Edit tour

Windows Analysis Report
Overdue_payment.pdf.exe

Overview

General Information

Sample name:	Overdue_payment.pdf.exe
Analysis ID:	1570483
MD5:	8b57457c486a24230c0fcc907ee84062
SHA1:	aab3ba33f51878f115eb64f3d3adf3ce90f306fb
SHA256:	c6ca7a0c812b140b8d3e1f7ceb12f0efe6bc0f564c6312814bc9dba1255e8788
Tags:	AgentTeslaexePaymentuser-cocaman
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension File Execution

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Overdue_payment.pdf.exe (PID: 7560 cmdline: "C:\Users\user\Desktop\Overdue_payment.pdf.exe" MD5: 8B57457C486A24230C0FCC907EE84062)

powershell.exe (PID: 7712 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Overdue_payment.pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7752 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8132 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7796 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Overdue_payment.pdf.exe (PID: 7984 cmdline: "C:\Users\user\Desktop\Overdue_payment.pdf.exe" MD5: 8B57457C486A24230C0FCC907EE84062)

conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

lxZwKFTCWa.exe (PID: 8092 cmdline: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe MD5: 8B57457C486A24230C0FCC907EE84062)

schtasks.exe (PID: 2044 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpFB89.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

lxZwKFTCWa.exe (PID: 3584 cmdline: "C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe" MD5: 8B57457C486A24230C0FCC907EE84062)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.2924377723.000000000318C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.2921935892.0000000000437000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2924376816.000000000313C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.2924377723.0000000003161000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2924377723.0000000003161000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.2924376816.0000000003111000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2924376816.0000000003111000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1702589790.0000000004339000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1702589790.0000000004339000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Overdue_payment.pdf.exe PID: 7560	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Overdue_payment.pdf.exe PID: 7560	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Overdue_payment.pdf.exe PID: 7560	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Overdue_payment.pdf.exe PID: 7984	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Overdue_payment.pdf.exe PID: 7984	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: lxZwKFTCWa.exe PID: 8092	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: lxZwKFTCWa.exe PID: 3584	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: lxZwKFTCWa.exe PID: 3584	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Overdue_payment.pdf.exe.4339970.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Overdue_payment.pdf.exe.4339970.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Overdue_payment.pdf.exe.4339970.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31761:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3187d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31959:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Overdue_payment.pdf.exe.4374390.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Overdue_payment.pdf.exe.4374390.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Overdue_payment.pdf.exe.4374390.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31761:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3187d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31959:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Overdue_payment.pdf.exe.4374390.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Overdue_payment.pdf.exe.4374390.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Overdue_payment.pdf.exe.4374390.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Overdue_payment.pdf.exe.4374390.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dd0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33561:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dd81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6de0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3367d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6de9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6df07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33759:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6df79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e00f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e09f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa872f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33561:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa87a1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e00b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa882b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3367d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e09d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa88bd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e107:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8927:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33759:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e179:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8999:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e20f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8a2f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Overdue_payment.pdf.exe", CommandLine: "C:\Users\user\Desktop\Overdue_payment.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Overdue_payment.pdf.exe, NewProcessName: C:\Users\user\Desktop\Overdue_payment.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Overdue_payment.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\Overdue_payment.pdf.exe", ProcessId: 7560, ProcessName: Overdue_payment.pdf.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Overdue_payment.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Overdue_payment.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Overdue_payment.pdf.exe", ParentImage: C:\Users\user\Desktop\Overdue_payment.pdf.exe, ParentProcessId: 7560, ParentProcessName: Overdue_payment.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Overdue_payment.pdf.exe", ProcessId: 7712, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpFB89.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpFB89.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe, ParentImage: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe, ParentProcessId: 8092, ParentProcessName: lxZwKFTCWa.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpFB89.tmp", ProcessId: 2044, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\Overdue_payment.pdf.exe, Initiated: true, ProcessId: 7984, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Overdue_payment.pdf.exe", ParentImage: C:\Users\user\Desktop\Overdue_payment.pdf.exe, ParentProcessId: 7560, ParentProcessName: Overdue_payment.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp", ProcessId: 7796, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Overdue_payment.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Overdue_payment.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Overdue_payment.pdf.exe", ParentImage: C:\Users\user\Desktop\Overdue_payment.pdf.exe, ParentProcessId: 7560, ParentProcessName: Overdue_payment.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Overdue_payment.pdf.exe", ProcessId: 7712, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Overdue_payment.pdf.exe", ParentImage: C:\Users\user\Desktop\Overdue_payment.pdf.exe, ParentProcessId: 7560, ParentProcessName: Overdue_payment.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp", ProcessId: 7796, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Overdue_payment.pdf.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://mail.iaa-airferight.com

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe

Avira: detection malicious, Label: HEUR/AGEN.1305646

Found malware configuration

Source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: Overdue_payment.pdf.exe	ReversingLabs: Detection: 63%
Source: Overdue_payment.pdf.exe	Virustotal: Detection: 63%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Overdue_payment.pdf.exe

Joe Sandbox ML: detected

Source: Overdue_payment.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49736 version: TLS 1.2

Source: Overdue_payment.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Overdue_payment.pdf.exe.4374390.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	IP Address: 46.175.148.58 46.175.148.58
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: ASLAGIDKOM-NETUA ASLAGIDKOM-NETUA

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 46.175.148.58:25

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.iaa-airferight.com

Source: Overdue_payment.pdf.exe, lxZwKFTCWa.exe.0.dr	String found in binary or memory: http://localhost/calculator_server/requests.php
Source: Overdue_payment.pdf.exe, 00000008.00000002.2924377723.000000000318C000.00000004.00000800.00020000.00000000.sdmp, lxZwKFTCWa.exe, 0000000D.00000002.2924376816.000000000313C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.iaa-airferight.com
Source: Overdue_payment.pdf.exe, 00000000.00000002.1701347692.0000000003367000.00000004.00000800.00020000.00000000.sdmp, Overdue_payment.pdf.exe, 00000008.00000002.2924377723.0000000003111000.00000004.00000800.00020000.00000000.sdmp, lxZwKFTCWa.exe, 00000009.00000002.1747105184.0000000002507000.00000004.00000800.00020000.00000000.sdmp, lxZwKFTCWa.exe, 0000000D.00000002.2924376816.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Overdue_payment.pdf.exe, 00000000.00000002.1702589790.0000000004339000.00000004.00000800.00020000.00000000.sdmp, lxZwKFTCWa.exe, 0000000D.00000002.2921923646.0000000000436000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Overdue_payment.pdf.exe, 00000000.00000002.1702589790.0000000004339000.00000004.00000800.00020000.00000000.sdmp, Overdue_payment.pdf.exe, 00000008.00000002.2924377723.0000000003111000.00000004.00000800.00020000.00000000.sdmp, lxZwKFTCWa.exe, 0000000D.00000002.2921923646.0000000000434000.00000040.00000400.00020000.00000000.sdmp, lxZwKFTCWa.exe, 0000000D.00000002.2924376816.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Overdue_payment.pdf.exe, 00000008.00000002.2924377723.0000000003111000.00000004.00000800.00020000.00000000.sdmp, lxZwKFTCWa.exe, 0000000D.00000002.2924376816.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Overdue_payment.pdf.exe, 00000008.00000002.2924377723.0000000003111000.00000004.00000800.00020000.00000000.sdmp, lxZwKFTCWa.exe, 0000000D.00000002.2924376816.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49736 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, abAX9N.cs	.Net Code: OPnJT
Source: 0.2.Overdue_payment.pdf.exe.4374390.0.raw.unpack, abAX9N.cs	.Net Code: OPnJT

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Overdue_payment.pdf.exe.4339970.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Overdue_payment.pdf.exe.4374390.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Overdue_payment.pdf.exe.4374390.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Overdue_payment.pdf.exe
Source: initial sample	Static PE information: Filename: Overdue_payment.pdf.exe

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 0_2_03183E28	0_2_03183E28
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 0_2_03186F90	0_2_03186F90
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 0_2_0318DFB4	0_2_0318DFB4
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 0_2_05E49698	0_2_05E49698
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 0_2_05E44621	0_2_05E44621
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 0_2_05E44630	0_2_05E44630
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 0_2_05E441F3	0_2_05E441F3
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 0_2_05E441F8	0_2_05E441F8
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 0_2_05E461A8	0_2_05E461A8
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 0_2_05E46197	0_2_05E46197
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 0_2_05E4C028	0_2_05E4C028
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 0_2_05E43DC0	0_2_05E43DC0
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 0_2_05E43D8B	0_2_05E43D8B
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 0_2_05E458D0	0_2_05E458D0
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 8_2_030FE6A1	8_2_030FE6A1
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 8_2_030F4A98	8_2_030F4A98
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 8_2_030F3E80	8_2_030F3E80
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 8_2_030F41C8	8_2_030F41C8
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 8_2_030FA960	8_2_030FA960
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 8_2_06E565E0	8_2_06E565E0
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 8_2_06E55588	8_2_06E55588
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 8_2_06E57D68	8_2_06E57D68
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 8_2_06E5B20F	8_2_06E5B20F
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 8_2_06E53040	8_2_06E53040
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 8_2_06E57688	8_2_06E57688
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 8_2_06E55CD3	8_2_06E55CD3
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 8_2_06E5E388	8_2_06E5E388
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 8_2_06E52349	8_2_06E52349
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 8_2_06E50040	8_2_06E50040
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 8_2_06E50006	8_2_06E50006
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_00963E28	9_2_00963E28
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_00966F90	9_2_00966F90
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_0096DFB4	9_2_0096DFB4
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_04AC4400	9_2_04AC4400
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_04AC52C8	9_2_04AC52C8
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_04AC2768	9_2_04AC2768
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_04AC2757	9_2_04AC2757
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_06C98570	9_2_06C98570
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_06C94621	9_2_06C94621
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_06C94630	9_2_06C94630
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_06C93DC0	9_2_06C93DC0
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_06C93DB2	9_2_06C93DB2
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_06C958D0	9_2_06C958D0
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_06C941F8	9_2_06C941F8
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_06C941F2	9_2_06C941F2
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_06C96197	9_2_06C96197
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_06C961A8	9_2_06C961A8
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_016DA198	13_2_016DA198
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_016DE6A1	13_2_016DE6A1
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_016DA960	13_2_016DA960
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_016D4A98	13_2_016D4A98
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_016D3E80	13_2_016D3E80
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_016D41C8	13_2_016D41C8
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_06D37D68	13_2_06D37D68
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_06D3B21B	13_2_06D3B21B
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_06D33040	13_2_06D33040
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_06D37688	13_2_06D37688
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_06D3E388	13_2_06D3E388
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_06D30040	13_2_06D30040
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_06D30007	13_2_06D30007

Source: Overdue_payment.pdf.exe, 00000000.00000002.1701347692.0000000003367000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs Overdue_payment.pdf.exe
Source: Overdue_payment.pdf.exe, 00000000.00000000.1667376530.000000000100C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesfqwa.exe( vs Overdue_payment.pdf.exe
Source: Overdue_payment.pdf.exe, 00000000.00000002.1708572841.0000000005C90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Overdue_payment.pdf.exe
Source: Overdue_payment.pdf.exe, 00000000.00000002.1702589790.0000000004339000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs Overdue_payment.pdf.exe
Source: Overdue_payment.pdf.exe, 00000000.00000002.1702589790.0000000004339000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Overdue_payment.pdf.exe
Source: Overdue_payment.pdf.exe, 00000000.00000002.1701347692.000000000337C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Overdue_payment.pdf.exe
Source: Overdue_payment.pdf.exe, 00000000.00000002.1712623031.0000000007E90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Overdue_payment.pdf.exe
Source: Overdue_payment.pdf.exe, 00000000.00000002.1699679388.000000000146E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Overdue_payment.pdf.exe
Source: Overdue_payment.pdf.exe, 00000008.00000002.2921935892.0000000000437000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs Overdue_payment.pdf.exe
Source: Overdue_payment.pdf.exe, 00000008.00000002.2922403149.00000000012F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Overdue_payment.pdf.exe
Source: Overdue_payment.pdf.exe	Binary or memory string: OriginalFilenamesfqwa.exe( vs Overdue_payment.pdf.exe

Source: Overdue_payment.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Overdue_payment.pdf.exe.4339970.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Overdue_payment.pdf.exe.4374390.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Overdue_payment.pdf.exe.4374390.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: Overdue_payment.pdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: lxZwKFTCWa.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, RsYAkkzVoy.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, Kqqzixk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, xROdzGigX.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, ywes.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, iPVW0zV.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, 1Pi9sgbHwoV.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, YUgDfWK2g4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, YUgDfWK2g4.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, SnUA4OO8RjvSkuR9Kc.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, SnUA4OO8RjvSkuR9Kc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, SnUA4OO8RjvSkuR9Kc.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, SnUA4OO8RjvSkuR9Kc.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, SnUA4OO8RjvSkuR9Kc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, SnUA4OO8RjvSkuR9Kc.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, Y97VjrhD8t1GlEnXo0.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, Y97VjrhD8t1GlEnXo0.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@20/15@2/2

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe

File created: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7856:120:WilError_03

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE707.tmp

Jump to behavior

Source: Overdue_payment.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Overdue_payment.pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Overdue_payment.pdf.exe	ReversingLabs: Detection: 63%
Source: Overdue_payment.pdf.exe	Virustotal: Detection: 63%

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe

File read: C:\Users\user\Desktop\Overdue_payment.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Overdue_payment.pdf.exe "C:\Users\user\Desktop\Overdue_payment.pdf.exe"
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Overdue_payment.pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process created: C:\Users\user\Desktop\Overdue_payment.pdf.exe "C:\Users\user\Desktop\Overdue_payment.pdf.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpFB89.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process created: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe "C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe"
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Overdue_payment.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process created: C:\Users\user\Desktop\Overdue_payment.pdf.exe "C:\Users\user\Desktop\Overdue_payment.pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpFB89.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process created: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe "C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Overdue_payment.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Overdue_payment.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, SnUA4OO8RjvSkuR9Kc.cs	.Net Code: w7xjBnBbgd System.Reflection.Assembly.Load(byte[])
Source: 0.2.Overdue_payment.pdf.exe.5c90000.3.raw.unpack, L2.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, SnUA4OO8RjvSkuR9Kc.cs	.Net Code: w7xjBnBbgd System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 0_2_03185E00 push eax; iretd	0_2_03185E09
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 0_2_05E43606 push cs; retf	0_2_05E4360F
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 0_2_05E4B95B push ecx; retf	0_2_05E4B966
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Code function: 8_2_030F0C55 push edi; retf	8_2_030F0C7A
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_00965E00 push eax; iretd	9_2_00965E09
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_06C9B295 push FFFFFF8Bh; iretd	9_2_06C9B297
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 9_2_06C91803 push es; retf	9_2_06C91818
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_06D387CB push esi; retf	13_2_06D387CE
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_06D36CF7 pushfd ; retf	13_2_06D36CF9
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_06D36583 push eax; retf	13_2_06D36589
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_06D39A69 push 671C06CBh; retf	13_2_06D39A6E
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_06D383B3 push ebx; retf	13_2_06D383BA
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_06D383B0 push esp; retf	13_2_06D383B2
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_06D34071 push cs; retf	13_2_06D34072
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Code function: 13_2_06D33037 push es; retf	13_2_06D3303A

Source: Overdue_payment.pdf.exe	Static PE information: section name: .text entropy: 7.78729195951309
Source: lxZwKFTCWa.exe.0.dr	Static PE information: section name: .text entropy: 7.78729195951309

Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, SI2DFygjyHMCPQXuXN.cs	High entropy of concatenated method names: 'BZkHyYdiBX', 'xxDHXfwwwO', 'GbJHN175F1', 'NINHdYa5OB', 'L5IHOfJ5HQ', 'UEhNTjf6i4', 'v9ANooakAn', 'scUN50V0VY', 'V1eNUwyBYA', 'gxwNpwBsmg'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, YD81QN9glp4BWl8Zeu.cs	High entropy of concatenated method names: 'aeMNE406Fc', 'IBiNQF8YM7', 'nRof3l2Boa', 'ay2fDxdHoI', 'bqAfuCWx22', 'SY7f0nnlHr', 'CEiflMsrph', 'Nrmf1NQr5N', 'vn9fIM3rEd', 'NI1fw81LoZ'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, QwIDEjzupR4yxjxB8C.cs	High entropy of concatenated method names: 'odDRGeTtHk', 'fsMRh0wd3r', 'nadR2Nmrkp', 'K5dRgEj9kt', 'ce9R4JW2KC', 'x6fRDTxlF8', 'JAyRusIGUY', 'wc8RmXMLlm', 'zucRs8saXG', 'TcqRt9KZTg'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, q8kJvY5YJVWrxrrera.cs	High entropy of concatenated method names: 'Pi4nKSU9oo', 'JZHnJgs7FS', 'u6pnnmjLyj', 'U6NnZyfikF', 'VI0n85136s', 'AoJnmhqNsm', 'Dispose', 'SFvYMpKBpV', 'UnPYXlWaKs', 'AVVYflaBvS'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, lOHdDllsuqB6g5ksId.cs	High entropy of concatenated method names: 'iuXdMbKPGx', 'oNsdfqXWC6', 'fLTdHgEXqN', 'MxNHexEgfn', 'TIGHzVy5UJ', 'bX0dVkN6ja', 'vCKdPoxQes', 'bDmdF4v8q9', 'N7XdcmTowL', 'gFkdjiuoXO'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, iZKRe0PV56BCRlBiq0i.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DgGR7ZALE8', 'EYMRvZIUKF', 'oETRApfICN', 'xg4Rk8iMnJ', 'gm1R6Ddw8Y', 'vNnRaE9fXr', 'ujjRqBU34W'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, uPq8ZRPci2UCQ7nudbe.cs	High entropy of concatenated method names: 'dnMZedxS06', 'f3yZz06yS8', 'fqkSVgmtWm', 'finL9aP3uwBD5LLfe7r', 'AGuQpTPJ8BermwMyN4I', 'HAYvExPfhM5YcB0M1mM', 'C0f5tXPXful4ERfElUp'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, SIC72jIVFQ79FV8Kht.cs	High entropy of concatenated method names: 'ScQdsp4ZnE', 'l4MdtiC1g6', 'VjtdBqZRqY', 'jWGdWeHpb4', 'SvjdEjTgMA', 'lNsdGn5Uee', 'YijdQkrKWT', 'BO4dhITOc0', 'Qrfd2IEcKu', 'Mn1d9fRJn2'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, uC0yAWAaaOKLfG1SJY.cs	High entropy of concatenated method names: 'cQubhvgvgq', 'FNLb27A5k6', 'XPfbg4EhpR', 'Mw2b4Fsmxr', 'j0rbDHCRHH', 'qWybu1lQOy', 'WDhblgJrjd', 'DXOb1Torf4', 'rWbbw815xp', 'UOUb7dSLPU'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, a6qh9vF22iW84Yx3oH.cs	High entropy of concatenated method names: 'uLCBmGXnc', 'i2JWePVK5', 'cxvGhPD3m', 'bsLQqLqUB', 'EYc2V0uoA', 'XTx95VOui', 'xl1iq7t841OlRuQetv', 'UQNe7OEcY2qCaqESVQ', 'FkMYfOmFp', 'vhuR6RXHQ'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, SnUA4OO8RjvSkuR9Kc.cs	High entropy of concatenated method names: 'yWYcyN3lkh', 'I04cMnWj6i', 'ycZcXdWlwX', 'gagcf8Qqui', 'LaxcNFMWDN', 'QfrcHKwhN0', 'SbZcdJWN3m', 'rNYcO8B9jC', 'h1wcCPXd1d', 'FZqcipKiXf'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, bPacPBqV3gGyBTCC30.cs	High entropy of concatenated method names: 'yTkJiEkYWC', 'bHTJLynV44', 'ToString', 'N6rJMNKU3D', 'T5cJX1yyRY', 'cRDJfnD6Aq', 'kncJN978nM', 'aAUJHDJTRe', 'gxCJdMW1X1', 'DYIJORTBET'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, cFYdLZ2Me1w6vd722T.cs	High entropy of concatenated method names: 'vy5fWOnIaP', 'OsSfGUwyGX', 'lwgfhbAJFA', 'NDVf2UG2UH', 'qJgfKqnN1C', 'tKCfr3IJG1', 'E9bfJjuh1C', 'FMUfYMK1qN', 'mVIfnhI01D', 'UEQfRyps1X'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, uMvELCaeUrFbwtMips.cs	High entropy of concatenated method names: 'ToString', 'BMbr7osRJB', 'BTvr41b48q', 'gQyr3o8QGf', 'Ia0rDk1pNg', 'r9jruottxS', 'P1Mr0lFpcU', 'qkdrlsiMn6', 'mXpr1ykpWx', 'SqLrIjmCLA'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, rB6QMLkARr8RuOcGbS.cs	High entropy of concatenated method names: 'yCYKwcchAU', 'smJKvUvMgC', 'oneKk2qLnf', 'GnYK6gSBAu', 'mG9K4BG4BR', 'J3KK3XEDqv', 'eyOKDWvIY1', 'OobKuTiEPB', 'ayiK05IHNM', 'CxQKlskYnO'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, b2Peb34QfCYkKXMqTd.cs	High entropy of concatenated method names: 'PoJFskhIBBUTCu0XYBi', 'fSmevnh1aS9Y1RQMjin', 'wyOHYFOpEh', 'YeEHnLA45X', 'eQ7HRciIrt', 'B3VdVchBaG1p7JaVqE8', 'mdspmQhvosvbdxSbfJ7'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, OZLqOfjF6KdTvse1vC.cs	High entropy of concatenated method names: 'dkePd97Vjr', 'I8tPO1GlEn', 'tMePi1w6vd', 'O22PLTeD81', 'L8ZPKeu6I2', 'IFyPrjyHMC', 'RGGt7NZIK7kejM33Ra', 'Yop4gqJQ85HaIE2oaT', 'fXsPPqoPIk', 'BNdPcZDdal'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, L9kjtgfwltBpqZpTSB.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Tc9FpF4L07', 'b6wFewHTRK', 'wPYFzLXHbv', 'wElcVI3YfS', 'LeVcPHbpyy', 'U3VcF54FhF', 'maGccLgYsM', 'v6dbQmssTUSuPmMbVGl'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, CRZFArokZ0SthcHgRC.cs	High entropy of concatenated method names: 'QOlJU8XcCK', 'fMkJeMcLgn', 'FI2YVVGA9i', 'XQkYPHkqRJ', 'rT0J7EjxgU', 'Yl0Jv4eQkF', 'WrZJA2OONj', 'zVEJk1aHH0', 'Il9J6np021', 'SrpJayMq0W'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, Y97VjrhD8t1GlEnXo0.cs	High entropy of concatenated method names: 'cmvXkorfyE', 'sFSX6mEy2E', 'jufXaL2l7M', 'n5gXqBHQH5', 'QpvXTUWkvp', 'DGXXoPuRIi', 'sgpX5xWdqA', 'Sb4XUe9Rk2', 'nREXpSbsmR', 'fcZXeUIS0d'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, NWigWqe4XCyLQCwHR5.cs	High entropy of concatenated method names: 'XejRfGl1IN', 'rvPRNDVPDP', 'O14RHvofAP', 'pOERdog78J', 'eJARnXXSGE', 'pnuROQvoiG', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, Mbm8MjpJLgPRwVOqj7.cs	High entropy of concatenated method names: 'eKgng6umms', 'WtCn4vguqc', 'aJCn3Kty0F', 'OnHnDJIjM8', 'TxRnuqJ3TK', 'gqnn0YMoGY', 'R4lnlElypp', 'kQ9n1k1T6i', 'VNvnITosw8', 'Q2ynwo6tjr'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, zgICFdPPw5PCGx8wx3W.cs	High entropy of concatenated method names: 'ha1ReJHTml', 'vn2RzyxEid', 'YYTZVE6l3u', 'VL0ZPKbusD', 'Jg3ZFLl2xo', 'p0PZcLaf78', 'OsWZjGGkRI', 'm3xZyUgUMa', 'D8OZMbkOdh', 'Y1BZXWsDTR'
Source: 0.2.Overdue_payment.pdf.exe.4581918.2.raw.unpack, qJhEq6Xdyhgxkaf6IP.cs	High entropy of concatenated method names: 'Dispose', 'aWrPpxrrer', 'wY9F4jileT', 'itAGNhMlMW', 'SEkPesSeCl', 'FEbPzmGcny', 'ProcessDialogKey', 'mcIFVbm8Mj', 'pLgFPPRwVO', 'Tj7FFwWigW'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, SI2DFygjyHMCPQXuXN.cs	High entropy of concatenated method names: 'BZkHyYdiBX', 'xxDHXfwwwO', 'GbJHN175F1', 'NINHdYa5OB', 'L5IHOfJ5HQ', 'UEhNTjf6i4', 'v9ANooakAn', 'scUN50V0VY', 'V1eNUwyBYA', 'gxwNpwBsmg'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, YD81QN9glp4BWl8Zeu.cs	High entropy of concatenated method names: 'aeMNE406Fc', 'IBiNQF8YM7', 'nRof3l2Boa', 'ay2fDxdHoI', 'bqAfuCWx22', 'SY7f0nnlHr', 'CEiflMsrph', 'Nrmf1NQr5N', 'vn9fIM3rEd', 'NI1fw81LoZ'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, QwIDEjzupR4yxjxB8C.cs	High entropy of concatenated method names: 'odDRGeTtHk', 'fsMRh0wd3r', 'nadR2Nmrkp', 'K5dRgEj9kt', 'ce9R4JW2KC', 'x6fRDTxlF8', 'JAyRusIGUY', 'wc8RmXMLlm', 'zucRs8saXG', 'TcqRt9KZTg'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, q8kJvY5YJVWrxrrera.cs	High entropy of concatenated method names: 'Pi4nKSU9oo', 'JZHnJgs7FS', 'u6pnnmjLyj', 'U6NnZyfikF', 'VI0n85136s', 'AoJnmhqNsm', 'Dispose', 'SFvYMpKBpV', 'UnPYXlWaKs', 'AVVYflaBvS'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, lOHdDllsuqB6g5ksId.cs	High entropy of concatenated method names: 'iuXdMbKPGx', 'oNsdfqXWC6', 'fLTdHgEXqN', 'MxNHexEgfn', 'TIGHzVy5UJ', 'bX0dVkN6ja', 'vCKdPoxQes', 'bDmdF4v8q9', 'N7XdcmTowL', 'gFkdjiuoXO'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, iZKRe0PV56BCRlBiq0i.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DgGR7ZALE8', 'EYMRvZIUKF', 'oETRApfICN', 'xg4Rk8iMnJ', 'gm1R6Ddw8Y', 'vNnRaE9fXr', 'ujjRqBU34W'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, uPq8ZRPci2UCQ7nudbe.cs	High entropy of concatenated method names: 'dnMZedxS06', 'f3yZz06yS8', 'fqkSVgmtWm', 'finL9aP3uwBD5LLfe7r', 'AGuQpTPJ8BermwMyN4I', 'HAYvExPfhM5YcB0M1mM', 'C0f5tXPXful4ERfElUp'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, SIC72jIVFQ79FV8Kht.cs	High entropy of concatenated method names: 'ScQdsp4ZnE', 'l4MdtiC1g6', 'VjtdBqZRqY', 'jWGdWeHpb4', 'SvjdEjTgMA', 'lNsdGn5Uee', 'YijdQkrKWT', 'BO4dhITOc0', 'Qrfd2IEcKu', 'Mn1d9fRJn2'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, uC0yAWAaaOKLfG1SJY.cs	High entropy of concatenated method names: 'cQubhvgvgq', 'FNLb27A5k6', 'XPfbg4EhpR', 'Mw2b4Fsmxr', 'j0rbDHCRHH', 'qWybu1lQOy', 'WDhblgJrjd', 'DXOb1Torf4', 'rWbbw815xp', 'UOUb7dSLPU'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, a6qh9vF22iW84Yx3oH.cs	High entropy of concatenated method names: 'uLCBmGXnc', 'i2JWePVK5', 'cxvGhPD3m', 'bsLQqLqUB', 'EYc2V0uoA', 'XTx95VOui', 'xl1iq7t841OlRuQetv', 'UQNe7OEcY2qCaqESVQ', 'FkMYfOmFp', 'vhuR6RXHQ'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, SnUA4OO8RjvSkuR9Kc.cs	High entropy of concatenated method names: 'yWYcyN3lkh', 'I04cMnWj6i', 'ycZcXdWlwX', 'gagcf8Qqui', 'LaxcNFMWDN', 'QfrcHKwhN0', 'SbZcdJWN3m', 'rNYcO8B9jC', 'h1wcCPXd1d', 'FZqcipKiXf'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, bPacPBqV3gGyBTCC30.cs	High entropy of concatenated method names: 'yTkJiEkYWC', 'bHTJLynV44', 'ToString', 'N6rJMNKU3D', 'T5cJX1yyRY', 'cRDJfnD6Aq', 'kncJN978nM', 'aAUJHDJTRe', 'gxCJdMW1X1', 'DYIJORTBET'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, cFYdLZ2Me1w6vd722T.cs	High entropy of concatenated method names: 'vy5fWOnIaP', 'OsSfGUwyGX', 'lwgfhbAJFA', 'NDVf2UG2UH', 'qJgfKqnN1C', 'tKCfr3IJG1', 'E9bfJjuh1C', 'FMUfYMK1qN', 'mVIfnhI01D', 'UEQfRyps1X'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, uMvELCaeUrFbwtMips.cs	High entropy of concatenated method names: 'ToString', 'BMbr7osRJB', 'BTvr41b48q', 'gQyr3o8QGf', 'Ia0rDk1pNg', 'r9jruottxS', 'P1Mr0lFpcU', 'qkdrlsiMn6', 'mXpr1ykpWx', 'SqLrIjmCLA'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, rB6QMLkARr8RuOcGbS.cs	High entropy of concatenated method names: 'yCYKwcchAU', 'smJKvUvMgC', 'oneKk2qLnf', 'GnYK6gSBAu', 'mG9K4BG4BR', 'J3KK3XEDqv', 'eyOKDWvIY1', 'OobKuTiEPB', 'ayiK05IHNM', 'CxQKlskYnO'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, b2Peb34QfCYkKXMqTd.cs	High entropy of concatenated method names: 'PoJFskhIBBUTCu0XYBi', 'fSmevnh1aS9Y1RQMjin', 'wyOHYFOpEh', 'YeEHnLA45X', 'eQ7HRciIrt', 'B3VdVchBaG1p7JaVqE8', 'mdspmQhvosvbdxSbfJ7'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, OZLqOfjF6KdTvse1vC.cs	High entropy of concatenated method names: 'dkePd97Vjr', 'I8tPO1GlEn', 'tMePi1w6vd', 'O22PLTeD81', 'L8ZPKeu6I2', 'IFyPrjyHMC', 'RGGt7NZIK7kejM33Ra', 'Yop4gqJQ85HaIE2oaT', 'fXsPPqoPIk', 'BNdPcZDdal'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, L9kjtgfwltBpqZpTSB.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Tc9FpF4L07', 'b6wFewHTRK', 'wPYFzLXHbv', 'wElcVI3YfS', 'LeVcPHbpyy', 'U3VcF54FhF', 'maGccLgYsM', 'v6dbQmssTUSuPmMbVGl'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, CRZFArokZ0SthcHgRC.cs	High entropy of concatenated method names: 'QOlJU8XcCK', 'fMkJeMcLgn', 'FI2YVVGA9i', 'XQkYPHkqRJ', 'rT0J7EjxgU', 'Yl0Jv4eQkF', 'WrZJA2OONj', 'zVEJk1aHH0', 'Il9J6np021', 'SrpJayMq0W'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, Y97VjrhD8t1GlEnXo0.cs	High entropy of concatenated method names: 'cmvXkorfyE', 'sFSX6mEy2E', 'jufXaL2l7M', 'n5gXqBHQH5', 'QpvXTUWkvp', 'DGXXoPuRIi', 'sgpX5xWdqA', 'Sb4XUe9Rk2', 'nREXpSbsmR', 'fcZXeUIS0d'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, NWigWqe4XCyLQCwHR5.cs	High entropy of concatenated method names: 'XejRfGl1IN', 'rvPRNDVPDP', 'O14RHvofAP', 'pOERdog78J', 'eJARnXXSGE', 'pnuROQvoiG', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, Mbm8MjpJLgPRwVOqj7.cs	High entropy of concatenated method names: 'eKgng6umms', 'WtCn4vguqc', 'aJCn3Kty0F', 'OnHnDJIjM8', 'TxRnuqJ3TK', 'gqnn0YMoGY', 'R4lnlElypp', 'kQ9n1k1T6i', 'VNvnITosw8', 'Q2ynwo6tjr'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, zgICFdPPw5PCGx8wx3W.cs	High entropy of concatenated method names: 'ha1ReJHTml', 'vn2RzyxEid', 'YYTZVE6l3u', 'VL0ZPKbusD', 'Jg3ZFLl2xo', 'p0PZcLaf78', 'OsWZjGGkRI', 'm3xZyUgUMa', 'D8OZMbkOdh', 'Y1BZXWsDTR'
Source: 0.2.Overdue_payment.pdf.exe.7e90000.4.raw.unpack, qJhEq6Xdyhgxkaf6IP.cs	High entropy of concatenated method names: 'Dispose', 'aWrPpxrrer', 'wY9F4jileT', 'itAGNhMlMW', 'SEkPesSeCl', 'FEbPzmGcny', 'ProcessDialogKey', 'mcIFVbm8Mj', 'pLgFPPRwVO', 'Tj7FFwWigW'

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe

File created: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: Overdue_payment.pdf.exe

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Overdue_payment.pdf.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lxZwKFTCWa.exe PID: 8092, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Memory allocated: 3330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Memory allocated: 5330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Memory allocated: 8340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Memory allocated: 7F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Memory allocated: 9340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Memory allocated: A340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Memory allocated: 30B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Memory allocated: 3110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Memory allocated: 5110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Memory allocated: 960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Memory allocated: 24D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Memory allocated: 2230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Memory allocated: 6ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Memory allocated: 6CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Memory allocated: 7ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Memory allocated: 8ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Memory allocated: 16D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Memory allocated: 30C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Memory allocated: 3010000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5124	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5123	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Window / User API: threadDelayed 3353	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Window / User API: threadDelayed 6487	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Window / User API: threadDelayed 3080
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Window / User API: threadDelayed 6768

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 7580	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8048	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7976	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8072	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8036	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 6100	Thread sleep count: 3353 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 6100	Thread sleep count: 6487 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -98998s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -98650s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -98531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -98422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -98312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -98094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -97984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -97875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -97765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -97656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -97547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -97437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -97328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -97219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -97109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -96998s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -96890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -96781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -96662s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -96543s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -96422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -96306s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -96113s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -95890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -95765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -95656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -95547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -95437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -95328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -95218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -95109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -95000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -94890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -94781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -94671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -94562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -94453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -94343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -94234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -94125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe TID: 736	Thread sleep time: -94015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7344	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7728	Thread sleep count: 3080 > 30
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7728	Thread sleep count: 6768 > 30
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -99219s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -98672s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -98453s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -98343s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -98234s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -98125s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -97999s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -97886s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -97779s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -97619s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -97500s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -97390s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -97281s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -97172s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -97062s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -96946s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -96828s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -96718s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -96609s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -96500s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -96390s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -96256s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -96125s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -96015s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -95903s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -95781s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -95672s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -95551s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -95435s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -95312s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -95203s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -95093s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -94984s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -94874s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -94765s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -94656s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -94546s >= -30000s
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe TID: 7684	Thread sleep time: -94437s >= -30000s

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 98998	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 98650	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 98422	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 98312	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 98094	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 97765	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 97437	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 97328	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 97219	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 97109	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 96998	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 96890	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 96781	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 96662	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 96543	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 96422	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 96306	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 96113	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 95890	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 95765	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 95656	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 95547	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 95437	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 95328	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 95218	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 95109	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 95000	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 94890	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 94781	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 94671	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 94562	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 94453	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 94343	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 94234	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 94125	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Thread delayed: delay time: 94015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 99547
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 99219
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 99000
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 98781
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 98672
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 98562
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 98453
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 98343
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 98234
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 98125
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 97999
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 97886
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 97779
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 97619
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 97500
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 97390
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 97281
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 97172
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 97062
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 96946
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 96828
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 96718
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 96609
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 96500
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 96390
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 96256
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 96125
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 96015
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 95903
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 95781
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 95672
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 95551
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 95435
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 95312
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 95203
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 95093
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 94984
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 94874
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 94765
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 94656
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 94546
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Thread delayed: delay time: 94437

Source: Overdue_payment.pdf.exe, 00000008.00000002.2922443177.0000000001424000.00000004.00000020.00020000.00000000.sdmp, lxZwKFTCWa.exe, 0000000D.00000002.2923066733.000000000124C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Overdue_payment.pdf.exe"
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe"
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Overdue_payment.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Memory written: C:\Users\user\Desktop\Overdue_payment.pdf.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Memory written: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Overdue_payment.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Process created: C:\Users\user\Desktop\Overdue_payment.pdf.exe "C:\Users\user\Desktop\Overdue_payment.pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpFB89.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Process created: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe "C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Users\user\Desktop\Overdue_payment.pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Users\user\Desktop\Overdue_payment.pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Queries volume information: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Queries volume information: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Overdue_payment.pdf.exe.4339970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Overdue_payment.pdf.exe.4374390.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Overdue_payment.pdf.exe.4374390.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2924377723.000000000318C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2924376816.000000000313C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2924377723.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2924376816.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1702589790.0000000004339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Overdue_payment.pdf.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Overdue_payment.pdf.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lxZwKFTCWa.exe PID: 3584, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Overdue_payment.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.Overdue_payment.pdf.exe.4339970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Overdue_payment.pdf.exe.4374390.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Overdue_payment.pdf.exe.4374390.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2921935892.0000000000437000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2924377723.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2924376816.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1702589790.0000000004339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Overdue_payment.pdf.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Overdue_payment.pdf.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lxZwKFTCWa.exe PID: 3584, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Overdue_payment.pdf.exe.4339970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Overdue_payment.pdf.exe.4374390.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Overdue_payment.pdf.exe.4374390.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Overdue_payment.pdf.exe.4339970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2924377723.000000000318C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2924376816.000000000313C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2924377723.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2924376816.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1702589790.0000000004339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Overdue_payment.pdf.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Overdue_payment.pdf.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lxZwKFTCWa.exe PID: 3584, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	12 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	221 Security Software Discovery	Distributed Component Object Model	1 Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Overdue_payment.pdf.exe	63%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
Overdue_payment.pdf.exe	63%	Virustotal		Browse
Overdue_payment.pdf.exe	100%	Avira	HEUR/AGEN.1305646
Overdue_payment.pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	100%	Avira	HEUR/AGEN.1305646
C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe	63%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook

