cc9fd1f297eeb2e55af4c0b777a3dba
Instruction ID: 5ade05fa905b73e1e8f946a756af3d52210d93814eaad79b8dddc61a45e4b9fc
Opcode Fuzzy Hash: 96edfe5b56bb6bb43a5276da5dc6a6136cc9fd1f297eeb2e55af4c0b777a3dba
Instruction Fuzzy Hash: EF51F932632347CFCB06FF6DF8809997BB1B796704304896DD0448B76EEA792906CB85

Function 0112DE6A Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf4aea9ee5f9292632af7a23bc36813d730e52286445e3ef8a5e2f999ac32ad
Instruction ID: 8e0199c94cec765b81cb22c790640bc5149e595c22817a6a984016bd73e7c691
Opcode Fuzzy Hash: bbf4aea9ee5f9292632af7a23bc36813d730e52286445e3ef8a5e2f999ac32ad
Instruction Fuzzy Hash: 4D316E75B00216EFD705DF68D890E3AB767BBC4600F55C168E4029B299CB36EC52CB90

Function 01127D90 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5307ac69652a66f580df9ecff70fa86910d31e7327c0a179a6d794c8a5b693
Instruction ID: 0fd4e78f7f45d79ae13b330092b21da0e2ba4129bfc6729e6b60e94c7708ab49
Opcode Fuzzy Hash: 5f5307ac69652a66f580df9ecff70fa86910d31e7327c0a179a6d794c8a5b693
Instruction Fuzzy Hash: D7316F31E1022ACFDB19DF69C4407AFB7B2FF95310F208529E805EB280DB75A851CB51

Function 011226DC Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2cc08fc8e3079daa5b1ec0595225bb843bd6ec4b9cc06d7f2814fa1128bba4
Instruction ID: 43ae1000a69785f28aa2bd5b041a1d66ddc6a8cb595f6148078745f6d22bc706
Opcode Fuzzy Hash: 2e2cc08fc8e3079daa5b1ec0595225bb843bd6ec4b9cc06d7f2814fa1128bba4
Instruction Fuzzy Hash: 7A41E0B0D00349DFEB14DFA9C484ADEBBF5BF98314F248429E809AB250DB759945CB91

Function 01127D80 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37321efd231b6bc5d588c4f785cd65660ff926b800d1975cdbf77ab291eeba1a
Instruction ID: ca4447b17a93a93a2259a80699583afcb530ea967a5350860fb8ae7f1b7e8942
Opcode Fuzzy Hash: 37321efd231b6bc5d588c4f785cd65660ff926b800d1975cdbf77ab291eeba1a
Instruction Fuzzy Hash: D1316D31E1022ACBDB19DF68C4507AFB7B2EF95310F608529E805EB280EB759D52CB51

Function 011226E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e703560c0b15ab6e8d7fe4c80984ea46e50c601fd5ff2f59b49085c8d7ab68
Instruction ID: 84d8079042d7ab35e9ea102aab02d4cf9d2b48447e9c1507d1f7ad11cc568d1e
Opcode Fuzzy Hash: e3e703560c0b15ab6e8d7fe4c80984ea46e50c601fd5ff2f59b49085c8d7ab68
Instruction Fuzzy Hash: 4D41EEB0D00348DFEB14CFA9C884A9EBBF5FF48310F248029E809AB250DB75A945CB91

Function 011250A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e39e4fc02afd6d34dc1d687a7b0da762f8230d421c204183acddbb576adf091c
Instruction ID: 9fdef4f712ed0b4125811bee8aeeda84a023b62f6ee9ece3b166bd23af4199fe
Opcode Fuzzy Hash: e39e4fc02afd6d34dc1d687a7b0da762f8230d421c204183acddbb576adf091c
Instruction Fuzzy Hash: 2E312B30B14226CFDB5DEB78C9546AE77F2AF88644F20046CD801AB398DB3ADC51CB95

Function 01125097 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98eccf52fedca62421485c103b8c45466b2d8f27c80b464ab03ec78a995b2e63
Instruction ID: 6c5ab6be9cbefa945bc46550ddc0315b7146599771ff2769af399b30c06c1dfb
Opcode Fuzzy Hash: 98eccf52fedca62421485c103b8c45466b2d8f27c80b464ab03ec78a995b2e63
Instruction Fuzzy Hash: D8313C30B10226CFDB59EB78C9A46AD77B2AF88244B20046CD401AB399DB3ADC51CB91

Function 0112A068 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06fcdf36be95ae2b4dd3aa5602248f40ef9e67e49c299d86fa382b33574e2ac3
Instruction ID: 3bf4320e038147871582dcd9cf74fc79d393a9737feddd131c7644b4eba8befd
Opcode Fuzzy Hash: 06fcdf36be95ae2b4dd3aa5602248f40ef9e67e49c299d86fa382b33574e2ac3
Instruction Fuzzy Hash: E931C535E1021A9BDB19CFA8D85479EF7B2FF89310F14C619E801EB741DB75A881CB90

Function 0112169F Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee29db739c1ea48ee0c28d766549c231af331ddc6751849e9dfc82fe4dedadd
Instruction ID: 196e60421f136d69015640f80b34f15c3977fe872d31fb6eb39fe61d36b05227
Opcode Fuzzy Hash: 1ee29db739c1ea48ee0c28d766549c231af331ddc6751849e9dfc82fe4dedadd
Instruction Fuzzy Hash: 8F2191356302179FDF26EB7CF8847AD3362FB8A204F148965D006C7357EB29C8568B92

Function 0112A078 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3478be72422054b3b4268eab5ded716bd115403cde3e03b02cb88020fd5b6a75
Instruction ID: 40f33607de2e452104a54cf392a6953ca5f798c382e12eee5667908b5eda40ad
Opcode Fuzzy Hash: 3478be72422054b3b4268eab5ded716bd115403cde3e03b02cb88020fd5b6a75
Instruction Fuzzy Hash: 9921A635E1021A9BDB19CF68E85069EF7B2FF89310F24C619E805FB741DB759852CB90

Function 010DD006 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694128806.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10dd000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3518c2f691135380483325fa62698cd3bfa774a32a95a316fdd298716f9f23
Instruction ID: 2528add1c60b985808cbc6467739b1e43811fdf43533d9b9ffa4455d55edf529
Opcode Fuzzy Hash: 6b3518c2f691135380483325fa62698cd3bfa774a32a95a316fdd298716f9f23
Instruction Fuzzy Hash: 54219E7550D3C49FC703CB64C890711BF71AB86214F29C5DBD9888F2A3C23A980ACB62

Function 01129F68 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b73e1d630e711b12df57cc044a581826fe22486cc70d013f01bbdac8488d7f
Instruction ID: ddaa10934f49d937603135edb323be3b9c225e38ea6f93cbd3090d3394c5d06c
Opcode Fuzzy Hash: 67b73e1d630e711b12df57cc044a581826fe22486cc70d013f01bbdac8488d7f
Instruction Fuzzy Hash: D4217731E003299BCB19CF68D450ADEFBB2EF89314F24851AE816FB741DB759846CB51

Function 01121488 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb50ac234a58a0ef1ab3090ad8c471988cc3d6e2a0687be2e1d2f0bf35cfbda7
Instruction ID: ec2b8b74d00549660ec53bc5faf9024d08473e8429ab6cf3d6a6cc8d283a5707
Opcode Fuzzy Hash: eb50ac234a58a0ef1ab3090ad8c471988cc3d6e2a0687be2e1d2f0bf35cfbda7
Instruction Fuzzy Hash: 7B21E471A002669FCF2AEFBCD4502AD77E5EB49224F1404B9D80ADB301EB35C95287D2

Function 0112A852 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e913e02ae0d6ee680e25d0084e22fe39ce13ed96dbb502568f44481b678fa27
Instruction ID: a4efddda7fd7b282f5fa63e0044c9fb64fda85d5400f5bf9281cb449de7c8557
Opcode Fuzzy Hash: 3e913e02ae0d6ee680e25d0084e22fe39ce13ed96dbb502568f44481b678fa27
Instruction Fuzzy Hash: 0621F435B002148FEB18CB79D954BAD7BF6AF88710F118129E101EB7A4EBB1CC008B50

Function 01126B98 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e8b178e33778376a517cfde9ff376421c6d21d8c6b0d75d54c6c11c3f8f3392
Instruction ID: 334d971ef7d036e75ff8a8e10e6cc63457c3f4a591b8c4df14a7bfe8346f9d99
Opcode Fuzzy Hash: 1e8b178e33778376a517cfde9ff376421c6d21d8c6b0d75d54c6c11c3f8f3392
Instruction Fuzzy Hash: 4D2138317182518FC71AEB78D4602AD7BB2EFCA610B1484AED046CB78ADE39DC41C792