Source	Detection	Scanner	Label	Link
http://mail.iaa-airferight.com	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.iaa-airferight.com	46.175.148.58	true	true		unknown
api.ipify.org	172.67.74.152	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	Overdue_payment.pdf.exe, 00000000.00000002.1702589790.0000000004339000.00000004.00000800.00020000.00000000.sdmp, lxZwKFTCWa.exe, 0000000D.00000002.2921923646.0000000000436000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.iaa-airferight.com	Overdue_payment.pdf.exe, 00000008.00000002.2924377723.000000000318C000.00000004.00000800.00020000.00000000.sdmp, lxZwKFTCWa.exe, 0000000D.00000002.2924376816.000000000313C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.tiro.com	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	Overdue_payment.pdf.exe, 00000008.00000002.2924377723.0000000003111000.00000004.00000800.00020000.00000000.sdmp, lxZwKFTCWa.exe, 0000000D.00000002.2924376816.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org	Overdue_payment.pdf.exe, 00000000.00000002.1702589790.0000000004339000.00000004.00000800.00020000.00000000.sdmp, Overdue_payment.pdf.exe, 00000008.00000002.2924377723.0000000003111000.00000004.00000800.00020000.00000000.sdmp, lxZwKFTCWa.exe, 0000000D.00000002.2921923646.0000000000434000.00000040.00000400.00020000.00000000.sdmp, lxZwKFTCWa.exe, 0000000D.00000002.2924376816.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://localhost/calculator_server/requests.php	Overdue_payment.pdf.exe, lxZwKFTCWa.exe.0.dr	false		high
http://www.jiyu-kobo.co.jp/	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Overdue_payment.pdf.exe, 00000000.00000002.1701347692.0000000003367000.00000004.00000800.00020000.00000000.sdmp, Overdue_payment.pdf.exe, 00000008.00000002.2924377723.0000000003111000.00000004.00000800.00020000.00000000.sdmp, lxZwKFTCWa.exe, 00000009.00000002.1747105184.0000000002507000.00000004.00000800.00020000.00000000.sdmp, lxZwKFTCWa.exe, 0000000D.00000002.2924376816.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Overdue_payment.pdf.exe, 00000000.00000002.1711559625.0000000007702000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.175.148.58	mail.iaa-airferight.com	Ukraine		56394	ASLAGIDKOM-NETUA	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1570483
Start date and time:	2024-12-07 05:32:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Overdue_payment.pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@20/15@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 172 Number of non-executed functions: 22
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:33:00	Task Scheduler	Run new task: lxZwKFTCWa path: C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe
23:32:57	API Interceptor	188x Sleep call for process: Overdue_payment.pdf.exe modified
23:33:00	API Interceptor	37x Sleep call for process: powershell.exe modified
23:33:03	API Interceptor	185x Sleep call for process: lxZwKFTCWa.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
46.175.148.58	PO for fabric forecast.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	980001672 PPR for 30887217.scr.exe	Get hash	malicious	AgentTesla	Browse
	lC7L7oBBMC.exe	Get hash	malicious	AgentTesla	Browse
	OHScaqAPjt.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	RFQ ENQ186 OI REQUIRE RATE.exe	Get hash	malicious	AgentTesla	Browse
	v58HgfB8Af.exe	Get hash	malicious	AgentTesla	Browse
	l6F8Xgr0Ov.exe	Get hash	malicious	AgentTesla	Browse
	SPlVyHiGOz.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	2bOizaPPDC.exe	Get hash	malicious	AgentTesla	Browse
	McEdhqMMhs.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
172.67.74.152	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Simple2.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	systemConfigChecker.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	systemConfigChecker.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	api.ipify.org/
	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.iaa-airferight.com	PO for fabric forecast.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	46.175.148.58
	980001672 PPR for 30887217.scr.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	lC7L7oBBMC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	OHScaqAPjt.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	46.175.148.58
	RFQ ENQ186 OI REQUIRE RATE.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	v58HgfB8Af.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	l6F8Xgr0Ov.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SPlVyHiGOz.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	2bOizaPPDC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	McEdhqMMhs.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
api.ipify.org	TECHNICAL SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Shipping Documents 72908672134.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	980001672 PPR for 30887217.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	y1rS62yprs.exe	Get hash	malicious	Babadeda	Browse	104.26.13.205
	apilibx64.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	xKvkNk9SXR.exe	Get hash	malicious	TrojanRansom	Browse	104.26.12.205
	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	104.26.13.205
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	104.26.13.205
	GD8c7ARn8q.exe	Get hash	malicious	TrojanRansom	Browse	104.26.12.205
	8AbMCL2dxM.exe	Get hash	malicious	RCRU64, TrojanRansom	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASLAGIDKOM-NETUA	PO for fabric forecast.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	46.175.148.58
	980001672 PPR for 30887217.scr.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	lC7L7oBBMC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	OHScaqAPjt.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	46.175.148.58
	RFQ ENQ186 OI REQUIRE RATE.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	v58HgfB8Af.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	l6F8Xgr0Ov.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SPlVyHiGOz.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	2bOizaPPDC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	McEdhqMMhs.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
CLOUDFLARENETUS	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.16.9
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	https://m.frownpasture.top/xqbgOoR7LyCdyD4DEHLii/a8f4AAdjCXhECXlkXzJZXUg0VwwMXxcvBW8NcRstA0McXyNaQkY?_t=1733539511823#	Get hash	malicious	Unknown	Browse	172.67.216.178
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.67.165.166
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	Fw 2025 Employee Handbook For all Colhca Employees Ref THEFUE.eml	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	http://i777777o726f79616c627573696e65737362616e6b757361o636f6dz.oszar.com	Get hash	malicious	Unknown	Browse	172.67.11.155
	check.exe	Get hash	malicious	Unknown	Browse	104.20.23.46

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.74.152
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.67.74.152
	TECHNICAL SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	a9YMw44iQq.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	172.67.74.152
	ozgpPwVAu1.exe	Get hash	malicious	XWorm	Browse	172.67.74.152
	https://www.google.ca/url?q=1120091333775300779273902563687390256368&rct=11200913337753007792&sa=t&url=amp/s/elanpro.net/horeca/dispenc#YnJ1bml0YS5kdW5jYW5AcGFydG5lcnNtZ3UuY29t	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.74.152
	BGM LAW GROUP - RFP 2024.pdf	Get hash	malicious	Unknown	Browse	172.67.74.152
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\Overdue_payment.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lxZwKFTCWa.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZPUyuVws:lGLHyIFKL3IZ2KRH9OugbVws
MD5:	18E30393FF7938228743359A706F90CE
SHA1:	D042841E7A99578FB7DF31A21111A90F31287D37
SHA-256:	818419579AF78103C20691E18138F0AD1154BF8356BFABFE5F43C4BADC66C367
SHA-512:	6BFEB58A5CD30CC27A410B292878AF214F711B21141DCCB5225FACC2B0269FFA17701F8878F933132545207FAAD99FB4ED7EC41298C20D474516430528B72B5F
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dgswkhhx.x42.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dydlhjom.gv0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n1vq240f.yep.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ngtkmq3j.vq2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nkgzzp4k.jyg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_othblkt1.iz2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_owmh0c3f.n32.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yyqhp04n.y44.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpE707.tmp

Download File

Process:	C:\Users\user\Desktop\Overdue_payment.pdf.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.11797655864606
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtatEJxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTy0v
MD5:	5018C5304DE895FDDB79CF1ED611362A
SHA1:	5FA47DAE370603E96D068D09682718819EA6AC1E
SHA-256:	990A54003E1B78436FE286255AE67E60452F3D5322E8E6A5656E25D5FBC1F67F
SHA-512:	BB8D06519790DF8D929DB7E217507D4B81463F07AF4F1ABCB8AE348653BFD437A3A4524CF6E6A9788DDDF2B6FEA5B7BBCED65D0136424A4A429580247511A3C8
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpFB89.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.11797655864606
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtatEJxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTy0v
MD5:	5018C5304DE895FDDB79CF1ED611362A
SHA1:	5FA47DAE370603E96D068D09682718819EA6AC1E
SHA-256:	990A54003E1B78436FE286255AE67E60452F3D5322E8E6A5656E25D5FBC1F67F
SHA-512:	BB8D06519790DF8D929DB7E217507D4B81463F07AF4F1ABCB8AE348653BFD437A3A4524CF6E6A9788DDDF2B6FEA5B7BBCED65D0136424A4A429580247511A3C8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe

Download File

Process:	C:\Users\user\Desktop\Overdue_payment.pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	859136
Entropy (8bit):	7.490482123563364
Encrypted:	false
SSDEEP:	12288:ePGzJe7dETlnrPtl16CtyEZOnwwvxWs6xyCx2BU3QeFh7j6wIF:dUmTxLvw19nwwAdoCx2e3jiJF
MD5:	8B57457C486A24230C0FCC907EE84062
SHA1:	AAB3BA33F51878F115EB64F3D3ADF3CE90F306FB
SHA-256:	C6CA7A0C812B140B8D3E1F7CEB12F0EFE6BC0F564C6312814BC9DBA1255E8788
SHA-512:	3101846CE3A5A40B9C851671D6D3A0EE15567B276B809BE844B875139D14961D76D9A55C4669CC5F1C40DA00B1B028F12A37C10AB37DB0DFC65F7EA94C142C36
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R.Rg..............0..`............... ........@.. .......................`............@.................................8...O.......`....................@....................................................... ............... ..H............text...._... ...`.................. ..`.rsrc...`............b..............@..@.reloc.......@......................@..B................l.......H.......L8...!...........Y..`%..........................................&.(.........0.............X.+......0.............Y.+......0.............Z.+......0............"........,."...?....[.+...0..(.................,...+....Y(.......Y(....X.+...0..!........~.........,.s.........~.....+..*....0..R........r...p..r...p(....t......rc..po.......o......rm..po.....s.......o......+-..(.........(....r...p..(....r...p(....o....&..( ...-...........o!.....("....o#...o$.......ijo%....

C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Overdue_payment.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.490482123563364
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Overdue_payment.pdf.exe
File size:	859'136 bytes
MD5:	8b57457c486a24230c0fcc907ee84062
SHA1:	aab3ba33f51878f115eb64f3d3adf3ce90f306fb
SHA256:	c6ca7a0c812b140b8d3e1f7ceb12f0efe6bc0f564c6312814bc9dba1255e8788
SHA512:	3101846ce3a5a40b9c851671d6d3a0ee15567b276b809be844b875139d14961d76d9a55c4669cc5f1c40da00b1b028f12a37c10ab37db0dfc65f7ea94c142c36
SSDEEP:	12288:ePGzJe7dETlnrPtl16CtyEZOnwwvxWs6xyCx2BU3QeFh7j6wIF:dUmTxLvw19nwwAdoCx2e3jiJF
TLSH:	A8050407A82D89B2DE38A33D0511D9F9A1F41D9C55C8B2164BB9BD7EF83C8211D1F92E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R.Rg..............0..`............... ........@.. .......................`............@................................

File Icon


Icon Hash:	2946e68e96b3ca4d

Static PE Info

General

Entrypoint:	0x4a7f8a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67528552 [Fri Dec 6 05:02:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007F96B4D14412h
je 00007F96B4D14412h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007F96B4D14412h
imul eax, dword ptr [eax], 00610076h
je 00007F96B4D14412h
outsd
add byte ptr [edx+00h], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add eax, dword ptr [eax]
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax+0000000Eh], al
mov byte ptr [eax], al
add byte ptr [eax+00000010h], al
test al, 00h
add byte ptr [eax+00000018h], al
rol byte ptr [eax], 00000000h
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
or dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
fadd dword ptr [eax]
add byte ptr [eax+00000002h], al
lock add byte ptr [eax], al
add byte ptr [ebx], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa7f38	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa8000	0x2b760	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa5fb0	0xa6000	3aa60354638c9b89122db397fed364a1	False	0.9318156414721386	data	7.78729195951309	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa8000	0x2b760	0x2b800	57bc12ec3a3c0aec57ce65299d3991f2	False	0.20974766522988506	data	5.130442113306273	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd4000	0xc	0x200	2cab2766266d8cf627f3d39f519ccc37	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa82e0	0x3751	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9929383518113127
RT_ICON	0xaba34	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.0891251626641429
RT_ICON	0xbc25c	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.13335610678999368
RT_ICON	0xc5704	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.16816081330868762
RT_ICON	0xcab8c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.15594000944733113
RT_ICON	0xcedb4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.23392116182572614
RT_ICON	0xd135c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.274624765478424
RT_ICON	0xd2404	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.41885245901639345
RT_ICON	0xd2d8c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.5
RT_GROUP_ICON	0xd31f4	0x84	data	0.7045454545454546
RT_GROUP_ICON	0xd3278	0x14	data	1.05
RT_VERSION	0xd328c	0x2e8	data	0.4327956989247312
RT_MANIFEST	0xd3574	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 7, 2024 05:33:01.350500107 CET	49733	443	192.168.2.4	172.67.74.152
Dec 7, 2024 05:33:01.350533962 CET	443	49733	172.67.74.152	192.168.2.4
Dec 7, 2024 05:33:01.350644112 CET	49733	443	192.168.2.4	172.67.74.152
Dec 7, 2024 05:33:01.358824015 CET	49733	443	192.168.2.4	172.67.74.152
Dec 7, 2024 05:33:01.358839035 CET	443	49733	172.67.74.152	192.168.2.4
Dec 7, 2024 05:33:02.577302933 CET	443	49733	172.67.74.152	192.168.2.4
Dec 7, 2024 05:33:02.577409983 CET	49733	443	192.168.2.4	172.67.74.152
Dec 7, 2024 05:33:02.613600016 CET	49733	443	192.168.2.4	172.67.74.152
Dec 7, 2024 05:33:02.613617897 CET	443	49733	172.67.74.152	192.168.2.4
Dec 7, 2024 05:33:02.613920927 CET	443	49733	172.67.74.152	192.168.2.4
Dec 7, 2024 05:33:02.731827974 CET	49733	443	192.168.2.4	172.67.74.152
Dec 7, 2024 05:33:02.837492943 CET	49733	443	192.168.2.4	172.67.74.152
Dec 7, 2024 05:33:02.883327007 CET	443	49733	172.67.74.152	192.168.2.4
Dec 7, 2024 05:33:03.187841892 CET	443	49733	172.67.74.152	192.168.2.4
Dec 7, 2024 05:33:03.187908888 CET	443	49733	172.67.74.152	192.168.2.4
Dec 7, 2024 05:33:03.187972069 CET	49733	443	192.168.2.4	172.67.74.152
Dec 7, 2024 05:33:03.194797993 CET	49733	443	192.168.2.4	172.67.74.152
Dec 7, 2024 05:33:04.053900003 CET	49735	25	192.168.2.4	46.175.148.58
Dec 7, 2024 05:33:05.156918049 CET	49735	25	192.168.2.4	46.175.148.58
Dec 7, 2024 05:33:05.163402081 CET	49736	443	192.168.2.4	172.67.74.152
Dec 7, 2024 05:33:05.163444996 CET	443	49736	172.67.74.152	192.168.2.4
Dec 7, 2024 05:33:05.163535118 CET	49736	443	192.168.2.4	172.67.74.152
Dec 7, 2024 05:33:05.168292046 CET	49736	443	192.168.2.4	172.67.74.152
Dec 7, 2024 05:33:05.168303013 CET	443	49736	172.67.74.152	192.168.2.4
Dec 7, 2024 05:33:06.379400969 CET	443	49736	172.67.74.152	192.168.2.4
Dec 7, 2024 05:33:06.379473925 CET	49736	443	192.168.2.4	172.67.74.152
Dec 7, 2024 05:33:06.381390095 CET	49736	443	192.168.2.4	172.67.74.152
Dec 7, 2024 05:33:06.381398916 CET	443	49736	172.67.74.152	192.168.2.4
Dec 7, 2024 05:33:06.381643057 CET	443	49736	172.67.74.152	192.168.2.4
Dec 7, 2024 05:33:06.433756113 CET	49736	443	192.168.2.4	172.67.74.152
Dec 7, 2024 05:33:06.475332022 CET	443	49736	172.67.74.152	192.168.2.4
Dec 7, 2024 05:33:06.828893900 CET	443	49736	172.67.74.152	192.168.2.4
Dec 7, 2024 05:33:06.828958988 CET	443	49736	172.67.74.152	192.168.2.4
Dec 7, 2024 05:33:06.829204082 CET	49736	443	192.168.2.4	172.67.74.152
Dec 7, 2024 05:33:06.838840008 CET	49736	443	192.168.2.4	172.67.74.152
Dec 7, 2024 05:33:07.169226885 CET	49735	25	192.168.2.4	46.175.148.58
Dec 7, 2024 05:33:08.338046074 CET	49738	25	192.168.2.4	46.175.148.58
Dec 7, 2024 05:33:09.356688023 CET	49738	25	192.168.2.4	46.175.148.58
Dec 7, 2024 05:33:11.169243097 CET	49735	25	192.168.2.4	46.175.148.58
Dec 7, 2024 05:33:11.372363091 CET	49738	25	192.168.2.4	46.175.148.58
Dec 7, 2024 05:33:15.372389078 CET	49738	25	192.168.2.4	46.175.148.58
Dec 7, 2024 05:33:19.169482946 CET	49735	25	192.168.2.4	46.175.148.58
Dec 7, 2024 05:33:23.372426033 CET	49738	25	192.168.2.4	46.175.148.58

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 7, 2024 05:33:01.166951895 CET	56740	53	192.168.2.4	1.1.1.1
Dec 7, 2024 05:33:01.304126978 CET	53	56740	1.1.1.1	192.168.2.4
Dec 7, 2024 05:33:03.827274084 CET	52957	53	192.168.2.4	1.1.1.1
Dec 7, 2024 05:33:04.053292036 CET	53	52957	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 7, 2024 05:33:01.166951895 CET	192.168.2.4	1.1.1.1	0xefd6	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 7, 2024 05:33:03.827274084 CET	192.168.2.4	1.1.1.1	0x8dea	Standard query (0)	mail.iaa-airferight.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 7, 2024 05:33:01.304126978 CET	1.1.1.1	192.168.2.4	0xefd6	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 7, 2024 05:33:01.304126978 CET	1.1.1.1	192.168.2.4	0xefd6	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 7, 2024 05:33:01.304126978 CET	1.1.1.1	192.168.2.4	0xefd6	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 7, 2024 05:33:04.053292036 CET	1.1.1.1	192.168.2.4	0x8dea	No error (0)	mail.iaa-airferight.com	46.175.148.58	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	172.67.74.152	443	7984	C:\Users\user\Desktop\Overdue_payment.pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-07 04:33:02 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-07 04:33:03 UTC	424	IN	HTTP/1.1 200 OK Date: Sat, 07 Dec 2024 04:33:03 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8ee1cb99e85cde92-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1661&min_rtt=1651&rtt_var=641&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1680092&cwnd=240&unsent_bytes=0&cid=e7fcb45bc30780bb&ts=622&x=0"
2024-12-07 04:33:03 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	172.67.74.152	443	3584	C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-07 04:33:06 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-07 04:33:06 UTC	424	IN	HTTP/1.1 200 OK Date: Sat, 07 Dec 2024 04:33:06 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8ee1cbb09b3b4331-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1675&min_rtt=1666&rtt_var=642&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1680092&cwnd=233&unsent_bytes=0&cid=422aeb523caa2f23&ts=454&x=0"
2024-12-07 04:33:06 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