Function 010DD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694128806.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10dd000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0213a0bc9a109063310d0aa0e6b061f0e72e94a16fc068d43846d485dd626c
Instruction ID: 5c09b4059f19989d064e262baea5eab075a44dc5f8fe919a22fa406e781f4036
Opcode Fuzzy Hash: 3d0213a0bc9a109063310d0aa0e6b061f0e72e94a16fc068d43846d485dd626c
Instruction Fuzzy Hash: 1D210071504304EFDB11DFA4D980B26BFA5FBC4314F24C5A9E9890B282C336D846CB62

Function 01124F8A Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c0ad06c7d9ed1098b69375bb79ae8dacc3219e78c32f7f7f2cec88e2914f1d
Instruction ID: c35df6f6dfa89e947e3d0e61a30f544888aec190d406e6ec0afe99f7263031d2
Opcode Fuzzy Hash: d5c0ad06c7d9ed1098b69375bb79ae8dacc3219e78c32f7f7f2cec88e2914f1d
Instruction Fuzzy Hash: 5F215E30B001158FDB58DB78C598AAD7BF2EF88704F100468E406EB369DB7A8D01CB91

Function 01121888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b062d54e310c4a72cb471652cb0c489d2e80697c6149798fe83306a9fa959d
Instruction ID: 6150dd6bf1707340441d7304027c4a1212a5f09aa73d86c5d0e4a2119f0a9526
Opcode Fuzzy Hash: 80b062d54e310c4a72cb471652cb0c489d2e80697c6149798fe83306a9fa959d
Instruction Fuzzy Hash: E3213D30B042259FDF18EB68C5547AE77F2AF89344F200468D506EB394EB768D61CBA1

Function 01129F78 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ffe166ee4965bd7eed2d54093c7effdffa781106d89614bf39c19cac4702ab
Instruction ID: ddf525ebf3ce0a4672d051972e273f4e1a491845dc67a3c03ff9ffe5463daa0a
Opcode Fuzzy Hash: 15ffe166ee4965bd7eed2d54093c7effdffa781106d89614bf39c19cac4702ab
Instruction Fuzzy Hash: F5216530E0032A9BDB1DCF68D450A9EF7B2AF89314F14851AE816FB741DB71A945CB51

Function 011216B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d138e503c9999ac7610e979e83df80fb23faf938c36bc9d2ce8ff0ea8cf9603c
Instruction ID: fd3d1830317d77790d840cad9f2f92300baea6d568776074d243fd6d0279221d
Opcode Fuzzy Hash: d138e503c9999ac7610e979e83df80fb23faf938c36bc9d2ce8ff0ea8cf9603c
Instruction Fuzzy Hash: 44216D356302179BEF26EB7CF8847993366FB89604F108A21D006C735AEB39D8518B92

Function 01121878 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8946b0ff368ba81f299e5704436ffad99a445851fb77e2e3ab480f3580af3a90
Instruction ID: 7222132e3f4e33c4940b9cf23ab9763316eac20f024a57796fc2907b802a6289
Opcode Fuzzy Hash: 8946b0ff368ba81f299e5704436ffad99a445851fb77e2e3ab480f3580af3a90
Instruction Fuzzy Hash: B0215E31B042669FDF18EB68C5547AE77F2AF49344F20046DC506EB3A4EB768D50CB91

Function 01121382 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a2bf95c09d6f877066cd8aa657f5ecda3482e59abd0ad7715c0ddc878a0e1a
Instruction ID: f2fca6e94832f5bb28b87c5cc3a39699410c0d068dadd6816253b707b5aef748
Opcode Fuzzy Hash: 96a2bf95c09d6f877066cd8aa657f5ecda3482e59abd0ad7715c0ddc878a0e1a
Instruction Fuzzy Hash: 12212CB1A641519BEF3A972CE58836C7762FB03351F504869E40BC7782DB39C865C783

Function 01124F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9853b9dd1e1cd0488ca1a0f7701840e39003d2d97604470aeb1a913ff0fd1f3
Instruction ID: 0b4b5a05cb4143326b3e02497fff74427fea08614851ceb2027ff23ce1f7e24d
Opcode Fuzzy Hash: c9853b9dd1e1cd0488ca1a0f7701840e39003d2d97604470aeb1a913ff0fd1f3
Instruction Fuzzy Hash: 17211B30B102158FDB58EB79C958A9E7BF1EF89704F100468E406EB369DB7A9D00CB95

Function 01120848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9711eb8e8a2a2f0c967892882188ba1cfc7659ba05e7665d973bd7f15c0b7c5
Instruction ID: 56067d3d7df152580f57e58f516095ebfeeaf84a21659fa9663d210c64a8e1c7
Opcode Fuzzy Hash: c9711eb8e8a2a2f0c967892882188ba1cfc7659ba05e7665d973bd7f15c0b7c5
Instruction Fuzzy Hash: 62118231F102294BEF6DA6BCD44436A3255FB8A610F218A79F006DF352EBA5CC958BC1

Function 01120838 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e151abf638f5bbe021e2ba93492a7a009a9df708efcb1877d387bb48faa3e5f6
Instruction ID: 9cc5eabbe67ecbc065089891943dd16cb4d1f0db125acf04b82d23f56c5f953f
Opcode Fuzzy Hash: e151abf638f5bbe021e2ba93492a7a009a9df708efcb1877d387bb48faa3e5f6
Instruction Fuzzy Hash: 5611C631F243254BEF2E6678D54436B3251E74A210F108A3EF006DB246EBA5C8658BC2

Function 011217C0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57942c725c119502d6f87d9cf70ad72c2ecdf4059ca8fffe62eff34837cfe241
Instruction ID: a524051a64fa0cb4b71405ca24a91716bd3ca0673b4e476df27c2c73712ebe87
Opcode Fuzzy Hash: 57942c725c119502d6f87d9cf70ad72c2ecdf4059ca8fffe62eff34837cfe241
Instruction Fuzzy Hash: 6E11E176F012639FCB11AFB8994466F7BF5AB89690F100829E906E3344EB39C811C781

Function 0112DBCF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e9663fc5ae0eadeec554ae131b538cc710260d2527e1f8cac1e44bf98d1518
Instruction ID: 81406339aecaaa365ca205b5dc6f12285e9bd0f08c2db6aab9478a2ec61315ec
Opcode Fuzzy Hash: c6e9663fc5ae0eadeec554ae131b538cc710260d2527e1f8cac1e44bf98d1518
Instruction Fuzzy Hash: 3401D8727052355FEB18AAD9F8547ABB76AFFC0B20B10892ED1184F144CBB26C21C7D4

Function 01121498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59858643d3e47de714c164676d7aedb348ce22791bc94d00062433c2e0b46f63
Instruction ID: e6a744b2adf2d46dd49eb961a87da7188705b792348ae36fd7907dbe0b8dd72b
Opcode Fuzzy Hash: 59858643d3e47de714c164676d7aedb348ce22791bc94d00062433c2e0b46f63
Instruction Fuzzy Hash: E6014031E002669FCB29EFBC84505AE7BF5EB49224B1505BAD805E7301E735C952CBD5

Function 0112A6B8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a127dad2db00de4d0744a5ba1fdf11e932fe937611cece65d90de1bd6e1eb87d
Instruction ID: aa0cc7c882276de698ea2fe16e2c33b97fab33eb9286eec30861fa6eb810fe50
Opcode Fuzzy Hash: a127dad2db00de4d0744a5ba1fdf11e932fe937611cece65d90de1bd6e1eb87d
Instruction Fuzzy Hash: 40110430A002048BDB14DFA8E8847DABBB2FFD9310F14C178CC881F696E7749905CBA1

Function 01128F08 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff53a6883b6fc61259886ebd9cab0fca2c281aaea57e17e66397966e492f664
Instruction ID: 7c5dc92c5d77db1e6313b2b5b297adef9bf478ee567b0cbf22637972717e3abb
Opcode Fuzzy Hash: cff53a6883b6fc61259886ebd9cab0fca2c281aaea57e17e66397966e492f664
Instruction Fuzzy Hash: 9C01843592024ADFCB46FBB8F9606EC7BB2FF85200F1486A9C0459B355EB351E059B51

Function 01121524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d9f12929cd4ce2c15548f6395895894edcd16bfbbd3bfaa591812331fa2af1
Instruction ID: 3f8ff6c840de92a1da7cadfd834097b75554419bf6ba05683447527e154b3fff
Opcode Fuzzy Hash: 76d9f12929cd4ce2c15548f6395895894edcd16bfbbd3bfaa591812331fa2af1
Instruction Fuzzy Hash: 39F02B33A08170EFDB1ACBE894501AC7FB0EA6911171D00E7D806DB201D321D452C752

Function 01127EA8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc5bf06eda34beb3bc9da4a331dca07034d4ac95e04e56cf5f71e2d4f13b4b2
Instruction ID: 68a7a2ae66e0ed9299d190e292492cee18add97af97a34283ceca9d35bb2f532
Opcode Fuzzy Hash: 1dc5bf06eda34beb3bc9da4a331dca07034d4ac95e04e56cf5f71e2d4f13b4b2
Instruction Fuzzy Hash: C8F0C435B40214CFCB04EB68D598A6D77B2EF89755F6488A8E5069B3A0DB35AD12CB40

Function 01128F18 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf32d69ce02057df5e780d6ccab30986d1788cced9e145e4be3a72eed7d188b1
Instruction ID: 7512161ce1673898faccc222ff3ad8073a564eef77e54eb4cd509d2e644132fd
Opcode Fuzzy Hash: cf32d69ce02057df5e780d6ccab30986d1788cced9e145e4be3a72eed7d188b1
Instruction Fuzzy Hash: DEF0EC3593020EDFDB41FBB8F9506DD77B5BB84600F1096B8C0459B255EF366E049B92

Function 0112A957 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2694531337.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1120000_980001672 PPR for 30887217.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dcb16ea5e12df0e608b631c98ff28504d9250c20f4b5475b89e375aebbb76a9
Instruction ID: bd0685755ac2c6852d7e0f68d3b11d216f733b8c0d355d8673fbbd8ebfa40ade
Opcode Fuzzy Hash: 9dcb16ea5e12df0e608b631c98ff28504d9250c20f4b5475b89e375aebbb76a9
Instruction Fuzzy Hash: 1EB0124110F3C01EC20352102C157C23F110B97300F35409F40C01505255074C068B17

Analysis Process: PpIvKmzUbDB.exePID: 1628, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	257
Total number of Limit Nodes:	20

Executed Functions

Function 0196D450 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0196D4DE
GetCurrentThread.KERNEL32 ref: 0196D51B
GetCurrentProcess.KERNEL32 ref: 0196D558
GetCurrentThreadId.KERNEL32 ref: 0196D5B1

Memory Dump Source

Source File: 0000000A.00000002.1513405263.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1960000_PpIvKmzUbDB.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: bb15ca53875fb205d5f7c1e4d44f3d2de970bd8c90ea9b8a4059f4a3205ba8a2
Instruction ID: d37c7620071fa7d699a61345a3a2dc921ae55b734bd0a11fc32feb65ddd89059
Opcode Fuzzy Hash: bb15ca53875fb205d5f7c1e4d44f3d2de970bd8c90ea9b8a4059f4a3205ba8a2
Instruction Fuzzy Hash: B65178B0900709CFEB18DFA9D588BAEBBF5EF48314F248059D019AB360D7359944CF62

Function 0196D460 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0196D4DE
GetCurrentThread.KERNEL32 ref: 0196D51B
GetCurrentProcess.KERNEL32 ref: 0196D558
GetCurrentThreadId.KERNEL32 ref: 0196D5B1

Memory Dump Source

Source File: 0000000A.00000002.1513405263.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1960000_PpIvKmzUbDB.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2bc46f8e40294c21115910f6aecf45b48c0d772c7533a82554c122cc248dc01d
Instruction ID: d0745fe1f49b6f4a3a3fcc07faae9530128de073da063aaf0800f0ab3aa5d609
Opcode Fuzzy Hash: 2bc46f8e40294c21115910f6aecf45b48c0d772c7533a82554c122cc248dc01d
Instruction Fuzzy Hash: 075178B0900709CFEB18DFAAD548B9EBBF5EF88314F208059D019AB360D7359944CB62

Function 07816AE4 Relevance: 1.8, APIs: 1, Instructions: 283
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07816D26

Memory Dump Source

Source File: 0000000A.00000002.1518909863.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7810000_PpIvKmzUbDB.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b26586906cd390242240a290fdb8dd0333541b623824e796aa05fddc6939df96
Instruction ID: 6a897d074c5721c32b48f0a1e76a94f124b7d972de92550c59f1eba55184f283
Opcode Fuzzy Hash: b26586906cd390242240a290fdb8dd0333541b623824e796aa05fddc6939df96
Instruction Fuzzy Hash: 38B17BB1E0021ACFEB20CF69C8407EEBBB5FB54310F1485A9D898E7240EB759995CF91

Function 07816AF0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07816D26

Memory Dump Source

Source File: 0000000A.00000002.1518909863.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7810000_PpIvKmzUbDB.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a937effc58f2c2b64187f01c3ac7720f37aecb1dba5abeea084ad58fa170c186
Instruction ID: 63fc1b3982126531ab05765e8fa458c52333b012b3ab5bd0da7227aa044a5594
Opcode Fuzzy Hash: a937effc58f2c2b64187f01c3ac7720f37aecb1dba5abeea084ad58fa170c186
Instruction Fuzzy Hash: 629159B1E0021ACFEB10CF69C8817EDBBB6BB48310F1481A9D858E7240EB759995CF91

Function 0196B1C8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0196B41E

Memory Dump Source

Source File: 0000000A.00000002.1513405263.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1960000_PpIvKmzUbDB.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 14f9ecd3b2f968545ce6b445099cde3189f1a8c0770797cf6e2837c016c5a0b8
Instruction ID: 01ce955487ff9da22b72e60cbfcc66e3c51669020ce473c908896d594e6859ca
Opcode Fuzzy Hash: 14f9ecd3b2f968545ce6b445099cde3189f1a8c0770797cf6e2837c016c5a0b8
Instruction Fuzzy Hash: B5714570A00B058FE724DF6AD444B9ABBF9FF88204F00892DD44AD7B50EB75E945CBA1

Function 078165F0 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 078165A0

Memory Dump Source

Source File: 0000000A.00000002.1518909863.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7810000_PpIvKmzUbDB.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9d82fe628ed226740a394dccc5bf449d4518b7783e4c814d1621756a90597bb5
Instruction ID: f93e74b4b5efb5f684ef5b5fe52c1970d14b43cae373aa8378e768556ae8f2a6
Opcode Fuzzy Hash: 9d82fe628ed226740a394dccc5bf449d4518b7783e4c814d1621756a90597bb5
Instruction Fuzzy Hash: 26614BB1E0021A8FDB24CFA9C5406AEFBB6FF89300F24C16AD458A7255DB359941CFA1

Function 057D1CE4 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 057D1E02

Memory Dump Source

Source File: 0000000A.00000002.1517602236.00000000057D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57d0000_PpIvKmzUbDB.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e73ccdee8990c61e98676f164f5fccfd8bd9b6d65b131a59edb0817fde638b8a
Instruction ID: 039521b6ad49d5dbe11db3a51fac723be25c63f55638b6799dbc3e2f94ecc4fa
Opcode Fuzzy Hash: e73ccdee8990c61e98676f164f5fccfd8bd9b6d65b131a59edb0817fde638b8a
Instruction Fuzzy Hash: 9551B0B1D00309DFDB14CFAAC984ADEFBB5BF48310F64812AE819AB210D7759845CF90

Function 057D1CF0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 057D1E02

Memory Dump Source

Source File: 0000000A.00000002.1517602236.00000000057D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57d0000_PpIvKmzUbDB.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a3c614e70dd239190970f4ed8d01bff0179ba7ba39c5102fd479354fcb6e1c7d
Instruction ID: 41ddea39633a9a9b1e37c879ecb108214ff5d0bbde52fc05878bb4784d58d9cd
Opcode Fuzzy Hash: a3c614e70dd239190970f4ed8d01bff0179ba7ba39c5102fd479354fcb6e1c7d
Instruction Fuzzy Hash: 4641B0B1D00349DFDB14CFAAC984ADEFBB5BF88310F64812AE819AB210D7759845CF90

Function 057D1264 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 057D4381

Memory Dump Source

Source File: 0000000A.00000002.1517602236.00000000057D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57d0000_PpIvKmzUbDB.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 65ccfe90193830818c438bf720f2826c567aaad6c7f2fa1c3692449bf43004d5
Instruction ID: 23ade3062a6d68eaeade674094e939b5bdf1f9c3731963af16b63a9f841a3e16
Opcode Fuzzy Hash: 65ccfe90193830818c438bf720f2826c567aaad6c7f2fa1c3692449bf43004d5
Instruction Fuzzy Hash: 98412AB4900709DFDB14CF99C488AAAFBF6FB88314F148459D519AB321C374A841CFA0