Target ID:	0
Start time:	23:32:56
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\Overdue_payment.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Overdue_payment.pdf.exe"
Imagebase:	0xf50000
File size:	859'136 bytes
MD5 hash:	8B57457C486A24230C0FCC907EE84062
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1702589790.0000000004339000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1702589790.0000000004339000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:32:58
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Overdue_payment.pdf.exe"
Imagebase:	0xd70000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:32:58
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:32:58
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe"
Imagebase:	0xd70000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:32:59
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:32:59
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpE707.tmp"
Imagebase:	0xcf0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:32:59
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:32:59
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\Overdue_payment.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Overdue_payment.pdf.exe"
Imagebase:	0xdb0000
File size:	859'136 bytes
MD5 hash:	8B57457C486A24230C0FCC907EE84062
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2924377723.000000000318C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2921935892.0000000000437000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2924377723.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2924377723.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	23:33:00
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe
Imagebase:	0x20000
File size:	859'136 bytes
MD5 hash:	8B57457C486A24230C0FCC907EE84062
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:33:01
Start date:	06/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	23:33:04
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxZwKFTCWa" /XML "C:\Users\user\AppData\Local\Temp\tmpFB89.tmp"
Imagebase:	0xcf0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	23:33:04
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	23:33:04
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\lxZwKFTCWa.exe"
Imagebase:	0xc70000
File size:	859'136 bytes
MD5 hash:	8B57457C486A24230C0FCC907EE84062
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2924376816.000000000313C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2924376816.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2924376816.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	23:33:20
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5%
Total number of Nodes:	260
Total number of Limit Nodes:	11

Executed Functions

Function 05E46197 Relevance: 1.7, APIs: 1, Instructions: 164
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 05E4615A

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f4a96d3ea5facd79c25b8786701429c875ca87364d371823f17421c80ad59dd5
Instruction ID: 2217afc7678bf51ba0e9595bb39c5b379bc48d23c28b420b81bbe5880a36c24e
Opcode Fuzzy Hash: f4a96d3ea5facd79c25b8786701429c875ca87364d371823f17421c80ad59dd5
Instruction Fuzzy Hash: 8F6147B0E042198BDB14CFA9D5806AEFBF2FF89304F24D16AD449AB355D7359942CFA0

Function 03186F90 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

fkq, xrefs: 031871B8

Memory Dump Source

Source File: 00000000.00000002.1700808214.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3180000_Overdue_payment.jbxd

Similarity

API ID:
String ID: fkq
API String ID: 0-1814508662
Opcode ID: a24a3863074c26a89b547f7ae8545afe9d3e6fd74ccb62c87558b9227c58031e
Instruction ID: 06459f9aeb38d6e28d5a071ef62e8ceba5feb658f7aea4af8f2488917194cb45
Opcode Fuzzy Hash: a24a3863074c26a89b547f7ae8545afe9d3e6fd74ccb62c87558b9227c58031e
Instruction Fuzzy Hash: 2381D274E012189FCF09DFA9C994AEEBBB2FF88310F248169D405AB365DB349945CF90

Function 03183E28 Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

fkq, xrefs: 031871B8

Memory Dump Source

Source File: 00000000.00000002.1700808214.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3180000_Overdue_payment.jbxd

Similarity

API ID:
String ID: fkq
API String ID: 0-1814508662
Opcode ID: 4e168431fa0ce0d7fac6b7749a0c64e56e8e068f7c643ff916a2526a45ef6f9e
Instruction ID: 5ab5c1cc9ed0ef79b1fc27fe2cc59739faedb494e15cad35aa5ce6a55a71112a
Opcode Fuzzy Hash: 4e168431fa0ce0d7fac6b7749a0c64e56e8e068f7c643ff916a2526a45ef6f9e
Instruction Fuzzy Hash: BE81B274E012189FCF08DFA9C994AEEBBB2FF88310F248129D405AB364DB349945CF90

Function 05E49698 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0068cb12e74afd313c3c20f5493727209f3ab165cf16875265cd6107c0b43d9
Instruction ID: 70afb2870497269a8ab93c6aaba61daca3addb3c806b168b95efb8a5ee557324
Opcode Fuzzy Hash: d0068cb12e74afd313c3c20f5493727209f3ab165cf16875265cd6107c0b43d9
Instruction Fuzzy Hash: FC610771D05619CBDB28CF66D8447EABBB6BF89300F10E1EAD44DA6251EB705AC5CF40

Function 0318D450 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0318D4DE
GetCurrentThread.KERNEL32 ref: 0318D51B
GetCurrentProcess.KERNEL32 ref: 0318D558
GetCurrentThreadId.KERNEL32 ref: 0318D5B1

Memory Dump Source

Source File: 00000000.00000002.1700808214.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3180000_Overdue_payment.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 985a497a19018fd3e1c202f0192eef49b6092889611ee685dc236796cee88821
Instruction ID: 3fed4b2c575870b93a13d5ee3c97578a9dac5bbf0c54dc53fecadbf8f447edc6
Opcode Fuzzy Hash: 985a497a19018fd3e1c202f0192eef49b6092889611ee685dc236796cee88821
Instruction Fuzzy Hash: 405178B09013498FDB14DFA9D548BAEBFF5EF48314F24845AE409A73A0DB34A944CF69

Function 0318D460 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0318D4DE
GetCurrentThread.KERNEL32 ref: 0318D51B
GetCurrentProcess.KERNEL32 ref: 0318D558
GetCurrentThreadId.KERNEL32 ref: 0318D5B1

Memory Dump Source

Source File: 00000000.00000002.1700808214.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3180000_Overdue_payment.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 621c5eacb53eaf12bd46b004938aff6b53264c86b755c6d6170e8f71785e0c54
Instruction ID: db0c6e06e47e4b67f14e73cf14ce4c28e2688cd11506df94a7c5cabeeb2735ec
Opcode Fuzzy Hash: 621c5eacb53eaf12bd46b004938aff6b53264c86b755c6d6170e8f71785e0c54
Instruction Fuzzy Hash: 0E5176B09003098FDB14DFA9D648B9EBFF5EF48314F248459E409A73A0CB34A944CF69

Function 05E469F4 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05E46C36

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 55ac4cb0303fc15ef1213f2f33951cc533d474c1a5195c232d32919cc171b929
Instruction ID: 7b8f95ce79e71aaac643bcab39d3645639f941ce25ef77e449886badeec56fbe
Opcode Fuzzy Hash: 55ac4cb0303fc15ef1213f2f33951cc533d474c1a5195c232d32919cc171b929
Instruction Fuzzy Hash: 84A17C71D002199FEF20DF68D845BEEBBB2FF49314F1481A9E849A7280DB749985CF91

Function 05E46A00 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05E46C36

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e9310e02b3a99d4e30fb79f92f87030b9de3f14066757c94ee6876f21534dd49
Instruction ID: 5171c9c0a6c305e33524970fbb811e39c3f5eb6f82e68ec92b11022ba48cf921
Opcode Fuzzy Hash: e9310e02b3a99d4e30fb79f92f87030b9de3f14066757c94ee6876f21534dd49
Instruction Fuzzy Hash: E1917A71D002199FEF20DF68D845BEEBBB2FF49314F1481A9E849A7280DB749985CF91

Function 0318B1C8 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0318B41E

Memory Dump Source

Source File: 00000000.00000002.1700808214.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3180000_Overdue_payment.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 84693bf8bd4c621c0484be3328f0155bc30e0e3499ede2bc2ab2bc6f1eb81e67
Instruction ID: dcf15b1a038cb59eb8816f2086364d7a8a4c44cf0f94a1a5aa06bda73c55f1cc
Opcode Fuzzy Hash: 84693bf8bd4c621c0484be3328f0155bc30e0e3499ede2bc2ab2bc6f1eb81e67
Instruction Fuzzy Hash: 68713370A04B058FDB64EF6AD14075ABBF6FF88200F04892ED48AD7A50DB74E846CF94

Function 031844B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 031859C9

Memory Dump Source

Source File: 00000000.00000002.1700808214.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3180000_Overdue_payment.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e02aa22b0156922fd2fa1951989d2ff8d13e0e0e61a5bb098106c1f47a830244
Instruction ID: aa2fce028b44f3811db61fee7012c891380933bcaeeffeae6e7e65adb5dec0bd
Opcode Fuzzy Hash: e02aa22b0156922fd2fa1951989d2ff8d13e0e0e61a5bb098106c1f47a830244
Instruction Fuzzy Hash: 2441D3B1C00619CBDB24DFAAC984B8EBBF6FF49304F60805AD448AB251DB756945CF94

Function 0318590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 031859C9

Memory Dump Source

Source File: 00000000.00000002.1700808214.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3180000_Overdue_payment.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c2f5cbfd9c4e03931a87a952fc7410a513b29c05a44f05acd826d9bb5571228e
Instruction ID: 3db2786568b1b18c0f3af1df35aaf21e5c5ebeff0c1887e1caaf0a21aae30c45
Opcode Fuzzy Hash: c2f5cbfd9c4e03931a87a952fc7410a513b29c05a44f05acd826d9bb5571228e
Instruction Fuzzy Hash: AC41E3B1C00619CBDB24DFAAC984BCEBBF6FF49304F24805AD448AB251DB756945CF94

Function 05E46770 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05E46808

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c965d398a958ab5191c1015fbd9ec9e26b907b0bce7cf81f5786c519574d328a
Instruction ID: 61a42fa6fd69bdb6bf736914958bd57468bd7c4dfbbbd14ecb33c9990df63678
Opcode Fuzzy Hash: c965d398a958ab5191c1015fbd9ec9e26b907b0bce7cf81f5786c519574d328a
Instruction Fuzzy Hash: 3C2126B29003499FDB10CFA9C985BEEBBF5FF48314F10842AE959A7240D7789A51DB60

Function 05E46778 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05E46808

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6c797b06c17dd675fec6e7f955e26e9087aae299d7e15f8376c7a4dcfbe9b684
Instruction ID: 4fdcb3c9775eafaf217b83a13452bf9e15807d5957c4e68f0020f5c79473cb01
Opcode Fuzzy Hash: 6c797b06c17dd675fec6e7f955e26e9087aae299d7e15f8376c7a4dcfbe9b684
Instruction Fuzzy Hash: C8212AB29003499FDB10CFA9C985BDEBBF5FF48314F108429E959A7240C7789540DF60

Function 05E465D8 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05E4665E

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d04c60bffa99d13963a99a1fc7b826834519b35ff1f4039d84a8893e7f9f7828
Instruction ID: ff96a450bce2ca52a87e4b6c2b14ef9965ad8ebd3b5d7e832130c8778d15d80c
Opcode Fuzzy Hash: d04c60bffa99d13963a99a1fc7b826834519b35ff1f4039d84a8893e7f9f7828
Instruction Fuzzy Hash: 642139B19003098FDB10CFAAC585BEEBBF5EF88324F14842AE459A7340CB789545CFA5

Function 05E46861 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05E468E8

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1fd3ba05a279b8f8c5d939440dec6429708ed09ad07080523735448dfc7e8e70
Instruction ID: 7f33ba80692e77ce54e8992b896c6d07cb5481d528e6d16497ad1929cc8ff6e9
Opcode Fuzzy Hash: 1fd3ba05a279b8f8c5d939440dec6429708ed09ad07080523735448dfc7e8e70
Instruction Fuzzy Hash: B42116B19003499FDB10DFAAD985ADEFBF5FF48320F50842AE919A7240CB799501DFA1

Function 05E465E0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05E4665E

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7e21b590f146c294345eda995422254ce338ce847cf1fa413ec595b4ca5568bb
Instruction ID: c9f4e5e83c7852f68070e2c795a9bc7adf32fc9484938e6c6c5a8b87a9efab09
Opcode Fuzzy Hash: 7e21b590f146c294345eda995422254ce338ce847cf1fa413ec595b4ca5568bb
Instruction Fuzzy Hash: 742118B19003098FDB10DFAAC585BAEBBF4EF98324F14842AD559A7240CB789945CFA5

Function 05E46868 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05E468E8

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4130631681e82e128a78f6d4e470a87a3a49448dc553c3694edc6865ef795ff1
Instruction ID: c339553318ed1eccc8447bf010828da2cc5dd90401f1faadba1c9856d987f8e4
Opcode Fuzzy Hash: 4130631681e82e128a78f6d4e470a87a3a49448dc553c3694edc6865ef795ff1
Instruction Fuzzy Hash: 182128B1D003499FDB10DFAAC981ADEFBF5FF48320F10842AE919A7240C7789500DBA1

Function 0318D6A8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0318D72F

Memory Dump Source

Source File: 00000000.00000002.1700808214.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3180000_Overdue_payment.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2159d5d4aff758488aac919a2a3bdbca6d2d825a08236e701b1e12fbb75e5bbf
Instruction ID: 448429ac1727794314b7be37f27cfd710aa6cb820c03b331d6865b51c4a0ede8
Opcode Fuzzy Hash: 2159d5d4aff758488aac919a2a3bdbca6d2d825a08236e701b1e12fbb75e5bbf
Instruction Fuzzy Hash: DD21E4B59002499FDB10CFAAD984ADEFFF9EB48320F14801AE914A3350D374A940CF64

Function 0318D6A1 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0318D72F

Memory Dump Source

Source File: 00000000.00000002.1700808214.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3180000_Overdue_payment.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7cd41b9c8353fdb21f4decec2be420e708ba5c43624f321dc970048bab7eb893
Instruction ID: 19cd9a2b27bdfb36cdbf3654573dfa5c328b3349451485b9fbbf213adaf88913
Opcode Fuzzy Hash: 7cd41b9c8353fdb21f4decec2be420e708ba5c43624f321dc970048bab7eb893
Instruction Fuzzy Hash: 5E21E0B5D003499FDB10CFAAD584ADEFBF5EB48324F24842AE914A3350D378AA40CF64

Function 05E466B0 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05E46726

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d9c4c047483ef888b70b3f6548058b8e138e0a58989a2347e9432901acbb3b50
Instruction ID: 6f6447cf2e38ec0bed120490128bf36280d8b41164d4dd73a0a0b6bf04b34973
Opcode Fuzzy Hash: d9c4c047483ef888b70b3f6548058b8e138e0a58989a2347e9432901acbb3b50
Instruction Fuzzy Hash: 7F1167729002098FDB10CFAAD845ADEBFF5EB88320F14841AE519A7250C77AA500DFA0

Function 05E466B8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05E46726

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: eb5b154d9f1b32a0a0c0f0f37f2691d9080407072bb28cecc6cdeda8c8d0495c
Instruction ID: 7895fe67771812f8e471af8533d44166d8ada531be5101db8a64b39596750810
Opcode Fuzzy Hash: eb5b154d9f1b32a0a0c0f0f37f2691d9080407072bb28cecc6cdeda8c8d0495c
Instruction Fuzzy Hash: BA1167B29002498FDB10DFAAC845ADFFFF5EF88320F208419E519A7250C775A540DFA0

Function 05E460F0 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05E4615A

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 984b93491121703d1fa971525fb4e42f6420351589553d70e443ac826aaf0947
Instruction ID: aa1d023e20374c9e84bfbdb862056b7f4c3385286dd59cf25bac60d169935de0
Opcode Fuzzy Hash: 984b93491121703d1fa971525fb4e42f6420351589553d70e443ac826aaf0947
Instruction Fuzzy Hash: 5D1155B1D003498FDB20DFAAC8457AEFBF5AF88324F24841AD559A7340CB79A940CF94

Function 05E460F8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05E4615A

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d9a1b54091a0fb294ed899b81ce96484bcba58d1104f542ad8764f23ed1350b0
Instruction ID: 9ad1e60a2f02bdf7b80f4513f297a5cc5fa77fc9629badd03aa93194bd3b0d3c
Opcode Fuzzy Hash: d9a1b54091a0fb294ed899b81ce96484bcba58d1104f542ad8764f23ed1350b0
Instruction Fuzzy Hash: 621128B19003498BDB20DFAAC44579EFBF5EB88324F248419D519A7340CB75A540CF95

Function 0318B3B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0318B41E

Memory Dump Source

Source File: 00000000.00000002.1700808214.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3180000_Overdue_payment.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b91836e34f6019d3a8b18f8157a109d616f39106b0d181479e519060e62d37be
Instruction ID: 10e40e419a92a15d83b96b330a13b7ad9cd45b607580ef7f8e93003819babcb4
Opcode Fuzzy Hash: b91836e34f6019d3a8b18f8157a109d616f39106b0d181479e519060e62d37be
Instruction Fuzzy Hash: 8B110FB6C002498FCB10DF9AC544ADEFBF4EB88324F14846AD819A7310C379A545CFA5

Function 05E43380 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05E4A7ED

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 722ba194bd67f69763772fb3bec0e4ef31642c465fbf994fbe8907a3a7b9617c
Instruction ID: a8780c436c24fddeef50de9c4a3523ec269584ecaedd320800ba3b4b8e3bf7bb
Opcode Fuzzy Hash: 722ba194bd67f69763772fb3bec0e4ef31642c465fbf994fbe8907a3a7b9617c
Instruction Fuzzy Hash: 091128B58003499FDB20CF9AD489BDEFBF9EB48320F208459E958A3200D374A944CFA0

Function 05E4A789 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05E4A7ED

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0ed2314e649ecc1244878ef1cb80d71b452149c0514e0a3802b8a6a14b400c90
Instruction ID: bc43f51d9e099c3005aafa6747e259d816f34e64f647c63da4ed7acc35059575
Opcode Fuzzy Hash: 0ed2314e649ecc1244878ef1cb80d71b452149c0514e0a3802b8a6a14b400c90
Instruction Fuzzy Hash: 231103B6800349CFDB10CF99D585BDEFBF5EB48320F24845AE858A3640C375A644CFA1

Function 01A8D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700069515.0000000001A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a8d000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a43e28067995fab43110196c61e86dbcbd232d095d44c18515d675922e4d4b
Instruction ID: af14d24376723305e188a903ae123833ef7b458fd5f04cb074aa4d252a002a3c
Opcode Fuzzy Hash: 90a43e28067995fab43110196c61e86dbcbd232d095d44c18515d675922e4d4b
Instruction Fuzzy Hash: B52125B5504204EFDB05EF98D9C0B66BF65FB88324F24C56DE90A0B297C336E456CBA1