Function 019644B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 019659C9

Memory Dump Source

Source File: 0000000A.00000002.1513405263.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1960000_PpIvKmzUbDB.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2d5bf2252f629dcd4dfda2a1d0ae0fa92ac8a2fa8bea99059bdc4498b59bfefe
Instruction ID: 087e23c06e38079b7cc3535374cb3f83c92800d474542bd68938ec96314611fc
Opcode Fuzzy Hash: 2d5bf2252f629dcd4dfda2a1d0ae0fa92ac8a2fa8bea99059bdc4498b59bfefe
Instruction Fuzzy Hash: F041D271C0071DCFEB24CFAAC985B9EBBB5BF89704F60806AD408AB251DB715945CFA0

Function 0196590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 019659C9

Memory Dump Source

Source File: 0000000A.00000002.1513405263.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1960000_PpIvKmzUbDB.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c88a3a191be38c1ee8fd240e79232dd648516b013d8aa28a5852109765022fe5
Instruction ID: 028d88d8dae154dc530e29c5c15c9e26da38bb8a9242e9587c0736230ead54ba
Opcode Fuzzy Hash: c88a3a191be38c1ee8fd240e79232dd648516b013d8aa28a5852109765022fe5
Instruction Fuzzy Hash: 2B41F3B1C00719CFEB24CFA9C985BDEBBB5BF89704F24806AD408AB251DB755946CF50

Function 07C62E41 Relevance: 1.6, APIs: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 07C62F0F

Memory Dump Source

Source File: 0000000A.00000002.1519075850.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c60000_PpIvKmzUbDB.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 7c75dd83aec9bde982657afb385dd988c18864150eb0f6a6af42af4c40029cb2
Instruction ID: 36a18d74c82016df31c0a8dbc5e2b146a1bdd5dc7223ea5da3a3392424cdf626
Opcode Fuzzy Hash: 7c75dd83aec9bde982657afb385dd988c18864150eb0f6a6af42af4c40029cb2
Instruction Fuzzy Hash: FB318C72804359DFCB118FAAC884B9ABFF9EF09310F04805AE954A7261C3359954DBA1

Function 07816428 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078164C0

Memory Dump Source

Source File: 0000000A.00000002.1518909863.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7810000_PpIvKmzUbDB.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 16ae9bf89d17bb3a3b64a2b90dfc808e3e2d0d5d13b9b4df8fe60ecbffcf274a
Instruction ID: 81632bacd9b58e6e65dce515eca1796416a1a970b091d701595e7ec407ef4622
Opcode Fuzzy Hash: 16ae9bf89d17bb3a3b64a2b90dfc808e3e2d0d5d13b9b4df8fe60ecbffcf274a
Instruction Fuzzy Hash: F82148B5900359DFDB10CFAAC8407DEBBF5FF48310F14882AE958A7241D7789545CBA5

Function 07816430 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078164C0

Memory Dump Source

Source File: 0000000A.00000002.1518909863.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7810000_PpIvKmzUbDB.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 325937a035a631ad8a7f419a88f50af8a28a0e8e410db9d7b0f8406feb4c6928
Instruction ID: 135a89ec27e44848830f8ea2262164ab6bc15fe0460c13d49079027ba35f86cb
Opcode Fuzzy Hash: 325937a035a631ad8a7f419a88f50af8a28a0e8e410db9d7b0f8406feb4c6928
Instruction Fuzzy Hash: A82125B1900359DFDB10CFAAC881BDEBBF5FF48310F14882AE958A7240D7799944CBA4

Function 07816518 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 078165A0

Memory Dump Source

Source File: 0000000A.00000002.1518909863.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7810000_PpIvKmzUbDB.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8bf09b342725d10d62e135c5666f3262e64baeb3bd54ba97fd436e4c037fa16b
Instruction ID: 350e653ab0854f8d18edf2113dd5a55952b38129bd4e1f9ee8e7780d40b4e5fb
Opcode Fuzzy Hash: 8bf09b342725d10d62e135c5666f3262e64baeb3bd54ba97fd436e4c037fa16b
Instruction Fuzzy Hash: 032139B1D00259DFDB10CFAAD840BEEBBF5FF48310F14842AE558A7240D7799541CB61

Function 07816290 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07816316

Memory Dump Source

Source File: 0000000A.00000002.1518909863.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7810000_PpIvKmzUbDB.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f70255d22b14d2abdc5bd4860f32bca33b6f11348a8927093a635b5aaab846cb
Instruction ID: 59b1dac9d3a39989548554e932514b224363536c6462823709b93280776e0f8c
Opcode Fuzzy Hash: f70255d22b14d2abdc5bd4860f32bca33b6f11348a8927093a635b5aaab846cb
Instruction Fuzzy Hash: E32125B1D003099FDB14CFAAC4857EEBBF4FF88310F14842AD459A7241DB789945CBA5

Function 0196D6A1 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0196D72F

Memory Dump Source

Source File: 0000000A.00000002.1513405263.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1960000_PpIvKmzUbDB.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 994da07d1f312687782b6b0191432162893441e42318a01cb4a55457f4dd4887
Instruction ID: 3d064cb1f9f076daecc03dcb9d71dcc5d32075ca22a78faf8aadb7329ede6a09
Opcode Fuzzy Hash: 994da07d1f312687782b6b0191432162893441e42318a01cb4a55457f4dd4887
Instruction Fuzzy Hash: 9A21E3B5900348AFDB10CFAAD984ADEBBF8EB48310F14841AE958A7310D378A940CF65

Function 07816298 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07816316

Memory Dump Source

Source File: 0000000A.00000002.1518909863.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7810000_PpIvKmzUbDB.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5570039c03e88f49c6336c612e9c5f4a47aac46a974c7632c1f4d420e8ed1f6b
Instruction ID: dc33f88954ee72491305b39d8ccb1f03fcbdae775f54561b6b10e065624542a8
Opcode Fuzzy Hash: 5570039c03e88f49c6336c612e9c5f4a47aac46a974c7632c1f4d420e8ed1f6b
Instruction Fuzzy Hash: 732135B1D003099FDB10DFAAC4857AEBBF4EF88210F14842AD459A7241DB789945CFA5

Function 07816520 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 078165A0

Memory Dump Source

Source File: 0000000A.00000002.1518909863.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7810000_PpIvKmzUbDB.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8c73c1c43598ab4717f4207d214b2adeb8d8a85e49b3352b374b540bf7338bdd
Instruction ID: 7a55770efc08de821c76e4f4a726d8e6420c259617fbc623556836e5e7c94285
Opcode Fuzzy Hash: 8c73c1c43598ab4717f4207d214b2adeb8d8a85e49b3352b374b540bf7338bdd
Instruction Fuzzy Hash: F52128B1D003599FDB10CFAAC941BDEBBF5FF48310F14842AE959A7240D7799500DBA5

Function 0196D6A8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0196D72F

Memory Dump Source

Source File: 0000000A.00000002.1513405263.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1960000_PpIvKmzUbDB.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 79a4629ff7ebed44752a61f192a2438aa15119bec5346346fecb66b658a6e2df
Instruction ID: 7a968c1dff63d9c783848d89684a78bc0b21924b593a32d603572deb22de3aaa
Opcode Fuzzy Hash: 79a4629ff7ebed44752a61f192a2438aa15119bec5346346fecb66b658a6e2df
Instruction Fuzzy Hash: 7B21C4B5900248DFDB10CFAAD984ADEFBF8FB48310F14841AE958A7350D379A944CF65

Function 07816368 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 078163DE

Memory Dump Source

Source File: 0000000A.00000002.1518909863.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7810000_PpIvKmzUbDB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b8ab14b3fe1fca248f108c073fdd7f70e8157b7903102d071016cd792670ebc1
Instruction ID: 3376bca723eeeb9d41670c884e42a73491a585f706b97d4329a3528c85ef3a32
Opcode Fuzzy Hash: b8ab14b3fe1fca248f108c073fdd7f70e8157b7903102d071016cd792670ebc1
Instruction Fuzzy Hash: 74115971900249DFDB20CFAAC844BEFBBF5EF88310F14881AE555A7250CB359541DBA1

Function 07C62EA0 Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 07C62F0F

Memory Dump Source

Source File: 0000000A.00000002.1519075850.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7c60000_PpIvKmzUbDB.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: e2878c460db41c99ae4122ea7b733d58cfbd0f2974f5f462cffac7dd1b522f1b
Instruction ID: 4c9fccd8d4bb446dcc62fa93bf77401cd063cc3d402572fa12d9f8fb15c9c112
Opcode Fuzzy Hash: e2878c460db41c99ae4122ea7b733d58cfbd0f2974f5f462cffac7dd1b522f1b
Instruction Fuzzy Hash: DC1104B5800259DFDB10CFAAD884BDEBFF8EB48320F14841AE914A7250C379A954DFA5

Function 07816370 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 078163DE

Memory Dump Source

Source File: 0000000A.00000002.1518909863.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7810000_PpIvKmzUbDB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 35362852fa49b0e110cedf0639bc6f1535ecfcb14ce6cccafa537700f472821b
Instruction ID: 6ad452296905bac4f5f317f1154c3dae636e2f7377eefff4e209e5e7520624e5
Opcode Fuzzy Hash: 35362852fa49b0e110cedf0639bc6f1535ecfcb14ce6cccafa537700f472821b
Instruction Fuzzy Hash: 921126719002499FDB10DFAAC844BDEBBF5EB88310F148819E519A7250CB769540CBA1

Function 078161E0 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0781624A

Memory Dump Source

Source File: 0000000A.00000002.1518909863.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7810000_PpIvKmzUbDB.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ca9193eb0c6388ade4c84fe6072c17a231cd4f8573bee7687135f1e8643eff60
Instruction ID: d0c932758e42c0b84e6f16f0cc418cec3924a09d5f8a8a56627d9d3a89dd12dd
Opcode Fuzzy Hash: ca9193eb0c6388ade4c84fe6072c17a231cd4f8573bee7687135f1e8643eff60
Instruction Fuzzy Hash: 86115BB1D00249CFDB20CFAAD8447EEFBF4AB88310F24845AC459A7240CB759541CBA5

Function 078161E8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0781624A

Memory Dump Source

Source File: 0000000A.00000002.1518909863.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7810000_PpIvKmzUbDB.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e0566eeac69c8e74d3d3a0ca5ae7fd6142b450f9a0075372a6552fae08498816
Instruction ID: 40cb080b69466ec824e8d7099a27c2c89ca9e199a944d5ede587a2bb80957b8e
Opcode Fuzzy Hash: e0566eeac69c8e74d3d3a0ca5ae7fd6142b450f9a0075372a6552fae08498816
Instruction Fuzzy Hash: 76113AB1D003498FDB20DFAAD44579EFBF8EF88310F248819D519A7240CB796544CBA5

Function 0196B3B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0196B41E

Memory Dump Source

Source File: 0000000A.00000002.1513405263.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1960000_PpIvKmzUbDB.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1124d16bb29f218e84f6c5d7c2862fe16697c6aca744e1bacab201a73b90fd94
Instruction ID: d111616dddd639ff275797be2136c8bafd2bcd778e737ac7bbd5d41692b8d999
Opcode Fuzzy Hash: 1124d16bb29f218e84f6c5d7c2862fe16697c6aca744e1bacab201a73b90fd94
Instruction Fuzzy Hash: 48110FB5D006498FDB20CF9AD444ADEFBF8AB88614F14841AD829A7310D375A545CFA1

Function 078134E0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07819745

Memory Dump Source

Source File: 0000000A.00000002.1518909863.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7810000_PpIvKmzUbDB.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cd2900d764a8dc18f4a5d5dc7a17c645117f69f2e83b206374546a5568566348
Instruction ID: 8736af07596bad7149c0cbfe07a1a2da3311b80a4ee27ea46ae40d16f9883b09
Opcode Fuzzy Hash: cd2900d764a8dc18f4a5d5dc7a17c645117f69f2e83b206374546a5568566348
Instruction Fuzzy Hash: 0911F5B5800749DFDB10CF9AC485BEEBBF8EB48314F108859E518A7201C375A944CFA5

Function 078196E7 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07819745

Memory Dump Source

Source File: 0000000A.00000002.1518909863.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7810000_PpIvKmzUbDB.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9e874d5b72c35e0b05f6cb9384cb00a8f1d1fc434783262d9dd85e71e9a488ec
Instruction ID: a3fc7323229de76ff6df84e6f6cd090b34d3e0ac50b572bfc03fe098bfdc9c70
Opcode Fuzzy Hash: 9e874d5b72c35e0b05f6cb9384cb00a8f1d1fc434783262d9dd85e71e9a488ec
Instruction Fuzzy Hash: 2C1103B5800349DFDB20CF9AD885BDEFBF8EB48310F10885AE518A7600C375A544CFA1

Function 0171D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1512528153.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_171d000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba73659a43e070de0bce4cdb40e27713b2c90a70352bc4fe0c8d647b967383a4
Instruction ID: 0e8497dcb5a61561ae3c5c51ea6571f36616d2e1a6a90c46bd2f3dbdfac11ee6
Opcode Fuzzy Hash: ba73659a43e070de0bce4cdb40e27713b2c90a70352bc4fe0c8d647b967383a4
Instruction Fuzzy Hash: B82148B1540204DFDB25DF98D9C4B56FB65FB88314F20C1A8EC090B24AC336E446CFA2

Function 0172D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1512718892.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_172d000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbedf937988ac8cde9e79859fa0ecb80370f0cb3905b5e364a93e8ee32be5568
Instruction ID: 6e48e78bc08a2f98534c74e71dcb6038148aae63e4443a94e55103ae7ea6770c
Opcode Fuzzy Hash: bbedf937988ac8cde9e79859fa0ecb80370f0cb3905b5e364a93e8ee32be5568
Instruction Fuzzy Hash: FC212971508344EFDB25DF94D9C0B25FBA5FB85324F24C5ADE8094B252C336D447CA62

Function 0172D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1512718892.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_172d000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cfb03d42e7c4ffc66f3cc8c0d4222f3c5b61657fa73f12227dc305bb6b55142
Instruction ID: 37837fa1089211f03de1bd87053f1d1478f28b6d8154a0cc874a78c4dc3cb57c
Opcode Fuzzy Hash: 9cfb03d42e7c4ffc66f3cc8c0d4222f3c5b61657fa73f12227dc305bb6b55142
Instruction Fuzzy Hash: 14210371604244DFDB35DFA4D980B16FB61FB84214F20C5ADD8090B266C33AD407CA62

Function 0171D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1512528153.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_171d000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction ID: 06beaef832233a6e91092914489e76f238c1eaba2de71963decbec47fcf8d43f
Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction Fuzzy Hash: CE11CD72404240DFCB16CF48D9C4B56FF62FB84224F24C6A9DC090A65BC33AE456CFA2

Function 0172D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1512718892.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_172d000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction ID: 0add9548eb8624cab38f0c3551086d689fb33124c7a782f1b96b5f44bf560a26
Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction Fuzzy Hash: 8B11BB75504280DFCB22CF54D5C4B15FFA2FB88314F24C6AAD8494B666C33AD44BCBA2

Function 0172D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1512718892.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_172d000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction ID: 712af78a6f4b4226b14a47bdd5cc1ccb85cd6341df74d3e6e3f09961c172ceb4
Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction Fuzzy Hash: 2C11BB75908280DFDB12CF54C5C0B15FFA1FB85224F24C6A9D8498B696C33AD44ACB62

Function 0171D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1512528153.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_171d000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020029c0922b2cd1ccfdf47832e0fc325d0e0f635d67b4d6313b5eae001c7ec2
Instruction ID: 794ac82cd62f83aec0f5a2a563b310c7a911d96ddd9f799c9c8a61e9c375e103
Opcode Fuzzy Hash: 020029c0922b2cd1ccfdf47832e0fc325d0e0f635d67b4d6313b5eae001c7ec2
Instruction Fuzzy Hash: 5B01A771004784AAF7305EADDD88B67FF98EF81764F18C55AED090E28BD2799441CE72

Function 0171D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1512528153.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_171d000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc8fc0d1fe164a01c84006c43879f56d16b40381409041b5d27ebc69ecbe187
Instruction ID: 3e5b7277331d70b06384210db7a24df8b7955a753ce84b773d8b21f6e4310ee7
Opcode Fuzzy Hash: dbc8fc0d1fe164a01c84006c43879f56d16b40381409041b5d27ebc69ecbe187
Instruction Fuzzy Hash: 7FF06271404784AEE7209E5AD888B66FFD8EB81734F18C45AED084E297C2799844CFB1

Analysis Process: PpIvKmzUbDB.exePID: 1152, Parent PID: 1628COMMON

Execution Graph

Execution Coverage:	12.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	26
Total number of Limit Nodes:	5

Executed Functions

Function 010BA957 Relevance: 2.8, Instructions: 2830COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eae01b266d9278297f047fb6f426a585c8e3a750658764247c9a63941c5fdbb
Instruction ID: 2bf2690de0c6b41dd377818facc2a6aa76fd13241cf0e66cab3c617b39c2743f
Opcode Fuzzy Hash: 9eae01b266d9278297f047fb6f426a585c8e3a750658764247c9a63941c5fdbb
Instruction Fuzzy Hash: 2C53F631D10B1A8ADB51EF68C9846D9F7B1EF99300F11D79AE4587B121FB70AAC4CB81