Function 01A9D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700137648.0000000001A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a9d000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad93028e621c4d9d27bbbdc4e61004048adfc69b1e06c52c6ed76d4a942c74e
Instruction ID: bf0b5a2aeedc2c2ee57d20ba20603a2fb2446af52c2a4f0c93bdd5eb37abc15a
Opcode Fuzzy Hash: 0ad93028e621c4d9d27bbbdc4e61004048adfc69b1e06c52c6ed76d4a942c74e
Instruction Fuzzy Hash: C5210371504200DFDF15DF58D5C0B26BBA5FB84364F24C56DD90A4B246C33AD4C7CA61

Function 01A9D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700137648.0000000001A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a9d000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb40d645c568b4b5fd538cdf9ab832655dc6aa0fca71fce3505a7fc0649ffcad
Instruction ID: a60bef08f3cc76d16ae136261759f119261082eb8e583c559231d0937d7873a3
Opcode Fuzzy Hash: eb40d645c568b4b5fd538cdf9ab832655dc6aa0fca71fce3505a7fc0649ffcad
Instruction Fuzzy Hash: 052104B5504200EFDF05DF98D9C0B26BBA5FB84324F24C9ADE9094F296C336D4C6CA61

Function 01A9D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700137648.0000000001A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a9d000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda65a08faacbdef95541030587efdaabccdf37e27341ee017bee5dbd0f19ca7
Instruction ID: 51c89271f48648c6614b4d1d66a307b1eb77f3fe5352afc1aa97f862d7a351a6
Opcode Fuzzy Hash: dda65a08faacbdef95541030587efdaabccdf37e27341ee017bee5dbd0f19ca7
Instruction Fuzzy Hash: 2721A4755093808FDB13CF64D590715BFB1EB45214F28C5DAD8498B697C33AD48ACB62

Function 01A8D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700069515.0000000001A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a8d000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 466391935f03e807321c6174500ae26b5084fb1cf9e1a80f937f4ed1e40bb7e3
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: BE110372404240DFDB12DF48D5C0B56BF72FB84324F24C2A9D9090B657C33AE45ACBA1

Function 01A9D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700137648.0000000001A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a9d000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: c50c5f39cdafb0df8004f8f74b26f953fdd394cf7bd22b28c506533c47ad0d96
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 78118B75504280DFDB16CF54D6C4B15BBA2FB84224F24C6AAD8494B696C33AD48ACB61

Function 01A8D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700069515.0000000001A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a8d000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde3a94003ede7b3569d892affb46db76b8afd4c7423e7aaa4bf471fc457e3b9
Instruction ID: fe940104a0989785cb52166fbaf39feddc8d7af9c3a6d2c7be380a6f9adcf67f
Opcode Fuzzy Hash: fde3a94003ede7b3569d892affb46db76b8afd4c7423e7aaa4bf471fc457e3b9
Instruction Fuzzy Hash: FA01DB724043849AE7107FAACDC4B66BFA8DF41364F18C55AED095F2C2D6799841C671

Function 01A8D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700069515.0000000001A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a8d000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c77125887cb81a68b2367bcddbcc236a4857d4853466c9de1106d85d464e8c
Instruction ID: fda74901cb5a5742381b1014724a1b0a6f301c552e1326e496a48d1666562192
Opcode Fuzzy Hash: 61c77125887cb81a68b2367bcddbcc236a4857d4853466c9de1106d85d464e8c
Instruction Fuzzy Hash: 7FF0C2724043809EE710AF1AC9C4B62FF98EB41234F18C05AFD085F286C2799844CBB0

Non-executed Functions

Function 05E44630 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

I^Z, xrefs: 05E4468B

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID:
String ID: I^Z
API String ID: 0-3459616432
Opcode ID: ab594f7a5a53516efbeb8c3a24f9779c49edbaab0d07b1085c423a84fdae8ecc
Instruction ID: 5dff00ba460349755e22747c118f5d066c68fd0b5f0dc3af607ab72a75e288f4
Opcode Fuzzy Hash: ab594f7a5a53516efbeb8c3a24f9779c49edbaab0d07b1085c423a84fdae8ecc
Instruction Fuzzy Hash: 29E116B4E041198FDB14CFA9D580AAEFBB2FF89304F249169E855AB355D730AD42CF60

Function 05E458D0 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

jxQ, xrefs: 05E4592B

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID:
String ID: jxQ
API String ID: 0-3241442434
Opcode ID: d0944eb9a1af5bfc01aa6324ad812225d3a79b4e57edad9c303a559033be7c5d
Instruction ID: 9f6b108b08eb2ecb811157e44d64dc0440ca879397304766f08bee78322f818e
Opcode Fuzzy Hash: d0944eb9a1af5bfc01aa6324ad812225d3a79b4e57edad9c303a559033be7c5d
Instruction Fuzzy Hash: 9CE10774E041198FDB14CFA9D5809AEBBB2FF89304F24916AD855AB355D730AD82CF60

Function 05E44621 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

I^Z, xrefs: 05E4468B

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID:
String ID: I^Z
API String ID: 0-3459616432
Opcode ID: 768df1b3b304f59347700ece2be84a60e0931cdc316f5e8b47daef330babfdd2
Instruction ID: 41fc8976bd41c95f8a7c847ae3ff28f9650e27f4b17667771145ed6ba0ae0024
Opcode Fuzzy Hash: 768df1b3b304f59347700ece2be84a60e0931cdc316f5e8b47daef330babfdd2
Instruction Fuzzy Hash: 285128B1E042198BDB14CFA9D5849AEFBF2FF89304F24D169D419AB355D7309942CFA0

Function 05E4C028 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f29155d4385004e9629a6170473638ae4e73ca16a14c499c6e7167c853702af
Instruction ID: 021682f7ea082d368f14d134afec3c7787263b6248ad74d6c6807f0c8d553f3b
Opcode Fuzzy Hash: 6f29155d4385004e9629a6170473638ae4e73ca16a14c499c6e7167c853702af
Instruction Fuzzy Hash: A7D189747027048BEB19EB75D450BAEB7F6AF89704F24846AD18A9B290DB35E802CF51

Function 05E43DC0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b777082c36040be41a80b699e227f2498397b9b16cbffcd65ca1510e7ceb56d
Instruction ID: 9285e18deb22e06973defe262b1a49f9c5daef46b94205a9b9cff1f62a135993
Opcode Fuzzy Hash: 8b777082c36040be41a80b699e227f2498397b9b16cbffcd65ca1510e7ceb56d
Instruction Fuzzy Hash: E5E129B4E042198FDB14DFA9C5809AEBBB2FF48304F24D169E855AB355D730AD81CF60

Function 05E441F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c47a351df98f551fbbc304c8b9e3933eee4599a2fa27c58c6998b3ab56aba0
Instruction ID: fe977d61bbae772e93479541808beddb780893d0ba5d7bd9c7ba0c23ec31b99b
Opcode Fuzzy Hash: b3c47a351df98f551fbbc304c8b9e3933eee4599a2fa27c58c6998b3ab56aba0
Instruction Fuzzy Hash: B8E118B4E041198FDB14CFA9D580AAEFBB2FF89305F249169E845AB355D730AD41CFA0

Function 05E461A8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8498821cae107a78bf959a3e41334a117340a36093a2031a3e1cc24d84c84414
Instruction ID: 0cccc7e52b15e62254553fa4540fa1afda1209b932fe72bd77b6bb6882ca8857
Opcode Fuzzy Hash: 8498821cae107a78bf959a3e41334a117340a36093a2031a3e1cc24d84c84414
Instruction Fuzzy Hash: 0CE119B4E041198FCB14CFA9D5809AEFBB2FF89305F249169E845AB359D730AD42CF60

Function 0318DFB4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700808214.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3180000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59dfe81491b39bb325651090da5d4306662b1c93a23204bc89e75e004ded56a9
Instruction ID: 8e3db8002003a2367287f328a3bef049519170f814418835919d24993a4038d3
Opcode Fuzzy Hash: 59dfe81491b39bb325651090da5d4306662b1c93a23204bc89e75e004ded56a9
Instruction Fuzzy Hash: 89A15F36E00205CFCF09EFB4D8805AEB7B2FF89301B25456AE905AB265DB31E956CF50

Function 05E43D8B Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eace2beb1a2eef8f17b65b51aa0395944bbf3a097f2ad3e97fbd2da8a29c350c
Instruction ID: 96934adcf1496d2a792ec0efd2bb31abd0066cf95bb7bd71772be40a67c6bee0
Opcode Fuzzy Hash: eace2beb1a2eef8f17b65b51aa0395944bbf3a097f2ad3e97fbd2da8a29c350c
Instruction Fuzzy Hash: 2C515BB0E042198FDB14CFA9D5806AEBBB2FF89304F24D169D418AB316D7319942CFA0

Function 05E441F3 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709732768.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e40000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33cf459dd36a293f6d7265e72ea5799b5a898015976e58bf353ebc318685c76
Instruction ID: b1facba59e548370f687a9aec45802a661abd1144427af535cec541d3d0d11c9
Opcode Fuzzy Hash: a33cf459dd36a293f6d7265e72ea5799b5a898015976e58bf353ebc318685c76
Instruction Fuzzy Hash: B2512A74E042198BDB14CFA9D580AAEFBF6FF89305F24D169D418AB355D730A942CFA0

Analysis Process: Overdue_payment.pdf.exePID: 7984, Parent PID: 7560COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	17
Total number of Limit Nodes:	4

Executed Functions

Function 06E53040 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 06E53763
$fq, xrefs: 06E5374B
$fq, xrefs: 06E53722
$fq, xrefs: 06E5373F
$fq, xrefs: 06E5376F
$fq, xrefs: 06E53716

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-1582559945
Opcode ID: 1dc513288e9c81414277c50ae2a3925ce2f3d4afcfc04d265b9d20c60fbe5dd2
Instruction ID: 9fb29b8c7cb908f0a3991e7c46206f60357fda389a9cb905f4a1935d4b3c63b1
Opcode Fuzzy Hash: 1dc513288e9c81414277c50ae2a3925ce2f3d4afcfc04d265b9d20c60fbe5dd2
Instruction Fuzzy Hash: DF321D35E1071ACFCB14DF75C89059EB7B2BFC9340F61969AD409AB264EB30AD85CB90

Function 06E57D68 Relevance: 3.0, Strings: 2, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 06E58303
$fq, xrefs: 06E5830F

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID: $fq$$fq
API String ID: 0-2537786760
Opcode ID: 9d4f0809bb51254125d1a352bbe88ce4a55396d8fa1e7f13e3e90f3a5a20e597
Instruction ID: 3149f6fcdbcde3b25174fdc23204680e3cffb262cb4c480256458a5b5f840925
Opcode Fuzzy Hash: 9d4f0809bb51254125d1a352bbe88ce4a55396d8fa1e7f13e3e90f3a5a20e597
Instruction Fuzzy Hash: 1302AE30B002168FDB54DB69D9906AFB7B2FF84314F159929D805DB394EB35EC82CB90

Function 06E52349 Relevance: 1.0, Instructions: 1008COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5770f2ce616999e62edc6fc545108207fe8500251980a54ff932f6403db19a
Instruction ID: 2f2e7493c558cf90ea5c07521e6f0a5cb1b5a059c5f5cb5ead9210c736379aad
Opcode Fuzzy Hash: 4b5770f2ce616999e62edc6fc545108207fe8500251980a54ff932f6403db19a
Instruction Fuzzy Hash: 21925634A003048FDBA4CB68C584B5DB7F2FF49318F5694A9E909AB365DB35ED81CB80

Function 06E565E0 Relevance: .8, Instructions: 812COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a13c1ae85697520314da3de957eeb3712c792439e37a2bc6f2a6a702b135b59
Instruction ID: dd454172987781fb3a6ce86671bef0dc17976786699a122d5e5d757d0affc7ec
Opcode Fuzzy Hash: 5a13c1ae85697520314da3de957eeb3712c792439e37a2bc6f2a6a702b135b59
Instruction Fuzzy Hash: AA629F34B003058FDB54DB68D584AAEB7F2EF88314F659469E806DB364DB35ED82CB90

Function 06E55588 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599d794bec650adf87f631707e48bf333e2e20976b865330093a53905d4b882d
Instruction ID: 5485776ea857eb663ed0720c5497b096f6e9cc497fe6e9f230842e74d866fd16
Opcode Fuzzy Hash: 599d794bec650adf87f631707e48bf333e2e20976b865330093a53905d4b882d
Instruction Fuzzy Hash: 6122D271E003158FDF60CBA8C5806AEBBB2EF85324F268469D855EB394DB35DC41CB91

Function 06E5B20F Relevance: .6, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1575d735c9ba18fc75e3cc23ad77676fff4c3ed03095f687b456e68a4a8776cb
Instruction ID: 33c04f78b8b8e5d0260bb774eb8fbaefc0047f85a0d202f1be53ed1ca2b6e526
Opcode Fuzzy Hash: 1575d735c9ba18fc75e3cc23ad77676fff4c3ed03095f687b456e68a4a8776cb
Instruction Fuzzy Hash: D0229170E102098FDF64CBA9D5A47AEB7B2FB45314F219526E805EB391DB34DC81CB91

Function 06E5B630 Relevance: 8.0, Strings: 6, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 06E5BB63
$fq, xrefs: 06E5BBD7
$fq, xrefs: 06E5BB97
$fq, xrefs: 06E5BBA3
$fq, xrefs: 06E5BBCB
$fq, xrefs: 06E5BB6F

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-1582559945
Opcode ID: 0c7f6a18a3dba93a745ea220ece08ceac37cff688cc5efd2509ce1d6becb0568
Instruction ID: a91552f023ef6097c6e356f79154b13d10150935e11230fb193a95851a7138a8
Opcode Fuzzy Hash: 0c7f6a18a3dba93a745ea220ece08ceac37cff688cc5efd2509ce1d6becb0568
Instruction Fuzzy Hash: 4502A030E103098FDBA4CF68D5A06AEB7B2FB45314F22956AE805DB395DB74DC81CB91

Function 06E59138 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 06E5918B
$fq, xrefs: 06E5917F
$fq, xrefs: 06E591BA
$fq, xrefs: 06E591C6

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq
API String ID: 0-2113499236
Opcode ID: 158f3074c07506c41a5603ff1be9d96c6a5fff3cbe5b2db5519a1b6fd589711a
Instruction ID: 9454d7acf0f6951e1da5e7d62d9e790bc2c1231f1615363abc0b37c5310487ee
Opcode Fuzzy Hash: 158f3074c07506c41a5603ff1be9d96c6a5fff3cbe5b2db5519a1b6fd589711a
Instruction Fuzzy Hash: 53912130F0021A8FDB54DF65D9A07AFB3B6FB85200F118569D809EB359EF349D868B91

Function 06E5CF28 Relevance: 4.5, Strings: 3, Instructions: 798
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 06E5D333
$fq, xrefs: 06E5D31F
$fq, xrefs: 06E5D327

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq
API String ID: 0-837900676
Opcode ID: 8ee503e98f26aee039903a21b619a2020666aa52034da014919373d99dbd93dd
Instruction ID: a86f2d23ef53a5649bfb77178be883f679cb4c82168acb959172bf430848dcbe
Opcode Fuzzy Hash: 8ee503e98f26aee039903a21b619a2020666aa52034da014919373d99dbd93dd
Instruction Fuzzy Hash: D862A070A002068FCB55DF69DA90A5EB7F2FF84304F209A29D415AF365DB75EC86CB81

Function 06E54B50 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Okq, xrefs: 06E54D07
fkq, xrefs: 06E5525D
XPkq, xrefs: 06E54C7D

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID: fkq$XPkq$\Okq
API String ID: 0-673657909
Opcode ID: 0c40c68cdd0d6e43b6b5662b4897eb5caf7c466edf15a7e4cad5c7dde0e6af18
Instruction ID: 55655d00a9d0e86484b78b4c7b9fa4b2e27a9d5ec8e8edb3d209711377e0cff9
Opcode Fuzzy Hash: 0c40c68cdd0d6e43b6b5662b4897eb5caf7c466edf15a7e4cad5c7dde0e6af18
Instruction Fuzzy Hash: 2C616D70F002199FEB549FA9C8547AEBBF6FF88310F218129D506AB394DB758C45CB90

Function 06E59127 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 06E5917F
$fq, xrefs: 06E591BA

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID: $fq$$fq
API String ID: 0-2537786760
Opcode ID: 8cc6100218dbc1d2d8696f94baef0dd81b66f33f71df14e4e0ce3c78b0dfb51a
Instruction ID: 5e4598d520bd2e5f0f526a773751215c69d68258fa6666579607ebf98d4003bb
Opcode Fuzzy Hash: 8cc6100218dbc1d2d8696f94baef0dd81b66f33f71df14e4e0ce3c78b0dfb51a
Instruction Fuzzy Hash: 6E514334B002169FDB54DB75D9A0BAF73F6FB89240F148469C809DB399EA34DC42CB95

Function 030FEB38 Relevance: 1.7, APIs: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2924261739.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_30f0000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fad560ef52e4984f0eeed3d2a51e6c17d6b432c164a828ce73f6339acb667d3
Instruction ID: cd54284f79c616752fefcb582dc6335b3f781b84b84ad3cf983dfbb8936a5ff6
Opcode Fuzzy Hash: 2fad560ef52e4984f0eeed3d2a51e6c17d6b432c164a828ce73f6339acb667d3
Instruction Fuzzy Hash: B6517672D0139A8FCB14DF69D8006DEBBF5EF89320F1885ABD945A7351DB389841CB90

Function 030FEC20 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 030FEC87

Memory Dump Source

Source File: 00000008.00000002.2924261739.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_30f0000_Overdue_payment.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: ccc5317d6f9a55865f5438d3b721a8a977d22233ae3982509d0624f4677de505
Instruction ID: b1746d9893ee3b3014605e75624b28341be25b4b1f4542c373aef97d630363a7
Opcode Fuzzy Hash: ccc5317d6f9a55865f5438d3b721a8a977d22233ae3982509d0624f4677de505
Instruction Fuzzy Hash: 91111FB1C0065A9FCB10CF9AC545B9EFBF8AF48320F14816AE918A7240D378A940CFA1

Function 06E54B40 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

XPkq, xrefs: 06E54C7D

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID: XPkq
API String ID: 0-3796509991
Opcode ID: bedfec22f938974d4474382a708149180d85b2c273610c539948fb5899336a7c
Instruction ID: 825c5fadc9799b8f123333c92eeedff6a0746d149fdb0b36ac900ac556b63e0c
Opcode Fuzzy Hash: bedfec22f938974d4474382a708149180d85b2c273610c539948fb5899336a7c
Instruction Fuzzy Hash: 3A417C70B002199FEB549FA9C854BAEBBF6FF88300F218529D505AB395DB748C45CB90

Function 06E5DA9D Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

PHfq, xrefs: 06E5DBF9

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID: PHfq
API String ID: 0-2154135885
Opcode ID: 709a8cdcc6ed4f05e0d9889de76a92a92d75cc439127cd8babe7e99ff5b31ade
Instruction ID: 4e88e1381dff111bc782254682487dc52d5622614019d8bf83fbfed2d47ef769
Opcode Fuzzy Hash: 709a8cdcc6ed4f05e0d9889de76a92a92d75cc439127cd8babe7e99ff5b31ade
Instruction Fuzzy Hash: 4D419170E0030A9FDB65DF65C8906AEBBB3EF85314F218529E806EB344DB759D42CB94

Function 06E521D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHfq, xrefs: 06E5230B

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID: PHfq
API String ID: 0-2154135885
Opcode ID: 9aed50351f43c2cf8c081bec46be5a34b3d151249cddbecb569317b5f8fee30a
Instruction ID: 9073726ca13019d00789fecef6f976ffe613396f9ae61fc65537e6066db294a4
Opcode Fuzzy Hash: 9aed50351f43c2cf8c081bec46be5a34b3d151249cddbecb569317b5f8fee30a
Instruction Fuzzy Hash: 56311E34B002068FDF599B74C55466F3BA3AF8A214F209428E902EB384EF35DD42C7E1

Function 06E582DE Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

$fq, xrefs: 06E58303

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID: $fq
API String ID: 0-12477121
Opcode ID: af0050d75d261ccd88337374cd8ac2f157bc35a794595f7115173d0f17bf0ec6
Instruction ID: 665e74491029696136ff4ae223e27f8f5dbdcb34faa78199e1c0b053110d779e
Opcode Fuzzy Hash: af0050d75d261ccd88337374cd8ac2f157bc35a794595f7115173d0f17bf0ec6
Instruction Fuzzy Hash: 80F0ED3AF04320CFEF688E42EA882BB73A4EB04258F1621A2CE00C3150D735CA41CA91

Function 06E5C170 Relevance: .6, Instructions: 641COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9a6cf52484b274033894770bfcad887c2583b79e0ba87cef7897d465d3fcc8
Instruction ID: 5afc2920fe4732f806ef6e1454602d9d51493871bc2047669c60836771e5a8a1
Opcode Fuzzy Hash: 1e9a6cf52484b274033894770bfcad887c2583b79e0ba87cef7897d465d3fcc8
Instruction Fuzzy Hash: A832A234B003098FDB54DF68D990AAEB7B2FB88714F219529D905EB355DB34EC82CB91

Function 06E561E0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d743241439cf98fabb99f7f8c000e3b28287d81ce6e2d5c39e90c9ae7fa5079d
Instruction ID: 8c86b475231f75266821113ab88589288d1d30f1ccf6fe7a87dcae17505c2e07
Opcode Fuzzy Hash: d743241439cf98fabb99f7f8c000e3b28287d81ce6e2d5c39e90c9ae7fa5079d
Instruction Fuzzy Hash: C261AF72F002224BDB549A6ECC8056FEAEBAFC4224B554439D80EDB374DE66EC4287C1

Function 06E54280 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20a0a0cdf128d23eb388cba4608e5fd032a223c3280358b559271b314117e18
Instruction ID: 09073000a0ff1119fd78f893e25db0cbd06f12a31b7d4d820192fa2235ba19f7
Opcode Fuzzy Hash: a20a0a0cdf128d23eb388cba4608e5fd032a223c3280358b559271b314117e18
Instruction Fuzzy Hash: 2E814130B0020A9BDF54DFA9D55475EB7F6EF85314F118529D80AEB398EB34DC828791

Function 06E545A0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b93572b5ceaa6606eb089f82ad59c90410c1df62a0a59243adce792b61865a
Instruction ID: 85003a8cb82498d135f03621232b577758c4b48246b447db31911502463bbd69
Opcode Fuzzy Hash: 46b93572b5ceaa6606eb089f82ad59c90410c1df62a0a59243adce792b61865a
Instruction Fuzzy Hash: 49916F34E003198FDF60CF64C890B9DB7B1FF89304F218699D549AB291DB70AA85CB91

Function 06E5AF08 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9e7800dd5b92c5dbc48cdf928a41e738b24e7b1b86a282abbbc4cb037c2deb
Instruction ID: 6576dc4163c31cb63bef37f8da8f160bbaf8dfc72c94d5762ab37ab3092dac71
Opcode Fuzzy Hash: 8f9e7800dd5b92c5dbc48cdf928a41e738b24e7b1b86a282abbbc4cb037c2deb
Instruction Fuzzy Hash: C3719130E1031A8FCF55DFA9D9906AEB7B2FF85304F119929E805AB354DF74A846CB90

Function 06E545B8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db703c59483009af495ee7a2f7fdabe6f77078ddac39df67407ba2b7e15e54e
Instruction ID: 29fcd6a6e248c6d5b11ecfceec7b54fc7138f33e68914e2e58a5df592652bb9c
Opcode Fuzzy Hash: 6db703c59483009af495ee7a2f7fdabe6f77078ddac39df67407ba2b7e15e54e
Instruction Fuzzy Hash: AD915E74E006198BDF60DF68C880B9DB7B1FF89304F208699D509BB394DB70AA85CF91

Function 06E5EEF0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369f49fdfe689d0fd8c1bbda628939c0d66df9f85d220ca4cd930282c4c228b2
Instruction ID: 2da5e65a5400dff0597da47ead6d5e6e71ee882f1f25523e473aaeee27fea328
Opcode Fuzzy Hash: 369f49fdfe689d0fd8c1bbda628939c0d66df9f85d220ca4cd930282c4c228b2
Instruction Fuzzy Hash: 31814970A002099FDB54DFA9D980A9EBBF6FF88304F259529E805EB355DB30ED46CB50

Function 06E5EF00 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e09fcc0ce19846735c60c8ced5fbebade65224cb487c13f0bbf2d0535b12037
Instruction ID: 13d0036868dcfdccfcb77a48b70e03a23264e67e6e31d8e7d6c478c6c7ecac45
Opcode Fuzzy Hash: 8e09fcc0ce19846735c60c8ced5fbebade65224cb487c13f0bbf2d0535b12037
Instruction Fuzzy Hash: F6714870A002098FDB54DFA9D980A9EBBF6FF88304F259529E805EB355DB30ED46CB50

Function 06E5FC58 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c14dbcb6756d7c8ac191c2b20869c1f7f4d1cc02c8ff28b43b949fb10722708f
Instruction ID: 7a3eabbf0defc52dd3212b661931b34e922d746cc2d72f1b4ab97a489e70e0ee
Opcode Fuzzy Hash: c14dbcb6756d7c8ac191c2b20869c1f7f4d1cc02c8ff28b43b949fb10722708f
Instruction Fuzzy Hash: 8751E331E00209DFCB54ABB8E5546ADBBB2FB88325F11887AE906DB350DF359945CF90

Function 06E5FA09 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871558d19849fcb50484a18c778f25c751207d2575e6915e1f3a681996611bb8
Instruction ID: 6f19214bb1bf886894cf158d4c97bb16d6bbfa081a01216abb60e894085b7876
Opcode Fuzzy Hash: 871558d19849fcb50484a18c778f25c751207d2575e6915e1f3a681996611bb8
Instruction Fuzzy Hash: FC51D770F203158BEF6457BCD9A476F365AD789314F20542AEA0AC73A5CE28CC81D7A2

Function 06E5FA18 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c24242b3e80d5b22bff17a0bad8f1e127454f5c975a4b2e4925e6fb6cc450a5
Instruction ID: 04bb3162ec1e58f88f5ef903b3a3b5b2ba020a7ae12879d0ec1c53662eadc497
Opcode Fuzzy Hash: 7c24242b3e80d5b22bff17a0bad8f1e127454f5c975a4b2e4925e6fb6cc450a5
Instruction Fuzzy Hash: 4B51A870F203158BEFA457FCD9A472F265AD789354F205429DA0AC73E5CE68CC8197A2

Function 06E553F8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bffe7434c605a900738fc11beb9d85d8a809ec2f09a9be42de16f6e82c435198
Instruction ID: ff87ea7c0e08b5758b7c08daf89116d27658c072cad29c2db1b1fda10ca931da
Opcode Fuzzy Hash: bffe7434c605a900738fc11beb9d85d8a809ec2f09a9be42de16f6e82c435198
Instruction Fuzzy Hash: BF418B71E007099BCB70CEA9D880AAFFBB2FB85314F11492AE556D7650D330E95A8B91

Function 06E5D950 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9c791b6548f5a831fda08d0c2eb18fd09e2fee6d42e7a8bac0b70e3b73c7bc
Instruction ID: 50786881b8119addecbe2525fae5b91a379d54a49dd034bfa2181b948c2d8785
Opcode Fuzzy Hash: 9e9c791b6548f5a831fda08d0c2eb18fd09e2fee6d42e7a8bac0b70e3b73c7bc
Instruction Fuzzy Hash: A831A970E1031A8BDB25DF69C99069EBBB2FF85304F119929E805EB351EB71A942C780

Function 06E52081 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f24d92be5694c3d80eef15d5283be041a8e1bcefbd7aa46d6dc8527e3615bc52
Instruction ID: 83325b12f53a8c9541ab9ecbba663a02bdb7a0ec4a97c6a3d1374f67843ffa12
Opcode Fuzzy Hash: f24d92be5694c3d80eef15d5283be041a8e1bcefbd7aa46d6dc8527e3615bc52
Instruction Fuzzy Hash: C631A535E0020A9FDB19DF64DA5469EB7B2FF88310F11C529EA06E7350DB71AD46CB50

Function 06E52090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb19a0053fbed469dd170227d6cd135071003317f1c4bc50753570182a16117d
Instruction ID: 3b1cd2011b174136595729daf0bd4f760e8e9ec3875d69d3d35fbb0b34cccba2
Opcode Fuzzy Hash: eb19a0053fbed469dd170227d6cd135071003317f1c4bc50753570182a16117d
Instruction Fuzzy Hash: F9318F30E0020A9FCB59CF65DA9469EB7B2FF89310F11C529EA06E7350DB71AD86CB50

Function 06E53A80 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf76e9707791b6f580276779bbb7f70fd211199f16249b5bd157b669682dd47b
Instruction ID: f6b5db6e6cc3cfdec9108cb7909491b1e0796b66a466d0cfdf8f8f1622b62513
Opcode Fuzzy Hash: cf76e9707791b6f580276779bbb7f70fd211199f16249b5bd157b669682dd47b
Instruction Fuzzy Hash: 2F219C35F01215AFEB40DFA9D981AEEBBF5EB48750F108026E905E7355E734DC418B90

Function 06E53A90 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2506130f14e2d69649c4f1018fc07f4e7b9078df7147a3349f533c787fa46b42
Instruction ID: 54c48d28c6e022fc0fe3e3f25b32288dee789dc423bd27a64b931f5c8307d671
Opcode Fuzzy Hash: 2506130f14e2d69649c4f1018fc07f4e7b9078df7147a3349f533c787fa46b42
Instruction Fuzzy Hash: 86219A76F012159FDB80DFA9D981AAEB7F1FB48750F10802AE905E7355E734DC418B90

Function 0176D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2923712072.000000000176D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0176D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_176d000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5655caa6c683c25d3162e6f4cb7d8388c6194598a096beab06d0ff2d13c36592
Instruction ID: f6fd122a274e1ab7c6e805655db75eb8b21e08e553667ef86fb37c35600e9d02
Opcode Fuzzy Hash: 5655caa6c683c25d3162e6f4cb7d8388c6194598a096beab06d0ff2d13c36592
Instruction Fuzzy Hash: 2D2125B1614204DFCB25DF58D9C0B26FB69FB84314F24C5ADDD894B252C336D447CA61

Function 06E53BA0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b8efb7849a5a4839d29bdeb76102f02c7b23d4373c9e0dde145511388fd9f2d
Instruction ID: a4c747c4e0177beebe2dc9e2d8ecaf1ea4efe10081d01b877c6a779036da64c4
Opcode Fuzzy Hash: 6b8efb7849a5a4839d29bdeb76102f02c7b23d4373c9e0dde145511388fd9f2d
Instruction Fuzzy Hash: 7711A131B0412A9FDF949668D9546AF73FAEBC8250F014539D906EB358FE25DC428BD0

Function 06E53859 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1504c890831e957460db58c82f9b07022f21a86210171bcee4e7ffff126d4189
Instruction ID: 08197c4a026c507396f36692e942027b98f666aa3e8c4c01e0c0206ebfba18da
Opcode Fuzzy Hash: 1504c890831e957460db58c82f9b07022f21a86210171bcee4e7ffff126d4189
Instruction Fuzzy Hash: 1621F2B1D01219AFCB00CF9AD985ACEFFB8FF49310F10852AE918A7240C375A944CFA5

Function 06E541E1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e795647b68d30f0aa9d30334850cc30850c8212f1f181f53bbbe9cae846ae1c
Instruction ID: 10815699e7ec7d970c4fac1ede500bee55e73ac323694044b818fa142fd29e05
Opcode Fuzzy Hash: 1e795647b68d30f0aa9d30334850cc30850c8212f1f181f53bbbe9cae846ae1c
Instruction Fuzzy Hash: 3E012834B042219FDB6196BCA55071BA7D6DBC9724F15883AE50AC7391DD29CD8283D1

Function 06E5F171 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddefd845765498502cbe9836da62dbad3f54bf8c2c69c84998dbf424b9e13319
Instruction ID: de1cf3ccadf7127b3d4b91c4389642ec864317ab88ec02931a1b5456a67a3b7c
Opcode Fuzzy Hash: ddefd845765498502cbe9836da62dbad3f54bf8c2c69c84998dbf424b9e13319
Instruction Fuzzy Hash: 3201D4B1B002205BDB66957CDA9072F67D6EB89624F158929F40AC7342DD14CC0747D1

Function 06E53B8F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30a05bc8f6eef143ef5b574bf5d356851def5ce0f4a5fa67b97fca65db3c647
Instruction ID: dbf14a39b16142c9a19e6b7f8166eb3a5c3834255c8b4e0ec91bef7160ff5f49
Opcode Fuzzy Hash: c30a05bc8f6eef143ef5b574bf5d356851def5ce0f4a5fa67b97fca65db3c647
Instruction Fuzzy Hash: 76014532B0452A9BCF949A69D8146AFB7FAEFC9250F15043AD846D3288FF208C068791

Function 0176D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2923712072.000000000176D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0176D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_176d000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: fc978054b0d931b99ff343a97e2afd06bb7184ae428543aa2de81ac6ff174826
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 7211BB75604284CFDB26CF58D5C0B15FBA2FB84314F28C6AADC894B656C33AD44ACB62

Function 06E5A2F0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f99f868f0fc32c848e582efe34a24aaa8bdbc11447b6f7a362a2946187f7ea0
Instruction ID: 46590a968753e94b5b7b5772e8f26399b296902661fdfb275bf3c9b89e7af9a8
Opcode Fuzzy Hash: 5f99f868f0fc32c848e582efe34a24aaa8bdbc11447b6f7a362a2946187f7ea0
Instruction Fuzzy Hash: 1401D4B1B142014FC7A5DA7CE96471FBBE1EB8A618F21997AE54AC7390DE24DC42C380

Function 06E53860 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3435ab51670e9611fd0c17a2aceaae8f624cdccef00999754b86a09b5be978c8
Instruction ID: b14f945310ca94b40dc5be4dda7afc8ccecfcee7440484f2cbab3b92bd0c513f
Opcode Fuzzy Hash: 3435ab51670e9611fd0c17a2aceaae8f624cdccef00999754b86a09b5be978c8
Instruction Fuzzy Hash: B411D3B5D01219AFCB00CF9AD985BDEFFB8FB48310F10812AE918A7240D375A944CFA5

Function 06E541F0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc3d91aed3adb6c4d420c92ddec15edb6b023ee47a947f085fdfea1399cf1b81
Instruction ID: c3cb65dad3d8bd7277682761ff357aff0143bb848585e2a8af043f0a2f32df91
Opcode Fuzzy Hash: fc3d91aed3adb6c4d420c92ddec15edb6b023ee47a947f085fdfea1399cf1b81
Instruction Fuzzy Hash: 2B01D135B001229BDB6495ADA55072BE3DBEBC8724F11883DE50AC7390DD25DC824391

Function 06E5F180 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe344c3752b7f7abc04aacd67d976b0e03ef13ab92ee3d13b8755fa96622edcf
Instruction ID: d19de4b5c4e9e67ab51ec5bb0b91028ddd895fc6c3fdc9afb90738a2abcdeb6f
Opcode Fuzzy Hash: fe344c3752b7f7abc04aacd67d976b0e03ef13ab92ee3d13b8755fa96622edcf
Instruction Fuzzy Hash: B001AFB1B102155BDB65D67CDA9072FA3D6EBC9624F209839F90AC7341DE25DC034791

Function 06E5A300 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117c85225d8288934b78160872a43d0ca8c5992e86dca66d4dafc3c6356e9602
Instruction ID: f355d50ec9e3bf0a6ac1d036efcfda70cae433316a39675367903b08f336dd13
Opcode Fuzzy Hash: 117c85225d8288934b78160872a43d0ca8c5992e86dca66d4dafc3c6356e9602
Instruction Fuzzy Hash: F001A470B102155BDB65D67CE46472FB7D6EB89718F109939E90AC7350DD25DC428384

Function 06E56461 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef6c2375e25abb8f8b37ad7e526dfbbbb78de8e4f149f9dfb50214dbf352709
Instruction ID: b810fcfc01e1e4d9286d8fa2e26c645ffe8ea76a41231c2c1fcafdd17858e154
Opcode Fuzzy Hash: 2ef6c2375e25abb8f8b37ad7e526dfbbbb78de8e4f149f9dfb50214dbf352709
Instruction Fuzzy Hash: 72E09271E10308ABDBB0CE64C91435A77AAFB01318F6258A5DC44CB252E632D912C351

Non-executed Functions

Function 06E57688 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$fq, xrefs: 06E57B79
$fq, xrefs: 06E57C18
$fq, xrefs: 06E577F9
$fq, xrefs: 06E57C2E
$fq, xrefs: 06E577C8
$fq, xrefs: 06E577ED
$fq, xrefs: 06E577BC
$fq, xrefs: 06E57C3A
$fq, xrefs: 06E57C24
$fq, xrefs: 06E57B85

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-1462074617
Opcode ID: dc1b689e8f14237f8a694bceb7e64188b01eaaab3ec8777aa63989f9b90d87e6
Instruction ID: ee5d244b1dbeaabc7759e32963b1a8ddaab1ad2a20038f5ec2f88fb1f7fb19d6
Opcode Fuzzy Hash: dc1b689e8f14237f8a694bceb7e64188b01eaaab3ec8777aa63989f9b90d87e6
Instruction Fuzzy Hash: 57122B34E013198FDF64DF69C984A9EB7B2BF88304F2195A9D809AB355DB309D81CF81

Function 06E5A920 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$fq, xrefs: 06E5AADE
$fq, xrefs: 06E5AA9C
$fq, xrefs: 06E5AA7D
$fq, xrefs: 06E5AAA8
$fq, xrefs: 06E5AA71
$fq, xrefs: 06E5AA22
$fq, xrefs: 06E5AA16
$fq, xrefs: 06E5AAD2

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-3929485403
Opcode ID: 96a028a194ecffd416360dbdc3a7bc3fec3e066bebea81da75cb8ade8995b079
Instruction ID: 238a1262a7442ec58d799a3e5c29f30a041559f99a17061c1c148c5176e25133
Opcode Fuzzy Hash: 96a028a194ecffd416360dbdc3a7bc3fec3e066bebea81da75cb8ade8995b079
Instruction Fuzzy Hash: B0919270A00309DFEB64DF69DA847AE7BB6FF84304F119639E8019B295DB349C81CB90