Function 010BDD5F Relevance: 2.2, Instructions: 2201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b6d5d094b25a68346eee17dc8e9d8047dc7ab1d348c249ad36c6466fc7e4127
Instruction ID: 916558b94978b924d71c4b8a4546ee427e6524c7c8391ff5be718e1f5b1ad1eb
Opcode Fuzzy Hash: 2b6d5d094b25a68346eee17dc8e9d8047dc7ab1d348c249ad36c6466fc7e4127
Instruction Fuzzy Hash: 9C231E31D1071A8ADB11EF68C8845EDF7B1FF99300F15C79AE459A7221EB70AAC5CB81

Function 010B4A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811fa1c3aed66d3ac61beb2c5d9633df5e574964860314284de7a4a289a94bd1
Instruction ID: 8162273dfb993cd7cbcbd3b0a158f4aa43d33eeadbb2f2fcf8c87cd6759b7b33
Opcode Fuzzy Hash: 811fa1c3aed66d3ac61beb2c5d9633df5e574964860314284de7a4a289a94bd1
Instruction Fuzzy Hash: D7B18C70E00209CFDB50DFA8C8C1BEDBBF2AF88714F148129D956EB295EB749945CB81

Function 010B3E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd86cfebe161dcbc5b1f38069043bfc54dd31af177597df7f5992498ce860d1
Instruction ID: 2df5753b790fffd0158120ef7ea508f366ab64588ae35c6ced11ad2a1de7a4ec
Opcode Fuzzy Hash: 2cd86cfebe161dcbc5b1f38069043bfc54dd31af177597df7f5992498ce860d1
Instruction Fuzzy Hash: C2915B70E0020ADFDB50CFA9C8857EEBBF2BF88314F248529E445EB255EB749945CB91

Function 068FE950 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2708964161.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_68f0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92efbc7d7dd464191e7f3f5ab6c752cc749f5676e24ced5681a35856cf3e319
Instruction ID: 9aead60f8a999d041332110b1ec0c77ba118a5c704697c477424ffc68db874a1
Opcode Fuzzy Hash: d92efbc7d7dd464191e7f3f5ab6c752cc749f5676e24ced5681a35856cf3e319
Instruction Fuzzy Hash: 61412472D007499FCB14DFA9D8042AEBBF5AF89210F14856ADA44EB340EB749844CB91

Function 068FEA38 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 068FEA9F

Memory Dump Source

Source File: 0000000E.00000002.2708964161.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_68f0000_PpIvKmzUbDB.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 3d5bcbcab81c21bf397f77e3774234cfb1be8764eeb59e93a9f68dd5b9ebddfb
Instruction ID: cd144d582ae70c97d22b43429c7f44770601d595b2793f1e299b1fa3cbd46bb5
Opcode Fuzzy Hash: 3d5bcbcab81c21bf397f77e3774234cfb1be8764eeb59e93a9f68dd5b9ebddfb
Instruction Fuzzy Hash: F31112B1C006599BDB10CFAAC444B9EFBF4BB48220F14812AD918B7240D378A944CFA5

Function 010B8720 Relevance: .6, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980a619c896379a58b8b2f356ce4597484326443ce0ca2c6099cf92f40600f47
Instruction ID: 1c147191d39fc70a72af20ea7d39a6f92447f2bc1e455f467ad98eb6fe478713
Opcode Fuzzy Hash: 980a619c896379a58b8b2f356ce4597484326443ce0ca2c6099cf92f40600f47
Instruction Fuzzy Hash: E31290307002069BDB6AAB7CF49469C33D6FBCA210B109A39E146CF355DF75ED4A8B91

Function 010BA1AA Relevance: .4, Instructions: 404
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4486a6fa13fc33ca74ea68429eaf22cf4aa24568031fb3e07d40d1b54ab4db04
Instruction ID: 1fcbaaea7ecca4e7426f46a0a4931736a4a8b6502fd900e20617b46ca3f5a429
Opcode Fuzzy Hash: 4486a6fa13fc33ca74ea68429eaf22cf4aa24568031fb3e07d40d1b54ab4db04
Instruction Fuzzy Hash: 03E1BE30B00209CFDB55DB68D894AADBBF2FB89310F24856AE546DB391DB35DD42CB50

Function 010B4A8E Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90db7d182e2e6fccb462fa56834fff69decfa8ac6b65659fd1a071d9f4d0f506
Instruction ID: bb296c5c86f47d6d83020bdbffa8bf7b1a5ac2dc13ec349ffb54daa7159b1324
Opcode Fuzzy Hash: 90db7d182e2e6fccb462fa56834fff69decfa8ac6b65659fd1a071d9f4d0f506
Instruction Fuzzy Hash: F1B17C70E00209CFDB50DFA8C881BEDBBF1BF88714F148129D956EB255EB759945CB81

Function 010B3E74 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc3ab892cb06724158fcd7fbbb57f76cb857c957407787a78eb2df8a090c9a25
Instruction ID: b09290891abd842589056f6bf7343c62828448dbecdb105e6844dcda726302e6
Opcode Fuzzy Hash: dc3ab892cb06724158fcd7fbbb57f76cb857c957407787a78eb2df8a090c9a25
Instruction Fuzzy Hash: 9EA16A70E0020ADFDB50CFA8C8857EEBBF1BF88314F248529E485EB255EB749945CB91

Function 010B6ECF Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68a014d06305eb3de7f152715b643f4fe0aad03b64d00ca8ab52b5d255ec9f1
Instruction ID: cb8e6182ef93665f4983aae6b4a8df7214041b7b78509d4fe782c5719dcc8afd
Opcode Fuzzy Hash: d68a014d06305eb3de7f152715b643f4fe0aad03b64d00ca8ab52b5d255ec9f1
Instruction Fuzzy Hash: B3518E34710215CFDB54EB68C598AAE77F2FF89700F2040A9E546EB3A1DB769C41CBA1

Function 010BA6C8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd733411bc1cb6930e470843f765ecb33cb20f74e4658bf4cac35bbeabc1a5f1
Instruction ID: fd9f7a7f94e639b5b6852dc8ff57f1247ef16bc0c3191ec54fe4b3b123eefd9c
Opcode Fuzzy Hash: bd733411bc1cb6930e470843f765ecb33cb20f74e4658bf4cac35bbeabc1a5f1
Instruction Fuzzy Hash: 1C513971A00209CFDB54DF69E884B99FBB2FF88310F14C2AAE9099F355E7709945CB90

Function 010B6CD4 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b93585b10d624950e686bc7d25969474a49018a4cc75ba7d857b8981653d438
Instruction ID: 598d156de4d13fcf772076c1c359eb2a7441d0f9d9d5d2165abc053833d51803
Opcode Fuzzy Hash: 0b93585b10d624950e686bc7d25969474a49018a4cc75ba7d857b8981653d438
Instruction Fuzzy Hash: 7B512270D00218CFDB18DFA9C884BEEBBF1BF48300F148169E859AB391D775A844CB95

Function 010B6CE0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6345fd5dfb8fc6d3951b83c9bd5b6bea2430f0f1636c020d0027eaae09da1c29
Instruction ID: 487aaf31d6bca29fbf7f3f79864c8e48f70b3bb325f7f304f387f39fe33097dd
Opcode Fuzzy Hash: 6345fd5dfb8fc6d3951b83c9bd5b6bea2430f0f1636c020d0027eaae09da1c29
Instruction Fuzzy Hash: E4510070D002188FDB18DFA9C884BEEBBF1BF48310F14856AE855AB391D775A844CF95

Function 010B1128 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c202e905b314a03db4674e2454188c42f60e8d231e26f5509326350010fc6590
Instruction ID: 06f8d03a2bb8a405ead3759066e9a66471db3f49ecc52c8efbeb737b498573b7
Opcode Fuzzy Hash: c202e905b314a03db4674e2454188c42f60e8d231e26f5509326350010fc6590
Instruction Fuzzy Hash: A8511A3125124EDFC70AFF6CF8A09D93BA3BB96204304497AD0448B27EEB756905CB92

Function 010B1138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a10e4dd5c44cc3c821ecd9a6aaee0ce7ea19a4307995b8c08b48a6e439eb605d
Instruction ID: 5e846190525e9bf34747343504452400a3892af155414519d154682034c143a7
Opcode Fuzzy Hash: a10e4dd5c44cc3c821ecd9a6aaee0ce7ea19a4307995b8c08b48a6e439eb605d
Instruction Fuzzy Hash: 16510C3125124EDFC70AFF7CF8A09D93BA3BB96204304897AD0448B27EDB716905CB92

Function 010B7D90 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b942d9f2496e08a1c5aa45b4d977ee21d533a95fc46f9a1e713f472d4bf11a0e
Instruction ID: 807793083944c65b90152cd794c067b484c5e1ce12d2cba7de475915a2590726
Opcode Fuzzy Hash: b942d9f2496e08a1c5aa45b4d977ee21d533a95fc46f9a1e713f472d4bf11a0e
Instruction Fuzzy Hash: F9316E31E0021ADBDB65DF69C8806EEB7F2FF89300F208565E505EB281DB71A941CB50

Function 010B26DC Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735f5e21a6032688aec30cc538fad494a9e28baa9b68feb7ae3c161c9b3d445f
Instruction ID: 4c2296ab41297b4287c65e8064cf00c047d836a4c274dbec7ad55431712c89d7
Opcode Fuzzy Hash: 735f5e21a6032688aec30cc538fad494a9e28baa9b68feb7ae3c161c9b3d445f
Instruction Fuzzy Hash: 5E41F0B0D00348DFEB14DFA9C984ADEBBF5BF48304F148429E809AB250DB75A946CB91

Function 010B7D80 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae5a283cf66b979a2968d27b8f78a496012eed5f7eb37cdbb3c7f6fc86191f6
Instruction ID: 5c7b46a8315167a19c7f47389a10ec21dd1ef56242dc1908f5eb9a113ae5ef8f
Opcode Fuzzy Hash: cae5a283cf66b979a2968d27b8f78a496012eed5f7eb37cdbb3c7f6fc86191f6
Instruction Fuzzy Hash: 9F313C31E1021ADFEB65DF69C8846EEB7F2EF89300F208569E545EB281E7719941CB50

Function 010B5097 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f796ab1fc44bb636e3a2e00f253fed7fca87773416d5e3ab59079f115cc599
Instruction ID: 1437825ec2bf53ecc73ac9128173e7919065840841f662b3f145e088ebc2f57f
Opcode Fuzzy Hash: 84f796ab1fc44bb636e3a2e00f253fed7fca87773416d5e3ab59079f115cc599
Instruction Fuzzy Hash: 3931363060421ADFDB65EF78D9A46EE77F2AF48204F1008B8D941AB3A5DB769C41CB91

Function 010B26E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a74bd250bc7d9a83ead15454d8f54e5f35188a1968dde8cee9a72a62f1ce0e0
Instruction ID: 6c6ffab7d533ac6d6a7db462e84849107a0ec5d3af807e7845668bacaae7dcd4
Opcode Fuzzy Hash: 4a74bd250bc7d9a83ead15454d8f54e5f35188a1968dde8cee9a72a62f1ce0e0
Instruction Fuzzy Hash: DF41DEB0D00348DFEB14DFA9C884ADEBBF5FF48310F248429E819AB254DB75A945CB91

Function 010B50A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437790d9a705553d62935005eec31d1b9f5d17aedbbc837db7cb85514a86ccd6
Instruction ID: 8b536c348f680d8d00865c7226a47ff212b03d2969a7ac403383bedd16876480
Opcode Fuzzy Hash: 437790d9a705553d62935005eec31d1b9f5d17aedbbc837db7cb85514a86ccd6
Instruction Fuzzy Hash: 00316C34704209DFDB55EB78D9A06EE77F2AF88200F1008B8D941AB398DB36DC41CB91

Function 010B17C0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6ea4d95841d0b111908e6f5d1eb5040b4d543dbc62d086ee2bd308646bae79
Instruction ID: e433bc98f724a0314a38fa708a33b50f08831b46dee79da8964560d9ee616e1c
Opcode Fuzzy Hash: fa6ea4d95841d0b111908e6f5d1eb5040b4d543dbc62d086ee2bd308646bae79
Instruction Fuzzy Hash: 6721F435B002069BDBA1ABBCF8A479E37F6FB8A650F100476E845C7349EB35C8418BC1

Function 010B148A Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6367bd2133029794e641006038f99baf8a382501e7a20d0c15163a8806bfccd8
Instruction ID: d7536f78b9c09378271e4f8ef6c0f2a48a3d00a22d4acd2be85c832bb0859f26
Opcode Fuzzy Hash: 6367bd2133029794e641006038f99baf8a382501e7a20d0c15163a8806bfccd8
Instruction Fuzzy Hash: FD21B031B002168BDB62ABBCA4A02EE77F5EB45250F1004BAE485DB345EB39C8428BD1

Function 010BA068 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c408a6caef560761c3b51bea446e076d2df4b8b6441215f1552b4f046676955
Instruction ID: 4dd5343b3ac2142284523243c64c888233f3583329fe538a6cd70a265d348816
Opcode Fuzzy Hash: 5c408a6caef560761c3b51bea446e076d2df4b8b6441215f1552b4f046676955
Instruction Fuzzy Hash: 9F31C030F0020ACBDB55CF68C8946DEF7B2BF8A300F14C659E945EB241DB729946CB40

Function 010B169F Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a75fd6f47811870d9f2bebfd85267b7f9d21bb2f855cc0e10e8e36ea97de230
Instruction ID: 6d4f8e05dd6818c5acd8eb320921051af73050d4278d5215d0a98815d05397ad
Opcode Fuzzy Hash: 9a75fd6f47811870d9f2bebfd85267b7f9d21bb2f855cc0e10e8e36ea97de230
Instruction Fuzzy Hash: 8121B73460010A8FDB92EB7CF8E47DD33A6FF46204F1049B6D045CB25AEB35D8418B92

Function 0106D006 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694228052.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_106d000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa61a5d6bf49782f8e0108e0d963dd94451ec26223f67aa230511279bb87a8c
Instruction ID: ff46683f667370c4f5a90600dff62ee00cee5e429ec6111f2ec829e17fbf4ee0
Opcode Fuzzy Hash: 9aa61a5d6bf49782f8e0108e0d963dd94451ec26223f67aa230511279bb87a8c
Instruction Fuzzy Hash: B33189715093C49FDB13CF64C890711BFB5AF46214F29C5DBD8888F2A3C23A980ACB62

Function 010BA078 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7786a44bb3649c721b6898e3a32f8091e1db23cdfadd201e25643479dbb107f0
Instruction ID: 9685c6789789bc1fc2cd1f8879955d082131b2a0e494eb62af49048699abcb1b
Opcode Fuzzy Hash: 7786a44bb3649c721b6898e3a32f8091e1db23cdfadd201e25643479dbb107f0
Instruction Fuzzy Hash: 60214D34E1020ADBDB59CFA8D8906DEF7B2BF89300F10866AE945EB345DB7199458B90

Function 010B9F68 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bafc0c1756ec5d79e1add851a8c7ea6d04300ce90fffcb2f671d38d5a2af6f13
Instruction ID: 287782c163982d4c41bbb2888628ffde385c75a74a3494f4d50252c24edf79b3
Opcode Fuzzy Hash: bafc0c1756ec5d79e1add851a8c7ea6d04300ce90fffcb2f671d38d5a2af6f13
Instruction Fuzzy Hash: 2B217170E1020A9BCB15CF68C4906DEB7B2AF89310F10856AE915FB350DB71E845CB91

Function 010BA85A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462a0d06ebc90ab4c69dab30faa68c654711435fb3c5ed13dd1adb7d78a33b5d
Instruction ID: ae68e7f121df372835521f2068de3e3540f5dddf1c3d33fe2fd6788dfe987e11
Opcode Fuzzy Hash: 462a0d06ebc90ab4c69dab30faa68c654711435fb3c5ed13dd1adb7d78a33b5d
Instruction Fuzzy Hash: 2121B030B10205DFEB54DB68C894BEE7BF6BF88720F118169E145FB3A4DA718C008B90

Function 010B4F8A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488dbde5df42ae756d272856a19e7e1633252f37e0dbcd80d642be67e2250321
Instruction ID: eec767d97a1e0813fededd70f9b9bca0d0b7b4694996da0b271ed39071a1c10a
Opcode Fuzzy Hash: 488dbde5df42ae756d272856a19e7e1633252f37e0dbcd80d642be67e2250321
Instruction Fuzzy Hash: 32212730B10209CFCB95EB78C9A8A9D77F1AB89714F1004A8E546EB3A5DB769D01CB91

Function 0106D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694228052.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_106d000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a5f365cd750cc8ce968a07e918501bd53b1ce8255f49f7009dd7f9b16e9759
Instruction ID: 00c349102591e80515ea77f2adf1edf7c7746cb8c31af440e8cbd4462ec6415a
Opcode Fuzzy Hash: 46a5f365cd750cc8ce968a07e918501bd53b1ce8255f49f7009dd7f9b16e9759
Instruction Fuzzy Hash: 15212271604204EFEB11DF94D980B26BBA9FB84314F24C5ADE8C94B242C336D847CB62