Function 06E57088 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

.5~q, xrefs: 06E570E3
$fq, xrefs: 06E5736A
$fq, xrefs: 06E573D0
$fq, xrefs: 06E57590
$fq, xrefs: 06E57524
$fq, xrefs: 06E5759C
$fq, xrefs: 06E573C4

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID: .5~q$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-1301248726
Opcode ID: dd53866876977246fe77c1b0f6901a9e5d24550bddd8dd8e4b97bc051a57c507
Instruction ID: bfe4b1d01ee21847894ee904bb1dc79c4c8136e0ddb9df290b502281710feae1
Opcode Fuzzy Hash: dd53866876977246fe77c1b0f6901a9e5d24550bddd8dd8e4b97bc051a57c507
Instruction Fuzzy Hash: 81F16B34A11309CFDB54DFA9C594A6EB7B2FF84304F219568D8069B794CB35EC82CB90

Function 06E583C0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$fq, xrefs: 06E58626
$fq, xrefs: 06E5861A
$fq, xrefs: 06E5867F
$fq, xrefs: 06E5868B

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq
API String ID: 0-2113499236
Opcode ID: baf8cea26c4192323336ab900c4eecb274887d8d4b5185ce2c581a062ac6c6de
Instruction ID: 8d76fe3780ff4cd0189a3ddce867e943509639c67bc99290285244b138ff3766
Opcode Fuzzy Hash: baf8cea26c4192323336ab900c4eecb274887d8d4b5185ce2c581a062ac6c6de
Instruction Fuzzy Hash: 71B14A30A112198FDB54DBA9C5906AFB7B2FF84304F259529D806DB395DB74DC82CB81

Function 06E587D8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$fq, xrefs: 06E58857
$fq, xrefs: 06E58863
LRfq, xrefs: 06E5891A
LRfq, xrefs: 06E588CB

Memory Dump Source

Source File: 00000008.00000002.2935503612.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e50000_Overdue_payment.jbxd

Similarity

API ID:
String ID: LRfq$LRfq$$fq$$fq
API String ID: 0-1810675050
Opcode ID: 903eb26f77870321711882ca3f1b8fe794c1c04653af1fb374f253472e6867b3
Instruction ID: 27e0d1f64ae3ee6e6949df380c020762d5d3d8d6f53cbdb9d38eef9ca9b334b6
Opcode Fuzzy Hash: 903eb26f77870321711882ca3f1b8fe794c1c04653af1fb374f253472e6867b3
Instruction Fuzzy Hash: B451B434B003119FDB58DB29D990A6BB7F6FF88304F15966CE8059B3A5DA34EC41CB91

Analysis Process: lxZwKFTCWa.exePID: 8092, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	222
Total number of Limit Nodes:	13

Executed Functions

Function 06C96197 Relevance: 1.7, APIs: 1, Instructions: 168
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 06C9615A

Memory Dump Source

Source File: 00000009.00000002.1751201671.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c90000_lxZwKFTCWa.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1a05c2116f2431954c074a2b077e8a6b43eec9092bb30d131dd1850eef60503a
Instruction ID: 3ffd74471519ad1d71f2707f9ba7d21b5b0c90b3754ee4d49681c7b0b8ff7dbb
Opcode Fuzzy Hash: 1a05c2116f2431954c074a2b077e8a6b43eec9092bb30d131dd1850eef60503a
Instruction Fuzzy Hash: 0E612A74E002198FDB14DFAAC5446AEFBF2FF89304F24816AD418AB255D735A942CFA0

Function 0096D450 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0096D4DE
GetCurrentThread.KERNEL32 ref: 0096D51B
GetCurrentProcess.KERNEL32 ref: 0096D558
GetCurrentThreadId.KERNEL32 ref: 0096D5B1

Memory Dump Source

Source File: 00000009.00000002.1744501577.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_960000_lxZwKFTCWa.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 73d001654b54cadaf049e9dacb7155c3c3bfec77429ae4b56b316c74f91fdd4b
Instruction ID: 56e2dbb0537fdcc5a4337376249cb6e67d3418028c41bf6ae58bd298cb18d8d0
Opcode Fuzzy Hash: 73d001654b54cadaf049e9dacb7155c3c3bfec77429ae4b56b316c74f91fdd4b
Instruction Fuzzy Hash: 9D5146B0E013498FDB14DFAAD548B9EBFF5EF88314F248459E019AB360DB74A944CB61

Function 0096D460 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0096D4DE
GetCurrentThread.KERNEL32 ref: 0096D51B
GetCurrentProcess.KERNEL32 ref: 0096D558
GetCurrentThreadId.KERNEL32 ref: 0096D5B1

Memory Dump Source

Source File: 00000009.00000002.1744501577.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_960000_lxZwKFTCWa.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ca21bb1ef45538bec72a22cba746905de0bebe2d6b661d3e09ce9649d039ecc0
Instruction ID: b6835ee0075db8eca6d46a85b5ead9a41f5db8cc99d31f75a67285e619d8163c
Opcode Fuzzy Hash: ca21bb1ef45538bec72a22cba746905de0bebe2d6b661d3e09ce9649d039ecc0
Instruction Fuzzy Hash: 3C5154B0E01309CFDB14DFAAD548B9EBBF5EF88314F208459E019A7360DB74A944CB65

Function 06C969F4 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C96C36

Memory Dump Source

Source File: 00000009.00000002.1751201671.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c90000_lxZwKFTCWa.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9275167f41664bcb3c027bbac63317e59a2a2bbc77bbf864f6800006c4bb7cf4
Instruction ID: 729d6d01aa55339870d22108c71ac7d76acef6c97034009beb9bc30e310c38a3
Opcode Fuzzy Hash: 9275167f41664bcb3c027bbac63317e59a2a2bbc77bbf864f6800006c4bb7cf4
Instruction Fuzzy Hash: A4A16B71D002198FEF64DF69C9457DDBBB2FF48310F1485A9E808A7290DB749A85CFA1

Function 06C96A00 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C96C36

Memory Dump Source

Source File: 00000009.00000002.1751201671.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c90000_lxZwKFTCWa.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 33a15200c2ac158dad105ab2f7616577385fbf58809bfb67d719856033652cc4
Instruction ID: 6b0e57f82f046df8aecda667d94178633331e0b7b1801f9c36776ea2f4071ef1
Opcode Fuzzy Hash: 33a15200c2ac158dad105ab2f7616577385fbf58809bfb67d719856033652cc4
Instruction Fuzzy Hash: 57915A71D002198FEF64DF69C945BDDBBB2FF48310F1485A9E808A7290DB749A85CFA1

Function 0096B1C8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0096B41E

Memory Dump Source

Source File: 00000009.00000002.1744501577.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_960000_lxZwKFTCWa.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 01b2940d3228aa6b20e48f7fa9c67d1b46395d73a316eb07267d31c364205f36
Instruction ID: b3c1fecbe6909c305e06ce3e2b03b493bd0f3e9b2fa4cb6293fdaa8874647a7a
Opcode Fuzzy Hash: 01b2940d3228aa6b20e48f7fa9c67d1b46395d73a316eb07267d31c364205f36
Instruction Fuzzy Hash: E0713270A00B048FDB24DF6AD055B9ABBF5FF88304F00892ED45AD7A50EB75E885CB91

Function 009644B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009659C9

Memory Dump Source

Source File: 00000009.00000002.1744501577.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_960000_lxZwKFTCWa.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e263d40653f8eb328b397bf17df511cf9382d6e04dded039ccc02899f6bc5d40
Instruction ID: 7d26a26a83cab8b7cd9a547cd10d2d3c209c8db6f7274565cfbee7d73202d0c1
Opcode Fuzzy Hash: e263d40653f8eb328b397bf17df511cf9382d6e04dded039ccc02899f6bc5d40
Instruction Fuzzy Hash: 6941DFB0C00719CBDF24DFA9C984B8EBBB9FF48304F60816AD409AB255DBB56945CF90

Function 0096590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009659C9

Memory Dump Source

Source File: 00000009.00000002.1744501577.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_960000_lxZwKFTCWa.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 772a48ccc8616fadcca1936d29f02079968cf11eff053ac855833683197799bb
Instruction ID: e85bd68ef3ff43e524f15d387c082520021f3b1607b4206816932c3ba122481d
Opcode Fuzzy Hash: 772a48ccc8616fadcca1936d29f02079968cf11eff053ac855833683197799bb
Instruction Fuzzy Hash: A041DFB1C00659CFDF24CFA9C984BDEBBB5BF48304F24816AD408AB255DB756946CF90

Function 06C96770 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C96808

Memory Dump Source

Source File: 00000009.00000002.1751201671.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c90000_lxZwKFTCWa.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: db061ca9e314919feddd7b8151293db4f77f3ee5ab023fcf32b22f7c8d1b7bce
Instruction ID: 107a9ec94897d047e0f03313212036f0f02195dd39a5a70f160420c4f69a4ad3
Opcode Fuzzy Hash: db061ca9e314919feddd7b8151293db4f77f3ee5ab023fcf32b22f7c8d1b7bce
Instruction Fuzzy Hash: 282137B5D002099FDF10DFA9C985BDEBBF1FF48310F10842AE918A7250D7789940DB60

Function 06C96778 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C96808

Memory Dump Source

Source File: 00000009.00000002.1751201671.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c90000_lxZwKFTCWa.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 05839a1fd9f8fe96063a0c329f9f8cc2d91a6a9f64c10d9657a6e37fa4269fbb
Instruction ID: 72ad37ea9a4cb435a80aaa62fb086a494e0fcdaac43325f851ce02aa51af6258
Opcode Fuzzy Hash: 05839a1fd9f8fe96063a0c329f9f8cc2d91a6a9f64c10d9657a6e37fa4269fbb
Instruction Fuzzy Hash: 1A2124B59003499FDF10DFAAC985BDEBBF5FF48320F10842AE919A7250D7789940DBA4

Function 06C965D8 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C9665E

Memory Dump Source

Source File: 00000009.00000002.1751201671.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c90000_lxZwKFTCWa.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e28f2995f7dd44005de01b696b533a02133ae3723fd371a1cf359c4b9f8ef975
Instruction ID: 7d97f8fe050d06ae4a789fb62c977162fbbfa22c846247c08bed3b76781902fa
Opcode Fuzzy Hash: e28f2995f7dd44005de01b696b533a02133ae3723fd371a1cf359c4b9f8ef975
Instruction Fuzzy Hash: 612139B5D002098FDB10DFAAC585BEEBBF5EF98324F14842AD419A7380D7789945CBA1

Function 06C996F9 Relevance: 1.6, APIs: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C996C5

Memory Dump Source

Source File: 00000009.00000002.1751201671.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c90000_lxZwKFTCWa.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cffffa59e515273e4f6c5541dfa7db3d866d227064355c7b2b0567ee0c6ce310
Instruction ID: 03fa5a3d11af38b7cc56df830be35980438d3526adee9477880a12965c02cd45
Opcode Fuzzy Hash: cffffa59e515273e4f6c5541dfa7db3d866d227064355c7b2b0567ee0c6ce310
Instruction Fuzzy Hash: FE21A9B6D052188BDF61DFA6D809BDEBBF4AF88310F18805DD406B7251CB396A40CBB1

Function 06C96861 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C968E8

Memory Dump Source

Source File: 00000009.00000002.1751201671.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c90000_lxZwKFTCWa.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 88fdd72fafb2755f78b7d933124134d2e3398c3c1965b1694261161913b76ad0
Instruction ID: be573dae3b16c6e35e628d72042f9f2a0b3c93ced42a34fd0fc14adfb5a886f9
Opcode Fuzzy Hash: 88fdd72fafb2755f78b7d933124134d2e3398c3c1965b1694261161913b76ad0
Instruction Fuzzy Hash: 362157B1D003499FDF14DFAAC985AEEBBF5FF48320F10842AE519A7250C7389504DBA4

Function 0096D6A1 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0096D72F

Memory Dump Source

Source File: 00000009.00000002.1744501577.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_960000_lxZwKFTCWa.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8ad0ac3857a0682935bcf10bdbfc325f5b41d300132fe69abc2b0bef793d4bca
Instruction ID: 5bbc6d58a514fd4ec527f0b39fc5f529cf09c3a781fa593bc05909902c5d390c
Opcode Fuzzy Hash: 8ad0ac3857a0682935bcf10bdbfc325f5b41d300132fe69abc2b0bef793d4bca
Instruction Fuzzy Hash: DD21C4B5D012499FDB10CFAAD984ADEBFF5EB48320F14841AE918A7350D378A945CFA1

Function 06C96868 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C968E8

Memory Dump Source

Source File: 00000009.00000002.1751201671.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c90000_lxZwKFTCWa.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: eac02668a0bb4e3c20b884e32299ba155315f5cf0824ceec2537ed33782df00b
Instruction ID: d61f74130881450cc9443b80d6c4e7b8a6b3215e6d8896f8fdf48407a17dc9b0
Opcode Fuzzy Hash: eac02668a0bb4e3c20b884e32299ba155315f5cf0824ceec2537ed33782df00b
Instruction Fuzzy Hash: 202125B1D003499FDF10DFAAC985AEEBBF5FF48320F10842AE519A7250C7789900DBA5

Function 06C965E0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C9665E

Memory Dump Source

Source File: 00000009.00000002.1751201671.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c90000_lxZwKFTCWa.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 69171e42e22f5067480714b9110c0cc31e94aba5ed7e9468b3682798a32232be
Instruction ID: c5f8f0345b931b207406fa84670e09455025f318cf7931b3b193b0a8149516d7
Opcode Fuzzy Hash: 69171e42e22f5067480714b9110c0cc31e94aba5ed7e9468b3682798a32232be
Instruction Fuzzy Hash: 9A2138B1D003098FDB10DFAAC585BAEBBF4EF98324F14842AD419A7340C7789945CFA1

Function 0096D6A8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0096D72F

Memory Dump Source

Source File: 00000009.00000002.1744501577.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_960000_lxZwKFTCWa.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 122db549b36ce5b9ca79f231f82c4c89bf485e64ce84a98b5c5a10500cb1b4b1
Instruction ID: ac83e74c2f5a129cd512d4c846260af2ff55b33d4cef6ea8a58ea9b91f66b51c
Opcode Fuzzy Hash: 122db549b36ce5b9ca79f231f82c4c89bf485e64ce84a98b5c5a10500cb1b4b1
Instruction Fuzzy Hash: 5421C4B5D012499FDB10CFAAD984ADEBBF9EB48320F14841AE914A7350D374A944CFA5

Function 06C966B0 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C96726

Memory Dump Source

Source File: 00000009.00000002.1751201671.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c90000_lxZwKFTCWa.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 40b8c7fe021923612443bbfbc33b5eeb0a46bff84d0026fcdcad3cf797c8aca3
Instruction ID: f4d837ba658ee3336c519b3e4c3d4f4308e27a475aad38e1a0d9678b67f582ed
Opcode Fuzzy Hash: 40b8c7fe021923612443bbfbc33b5eeb0a46bff84d0026fcdcad3cf797c8aca3
Instruction Fuzzy Hash: BA1159B59002498FDF10DFAAC945BEEBFF5EF48320F24841AE519A7250C7759544DFA0

Function 06C966B8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C96726

Memory Dump Source

Source File: 00000009.00000002.1751201671.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c90000_lxZwKFTCWa.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5f55eac1b0ca034c8456d923186ba188ee5f3b9938ba2fbd5a0575daf1462b90
Instruction ID: 44927bbf93f1d1ad2d8dd5d4d48496480d48ec8fb4f2d04cb7247b5f1f01b945
Opcode Fuzzy Hash: 5f55eac1b0ca034c8456d923186ba188ee5f3b9938ba2fbd5a0575daf1462b90
Instruction Fuzzy Hash: 5B1137B59002499FDF10DFAAC845ADEBFF5EF88320F248419E519A7250C775A940DFA1

Function 06C960F0 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06C9615A

Memory Dump Source

Source File: 00000009.00000002.1751201671.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c90000_lxZwKFTCWa.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0bcd7e677bdce71d33702e660b509a265e0bdcac17020e0c015c47f80df02243
Instruction ID: 69e60600aa33310461e54811e9fd3afa243bebfcdb808ec5e84dc280542bf495
Opcode Fuzzy Hash: 0bcd7e677bdce71d33702e660b509a265e0bdcac17020e0c015c47f80df02243
Instruction Fuzzy Hash: AE1158B5D003498FDB24DFAAC4457AEFBF5AF88324F24841AD119A7350C775A940CBA4

Function 06C99660 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C996C5

Memory Dump Source

Source File: 00000009.00000002.1751201671.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c90000_lxZwKFTCWa.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3462061733df7fb7c889589592bf5a9f30947cf3530593e81c2bd7a6357236ab
Instruction ID: d9eb157e3705714d1e1ebe31ee5811ba82ab8b6e008ec420de720b08711d2b88
Opcode Fuzzy Hash: 3462061733df7fb7c889589592bf5a9f30947cf3530593e81c2bd7a6357236ab
Instruction Fuzzy Hash: 1511E3B58003499FDB50DF99C945BDEBBF8EB48324F248419E518A7610D375A944CFB1

Function 06C960F8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06C9615A

Memory Dump Source

Source File: 00000009.00000002.1751201671.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c90000_lxZwKFTCWa.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 622597586a2f844e5d8f7c4242194fb799fa6049071594ec8172ba565aa74038
Instruction ID: 0de0d6718dab51e8c6d24957ff31cf34501c16610ce252f453c7bc41bb755ab2
Opcode Fuzzy Hash: 622597586a2f844e5d8f7c4242194fb799fa6049071594ec8172ba565aa74038
Instruction Fuzzy Hash: 4E113AB1D003498FDB20DFAAC84579EFBF5EF88324F248419D519A7350C775A940CBA5

Function 0096B3B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0096B41E

Memory Dump Source

Source File: 00000009.00000002.1744501577.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_960000_lxZwKFTCWa.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 432b9540a90c7137872945b6987d5a587156d36d998f8923a6ec023e11cf93dc
Instruction ID: 0beae3db4612d51136be4744bcb32857ddbe921e138a993f4eed0d742775c3de
Opcode Fuzzy Hash: 432b9540a90c7137872945b6987d5a587156d36d998f8923a6ec023e11cf93dc
Instruction Fuzzy Hash: 38110FB5C002498FDB20CF9AC444ADEFBF8EB88324F14841AD419A7320D379A545CFA1

Function 06C93380 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C996C5

Memory Dump Source

Source File: 00000009.00000002.1751201671.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c90000_lxZwKFTCWa.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 85c0d131009c3a4af3f6385055b81fb7a2f81067430c09e9521143f829c20829
Instruction ID: bdfa72809dc8bb076fd2ecef26049868578e32ec67d03a9e4aca33286c7a24d1
Opcode Fuzzy Hash: 85c0d131009c3a4af3f6385055b81fb7a2f81067430c09e9521143f829c20829
Instruction Fuzzy Hash: 4D1122B5800348DFDB50DF9AC989BDEBBF8EB48320F24841AE518A7310D375A940CFA0

Function 007CD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1742660431.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7cd000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d35d3803361ac957af0189aa03de5d5dc69e883964e65a3fd092b81c2f3b407d
Instruction ID: b0bb48517a423ac620aaa8fa4815043d83991d536d0096ecca454ede0ed1d7a6
Opcode Fuzzy Hash: d35d3803361ac957af0189aa03de5d5dc69e883964e65a3fd092b81c2f3b407d
Instruction Fuzzy Hash: 9021C1B2504240DFDB25DF14E9C0F26BF65FB98318F24C57DE9090A256C33AD866DAA1

Function 007DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1742791404.00000000007DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7dd000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602bf226aac0339c81e5f4e135bdb775bd667403754bd51ae187b3977823f37c
Instruction ID: 9f3c8dd273bfae05bbd573d47bb18f66cf93a6d5c829f5e2bca8abe11c8352b1
Opcode Fuzzy Hash: 602bf226aac0339c81e5f4e135bdb775bd667403754bd51ae187b3977823f37c
Instruction Fuzzy Hash: 8921D0B5604204DFCB24DF24D9C4B26BB75EBC8314F24C96AE90A4B396C33ADC47CA61

Function 007DD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1742791404.00000000007DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7dd000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16799ea948ee0bc15e751661c04e3d9b3c747a9a1c34fe809ec35380cf6c1d26
Instruction ID: 81f6ac43d4ab381805e2c74542bab93c85790bb386855ba408395d0ba2af10ac
Opcode Fuzzy Hash: 16799ea948ee0bc15e751661c04e3d9b3c747a9a1c34fe809ec35380cf6c1d26
Instruction Fuzzy Hash: CC2104B1504204EFDB25DF54D9C0B26BBB5FB88314F24C96EE9494B392C33AEC46CA61

Function 007DD005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1742791404.00000000007DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7dd000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac0a0e5b3e18ce3c3a9415ae862010c4dd8fc78305cdc3eeaf3fa74c2182acf
Instruction ID: 16311fafa7bd6129125bace155458e07f07bf797037b5f38051d4bc4f80c56ef
Opcode Fuzzy Hash: cac0a0e5b3e18ce3c3a9415ae862010c4dd8fc78305cdc3eeaf3fa74c2182acf
Instruction Fuzzy Hash: DF2171755083849FCB12CF24D994711BF71EB86314F28C5DAD8498B2A7C33ADC46CB62

Function 007CD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1742660431.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7cd000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 1fda16c7866e262735c7834cb1fb3a7894ec5a740e064cb1221dac11ea22a596
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: 6A11B176504280CFCB16CF14E9C4B16BF72FB94318F24C6ADD8494B656C33AD86ACBA1

Function 007DD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1742791404.00000000007DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7dd000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: b4a184e9936f509b25920392fe073544f772765fc0f6af5e6dca44ad3a2ead87
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 5F118B75504280DFDB26CF14D6C4B15BBB2FB84324F24C6AAD8494B796C33AE84ACB61

Function 007CD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1742660431.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7cd000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5e5a8233df20a6ec2b9a27dc221f2cd7ff1b2d12c3cca1e43742d2cb3cdbbb
Instruction ID: c4c1e607df085f288d9287812636b317500f854e16c52c4052f069b9860a7b8d
Opcode Fuzzy Hash: 8c5e5a8233df20a6ec2b9a27dc221f2cd7ff1b2d12c3cca1e43742d2cb3cdbbb
Instruction Fuzzy Hash: 8701A2720083409AEB309E69CDC4F66BFA8DF51364F18C52EED094A296D77D9C41DAB1

Function 007CD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1742660431.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7cd000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5c44960c203661bd531728df3600fb2e991f5dd2b784ff11cc267063d4c76f
Instruction ID: 1627ea4f2135690307e858b6a400fd9f29416aa149ff7b4f070b18e5ca6589fb
Opcode Fuzzy Hash: 1f5c44960c203661bd531728df3600fb2e991f5dd2b784ff11cc267063d4c76f
Instruction Fuzzy Hash: 21F06272404344AEFB209E15D9C4B62FFD8EB51734F18C45EED084A296C3799C44CBB1

Analysis Process: lxZwKFTCWa.exePID: 3584, Parent PID: 8092COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	17
Total number of Limit Nodes:	4

Executed Functions

Function 06D33040 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 06D3374B
$fq, xrefs: 06D33763
$fq, xrefs: 06D3376F
$fq, xrefs: 06D3373F
$fq, xrefs: 06D33722
$fq, xrefs: 06D33716

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-1582559945
Opcode ID: d6dc663f9dba283fb4c2d534cfa1e44e060b1cceccdcf3b86f9c2ebd685fba9e
Instruction ID: a878de7cf0408299b8eeab4c52572dafa37812073a0c6939430f533b2a74d3aa
Opcode Fuzzy Hash: d6dc663f9dba283fb4c2d534cfa1e44e060b1cceccdcf3b86f9c2ebd685fba9e
Instruction Fuzzy Hash: 4B321C31E1076ACBCB14DF75C99459DB7B2FFD9300F2186AAD409A7264EB30AD85CB90

Function 06D37D68 Relevance: 3.0, Strings: 2, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 06D3830F
$fq, xrefs: 06D38303

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: $fq$$fq
API String ID: 0-2537786760
Opcode ID: 7cb163e29389617307ebd6b13844ff06c78e6fd246a9d5b91facc559a1010069
Instruction ID: 8f197aaa3ce6554a8c534d5291330399a0f24c2488e33ddf3a153a53722e3adc
Opcode Fuzzy Hash: 7cb163e29389617307ebd6b13844ff06c78e6fd246a9d5b91facc559a1010069
Instruction Fuzzy Hash: 5B028134B002269FDB54DF65D690A6EB7B2FF84310F148929E805EB394DB75EC82DB90

Function 06D3B21B Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a99f1522fc2c651f70f69cbe67862ac0bf5fb9357e1581a7f3ad6f86818a722d
Instruction ID: 6970d293c7d892f49d2dd4fd6dc72d5081bbc3d20a38dc9c27d202c111b75f73
Opcode Fuzzy Hash: a99f1522fc2c651f70f69cbe67862ac0bf5fb9357e1581a7f3ad6f86818a722d
Instruction Fuzzy Hash: F9226F74E102298FDF64CBA9D5807AEB7B2FB59310F24842BE445DB395DA34DC81CB91

Function 06D3ACB8 Relevance: 10.4, Strings: 8, Instructions: 398
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 06D3ADE5
$fq, xrefs: 06D3AE67
$fq, xrefs: 06D3AE90
$fq, xrefs: 06D3ADD9
$fq, xrefs: 06D3AE84
$fq, xrefs: 06D3AE5B
$fq, xrefs: 06D3AE2C
$fq, xrefs: 06D3AE38

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-3929485403
Opcode ID: 090e68a0843e5aed8848fd85369bb5322a6abb2945a6f2bba6657f4ec861fcbb
Instruction ID: af2b1529280689e832a1e4289917b5173ff0309488a3d38d84c76b8b8c927799
Opcode Fuzzy Hash: 090e68a0843e5aed8848fd85369bb5322a6abb2945a6f2bba6657f4ec861fcbb
Instruction Fuzzy Hash: ABE17030F102159FCB65DF69D9806AEB7B2FF85300F14892AE845EB254EB75DC42CB91

Function 06D39138 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 06D3918B
$fq, xrefs: 06D391BA
$fq, xrefs: 06D3917F
$fq, xrefs: 06D391C6

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq
API String ID: 0-2113499236
Opcode ID: 5876047b6a66080281806765607b4358619729c79be09dec560fcea74f01b038
Instruction ID: 6f910b9a5f037ab29a4a3b6457bc42d39cec28f2f675515cc967fc37ead10d91
Opcode Fuzzy Hash: 5876047b6a66080281806765607b4358619729c79be09dec560fcea74f01b038
Instruction Fuzzy Hash: C7917330F0021A9FDB54DF65DAA076E73B6FF89200F508569C409EB358EF759D828B90

Function 06D3CF28 Relevance: 4.6, Strings: 3, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 06D3D333
$fq, xrefs: 06D3D31F
$fq, xrefs: 06D3D327

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq
API String ID: 0-837900676
Opcode ID: cb48218d741951ffec4a1505e2d101c071f5f9bbbc721403867690f5048fa44c
Instruction ID: 61ce35f1427cd9575ccb9432af9dca7c1989234ba2ea20798c7277d9b41c9cd0
Opcode Fuzzy Hash: cb48218d741951ffec4a1505e2d101c071f5f9bbbc721403867690f5048fa44c
Instruction Fuzzy Hash: 9A622E70A00216CFCB55EF68D590A5EB7B2FF84300F208969D405AF369DB79ED86CB91

Function 06D34B50 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPkq, xrefs: 06D34C7D
fkq, xrefs: 06D3525D
\Okq, xrefs: 06D34D07

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: fkq$XPkq$\Okq
API String ID: 0-673657909
Opcode ID: c0786d8cb43a5f8d971754b013f2620526d9cb45d388c9263150377baa370d92
Instruction ID: baaedb50d6e605cc1129316e6998e70eaea09406888cd1e7ec11c2314971178c
Opcode Fuzzy Hash: c0786d8cb43a5f8d971754b013f2620526d9cb45d388c9263150377baa370d92
Instruction Fuzzy Hash: 55616F70E002199FEB549FA5D8547AEBAF6FF88700F20842AD505EB394DF799C45CB90

Function 06D3912F Relevance: 2.7, Strings: 2, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 06D391BA
$fq, xrefs: 06D3917F

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: $fq$$fq
API String ID: 0-2537786760
Opcode ID: c105b103fedaf50eec95d69cf7e4266c9816bf2361901c615b813aabaaef0e5e
Instruction ID: 2bbae13b8a730b4f357fe9c5c3af8413217d7a76722310f6152b9ecd97f33b3f
Opcode Fuzzy Hash: c105b103fedaf50eec95d69cf7e4266c9816bf2361901c615b813aabaaef0e5e
Instruction Fuzzy Hash: 07516130F001169FDB54DB75DAA0B6E73F6FB88210F508429C50AEB398EB75DC429B90

Function 016DEB38 Relevance: 1.7, APIs: 1, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.2923908091.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16d0000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ebe9dcb3f2c90bddaf85e30e8dc9fc862ccb73d5c4c05228f5e592275ec60
Instruction ID: 29a00bf1fcfb3a6ff6111660af3b82f593e58679f25f62dd9eb698c0838e7f7c
Opcode Fuzzy Hash: 1a9ebe9dcb3f2c90bddaf85e30e8dc9fc862ccb73d5c4c05228f5e592275ec60
Instruction Fuzzy Hash: 82516772D013998FCB14CF69D8446EEBFF1AF89210F1985ABD508EB351DB34A945CBA0

Function 016DEC20 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 016DEC87

Memory Dump Source

Source File: 0000000D.00000002.2923908091.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16d0000_lxZwKFTCWa.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: c1cd2eca89bd4a5641f89911448fec4215a99069d8bf7d5c9cbf4c6b676388fc
Instruction ID: 90e3ddefeb1fa363d03ea4f5f35d22f71dfb769a5a9833f4956014364cfa7b61
Opcode Fuzzy Hash: c1cd2eca89bd4a5641f89911448fec4215a99069d8bf7d5c9cbf4c6b676388fc
Instruction Fuzzy Hash: 0E11F3B1C0065A9BDB10CF9AC945BDEFBF4AF48324F14816AD918B7240D379A944CFA5

Function 06D34B4B Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

XPkq, xrefs: 06D34C7D

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: XPkq
API String ID: 0-3796509991
Opcode ID: a27914cba73bb33cd016b24361453ade3597b590668b9349fb22a64c9adae922
Instruction ID: 67fa19233f915b9e93cbdfbc0bcb71f54b64196179575c5487a11435a5d7b00d
Opcode Fuzzy Hash: a27914cba73bb33cd016b24361453ade3597b590668b9349fb22a64c9adae922
Instruction Fuzzy Hash: D4416F70F002199FDB549FA5C854BAEBBF6FF88300F20852AE505AB3A5DB759C45CB90

Function 06D34B47 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

XPkq, xrefs: 06D34C7D

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: XPkq
API String ID: 0-3796509991
Opcode ID: 12867b5fdf47d10c1f23b7e0676cd1517ddace289891e2b650b005ab6dba9aff
Instruction ID: 51714a891eaeea528527f0e8bbdd756c8db5528867b3b2f555e303198e8215ea
Opcode Fuzzy Hash: 12867b5fdf47d10c1f23b7e0676cd1517ddace289891e2b650b005ab6dba9aff
Instruction Fuzzy Hash: 2B414C70B002199FDB54DFA9C854BAEBBF2FF88700F20852AD505EB3A5DA799C45CB50

Function 06D3DAB0 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PHfq, xrefs: 06D3DBF9

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: PHfq
API String ID: 0-2154135885
Opcode ID: 3e592ffe22ffa2598d126bcb09d7d3cd7f01bbcb78a9c03c9872e2972169fc84
Instruction ID: b83855caeb0866833dbd1b0f9e1d36e7ccdb3dcffbb6e879711ad5c9a595b962
Opcode Fuzzy Hash: 3e592ffe22ffa2598d126bcb09d7d3cd7f01bbcb78a9c03c9872e2972169fc84
Instruction Fuzzy Hash: AA418E70E102199FDB64DFA5D58069EBBB7FF85300F204929E806EB244EB74E846CF91

Function 06D3DA9D Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

PHfq, xrefs: 06D3DBF9

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: PHfq
API String ID: 0-2154135885
Opcode ID: 759b5fc388cfb270d54eeea50082328c4686a0f19dec2110c309364b038524cf
Instruction ID: 4afae1d72b075c40621f178621db13634eabf453da59d4985fc7508aaabafb85
Opcode Fuzzy Hash: 759b5fc388cfb270d54eeea50082328c4686a0f19dec2110c309364b038524cf
Instruction Fuzzy Hash: D6419D70E102159FDB65DF65D88069EBBB3AF85200F14452AE806EB254EB74E852CF91

Function 06D321BD Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

PHfq, xrefs: 06D3230B

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: PHfq
API String ID: 0-2154135885
Opcode ID: 4fb5bc0bd593961d627d770abb116ab58d8e866bc09f573db2acdb8d8a6772e1
Instruction ID: a38c9a86cde5b747e6f3ded4eadcaae5d39a45ed4bd54ee7ce4fbea503dd6ccc
Opcode Fuzzy Hash: 4fb5bc0bd593961d627d770abb116ab58d8e866bc09f573db2acdb8d8a6772e1
Instruction Fuzzy Hash: 6E311034F102219FDB689B74DA546AE3AB2EF89300F10442CD402EB399EE39DD41C7E5

Function 06D321D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHfq, xrefs: 06D3230B

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: PHfq
API String ID: 0-2154135885
Opcode ID: ff9db7d0314393ecc587ce9728fafbff24666b5a3a76500af5ecec96f6d4a3f6
Instruction ID: 726fbbf8c801dfe1797aa9cf72215d00861924453084447478b0b68a9607f252
Opcode Fuzzy Hash: ff9db7d0314393ecc587ce9728fafbff24666b5a3a76500af5ecec96f6d4a3f6
Instruction Fuzzy Hash: 1F31FE34F102259FDB689B74DA5466E3BB2AF89300F20842CD402EB398EE39DD41C7E1

Function 06D382DE Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

$fq, xrefs: 06D38303

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: $fq
API String ID: 0-12477121
Opcode ID: 58680126d84c52b8bb47d7a9ed2dc982a22c586b338cbec632d5ef7ef8e6c449
Instruction ID: 6e126090ffda960a62e9e1ea2bc6687f1367c57b89e1bb3dcc3c467ba1d4294e
Opcode Fuzzy Hash: 58680126d84c52b8bb47d7a9ed2dc982a22c586b338cbec632d5ef7ef8e6c449
Instruction Fuzzy Hash: 53F0ED32F04220DFEF649F82EA802B9B3B4EB40251F540076EE41E3390C739CA15EA91

Function 06D35780 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d03101a063fe57edb137ff9e0ed74e75289eeebeff5eb75f07ea4189759b9a
Instruction ID: eeebad3136fa5a29a670f45118805d98892f1fb722167d23065dfcf682c43aeb
Opcode Fuzzy Hash: f3d03101a063fe57edb137ff9e0ed74e75289eeebeff5eb75f07ea4189759b9a
Instruction Fuzzy Hash: A4E1C371F002258FDF64DFA5D5806AEB7B2FF89314F248069D845AB394DB359C86CBA0

Function 06D3B630 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77eb54a6c365482a6d134c0abcbc3c2bd2cd6c9d61f80f34777b96f629f5e540
Instruction ID: 9f5ce3e2368e846bdb172b96c8a35e84768ae4d40b4e7ea60636cd826b29b9a8
Opcode Fuzzy Hash: 77eb54a6c365482a6d134c0abcbc3c2bd2cd6c9d61f80f34777b96f629f5e540
Instruction Fuzzy Hash: F5B14C70E102298FDBA4CF68D580BADB7B1EB59310F24856BE455DB351CA74DC81CB91

Function 06D36D00 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7382a21e17c022f23bf9a2ac66989f0b744074baeb8567be74c5b32319123cc0
Instruction ID: b7f84b28f2eb89e2b0f4a3cab271bbe0fd6ccff83bb5ab30b016086ef1f777da
Opcode Fuzzy Hash: 7382a21e17c022f23bf9a2ac66989f0b744074baeb8567be74c5b32319123cc0
Instruction Fuzzy Hash: 24A15A74B00624DFCB64DB69D584A6DB7F2FF84314F548869E40AAB350DB76EC81CB84

Function 06D361E0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0e799a574e22144f4b1072525f6b4946d8b0db3507070fe1c54ecbb1219989
Instruction ID: ac00fc72686efce9e8f59126cdcc655b29b7b03a737eaa46c60eaf793917a180
Opcode Fuzzy Hash: 1b0e799a574e22144f4b1072525f6b4946d8b0db3507070fe1c54ecbb1219989
Instruction Fuzzy Hash: 7261A072F001225FDB649B6ECD8066FBAE7AFD4210B154439D80EDB364DEA6ED0287D1

Function 06D3EE70 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe7dc5ec776a1c9f05733ca49686cfb24cb6ebbbc10f271de776c6a88a57947
Instruction ID: 2fa31d24c7bba45cdc3a9b888f705c6b775bf8fda7dcce3e6c53374116a79383
Opcode Fuzzy Hash: abe7dc5ec776a1c9f05733ca49686cfb24cb6ebbbc10f271de776c6a88a57947
Instruction Fuzzy Hash: 39817B70E002199FCB54DFA9D980A9EBBF6FF88300F24846AD405EB355DA74EC46CB50

Function 06D345A0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be28a8f9171959aa107cf79216c61bff5717a7608e7a2624aa6bb0b1add4bb46
Instruction ID: d0fdc7b1ca765dd524c9c321698c47bf4d3375c2a42894e1ab27c0e551280273
Opcode Fuzzy Hash: be28a8f9171959aa107cf79216c61bff5717a7608e7a2624aa6bb0b1add4bb46
Instruction Fuzzy Hash: C6916F74E0021A8FDF60CF64C890B9DB7B1FF89300F208699D449BB295DB74AA85CF91

Function 06D34290 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d5449c8f61870246ed899e51c3bdb19ffc1eca1b273df10718090859d949a9
Instruction ID: 6cbb6f32a398a569929f50e6dd272a8f9f3aba34c8604c45eec1503708482ff4
Opcode Fuzzy Hash: 68d5449c8f61870246ed899e51c3bdb19ffc1