Function 010B1382 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d91f08249a986ae67d919793f595bc92f67e00b834330a7727aa83ee9571a286
Instruction ID: b6829a15731ea1455007fd90f988981793d93e3ab4ee978ececabf9467075efb
Opcode Fuzzy Hash: d91f08249a986ae67d919793f595bc92f67e00b834330a7727aa83ee9571a286
Instruction Fuzzy Hash: 6D21A4306002018BEBB2572CF4E83AD37E1EB43311F1044AAE586CF295EB3989858B92

Function 010B1888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92eba6969ed90a39ef151fb02ebf61c667d64a7b1a4a080752b33c25155f349a
Instruction ID: a1b3f4024074222179b6e71408c9795fd6ce19dbd34dfcd7429ab22cf5be082f
Opcode Fuzzy Hash: 92eba6969ed90a39ef151fb02ebf61c667d64a7b1a4a080752b33c25155f349a
Instruction Fuzzy Hash: F4216D30B04249CFDB54EB68D5A47EE77F2AF89200F2004A8D546EB394DB768C40CBA1

Function 010B9F78 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae5687adbcfd91d7a8178f61293a1e4e06b50d1b01b432637bb06812bcee292
Instruction ID: bf7c70930c46163257b0ef555e4a4bc0745ab0d945da3e84d74019445dfee183
Opcode Fuzzy Hash: 9ae5687adbcfd91d7a8178f61293a1e4e06b50d1b01b432637bb06812bcee292
Instruction Fuzzy Hash: 6A217F70E0020ADBCB19CF68C4906DEB7B2AF89310F10862AF915FB380DB71A945CB50

Function 010B16B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a82021945f21a9eeb964111038c739ea9bc2de6ba9d0603379506e2b219dd6
Instruction ID: 43c98e5bc0fb17c6b963618d98fa6445009121a36bdd53536680702d802a903f
Opcode Fuzzy Hash: 05a82021945f21a9eeb964111038c739ea9bc2de6ba9d0603379506e2b219dd6
Instruction Fuzzy Hash: FB21813460010A8BEBA2E77CF8E479D33A6FB89605F104972D446CB25AEB35D8418B92

Function 010B1878 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b5a80d4ab4a5dcbff38109357e46765ff5db0ac4c5ebf27ea51e20ae841d01
Instruction ID: 5cf57e143df625382605a225bd8505cb6c951dab54abb929a6de8b20a853c9a6
Opcode Fuzzy Hash: d2b5a80d4ab4a5dcbff38109357e46765ff5db0ac4c5ebf27ea51e20ae841d01
Instruction Fuzzy Hash: 3E218C30B04249CFDB65EB68E5A87EE37F2AF49304F2008A8D145EB295DB768C41CB91

Function 010B4F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2575c52a909321be95ead96e24a15d3e1e10ba3812fd55200cacb48c788bd9
Instruction ID: 1b629a69c3770e7431ef007e207b2e875cce427aeae4928237abb4ab16fcac59
Opcode Fuzzy Hash: 9f2575c52a909321be95ead96e24a15d3e1e10ba3812fd55200cacb48c788bd9
Instruction Fuzzy Hash: 09211934B10209CFDB54EB78D998AAD77F2AF8D710F1004A8E546EB3A5DB769D00CB91

Function 010B0838 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a27d7c1d00d9c6b70696a90147ef259d1a66ed7a33884aafcbb105a5708bd79
Instruction ID: 44b0defb143f57c87b2c99dc80b3a9a3059f6f31b3c8af4a251a5eedfa60561a
Opcode Fuzzy Hash: 0a27d7c1d00d9c6b70696a90147ef259d1a66ed7a33884aafcbb105a5708bd79
Instruction Fuzzy Hash: 65119430A003054BEFA69678D8943EF33B1EB42214F1049BAF0C6DF25ADA65CA858BC1

Function 010B0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e66fa249347da42de9fbb7473556264ac3c3af1669d9016ecaa0a625698d819
Instruction ID: 6494a28b737e13d5a498d4b1fb784db9505f48225300e1811a1ea9242b983842
Opcode Fuzzy Hash: 1e66fa249347da42de9fbb7473556264ac3c3af1669d9016ecaa0a625698d819
Instruction Fuzzy Hash: 3F119830B002094BEFA5967CD4943AF32A5FB45610F2089B9F0C6CF259DA21CD858BC1

Function 010B6B98 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea3640fb71468cd07e1244c86864500e300e4a48f7a34f211c55748bb543871
Instruction ID: f7326e9b1c964e1a821d38d9dd06271925ede8e1649ec42ca8c2851779a05d30
Opcode Fuzzy Hash: fea3640fb71468cd07e1244c86864500e300e4a48f7a34f211c55748bb543871
Instruction Fuzzy Hash: FA11E9317083519FC3166B78D4642AE7BF2EFCB610B1584EEC199CF691EA3A4C45C792

Function 010B1498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49cdb7c9b0fd64ec79003df22aaa27242d9e893555637cb5cb8a68ae249d8269
Instruction ID: d25bb508c24338579e147b6327443fd204a83318bf6470982a72ad83c90762c0
Opcode Fuzzy Hash: 49cdb7c9b0fd64ec79003df22aaa27242d9e893555637cb5cb8a68ae249d8269
Instruction Fuzzy Hash: 43012D31B002169BCB65EFB994A02EE7BF5EB48260B1404B9E845E7305EB35C8428B95

Function 010BA6B8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec448f0bf68ef1792699f4aaa045c1fffa32c4bc2e63a6f82abf79292aea297
Instruction ID: 11590537bd3e081ff374c3e6ecb07154973404f6cac735881aaee0a6bc4df359
Opcode Fuzzy Hash: 7ec448f0bf68ef1792699f4aaa045c1fffa32c4bc2e63a6f82abf79292aea297
Instruction Fuzzy Hash: 10110830A002048FDB14DFA9E9846CABBB2FFC9310F14C1B5C8485F2A6E7B49D05CBA1

Function 010B8F08 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097aebf285577807105a524f83a400829de2df07eb10ea0c94293242c2faa769
Instruction ID: 8f53e1e20e59682037a58fd51c3d3f4a7dbc8b377eb9a5a1911e9e44e1adab84
Opcode Fuzzy Hash: 097aebf285577807105a524f83a400829de2df07eb10ea0c94293242c2faa769
Instruction Fuzzy Hash: EF015A3490020EDFDB85EBB8E9606DC77B2BF85600B1046B9C0459B265EB321E059B91

Function 010B1524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe44541515940140d576469826dc2aab82449b7d29a387c08988d947c1ddcc0
Instruction ID: af8f3bcb28ec195c3c442354cdc2566247d6d69129298cf45d804a7ceaa1dfb4
Opcode Fuzzy Hash: cfe44541515940140d576469826dc2aab82449b7d29a387c08988d947c1ddcc0
Instruction Fuzzy Hash: AAF0F033A04110DFDB228BA8A8E02ECBFB0FEA922171C00E7D886DB215D736D402CB51

Function 010B7EA8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28bc925f4d67f732fca6d95202bb7cdc6833b37915dd8151990c5c21dd682c09
Instruction ID: 83a832766400ea598839499c6b6df199955f168f0f8950f96c6848b54a04899f
Opcode Fuzzy Hash: 28bc925f4d67f732fca6d95202bb7cdc6833b37915dd8151990c5c21dd682c09
Instruction Fuzzy Hash: AAF0C435B00118CFC754EB68D5A8A6C77F2EF89715F6444A8E5069B3A4DB36AD02CF40

Function 010B8F18 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2694645126.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10b0000_PpIvKmzUbDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ec3c04eab5d18f779c920bdd1530163439eefd05552b81945e8ae6171df949
Instruction ID: 9171c0fe2bac7948f5334e89e857743f2eabd62d8fd3ddc7e785383fde2f8228
Opcode Fuzzy Hash: 26ec3c04eab5d18f779c920bdd1530163439eefd05552b81945e8ae6171df949
Instruction Fuzzy Hash: 16F03C3490020EEFDB45FBB8F9A0ADD77B6BF84600F5056B9C0459B258EB322E049B91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 980001672 PPR for 30887217.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\980001672 PPR for 30887217.scr.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PpIvKmzUbDB.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4oicssh2.iak.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_esbf45ym.anx.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jpqgbxfw.gjw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jtl5qiop.omt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ldvzfpoc.lyu.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nfurtpnj.u4t.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ps4rxfzv.vzz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pu2itpzt.upb.psm1

C:\Users\user\AppData\Local\Temp\tmp1BF6.tmp

C:\Users\user\AppData\Local\Temp\tmp7B3.tmp

Windows Analysis Report
980001672 PPR for 30887217.scr.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre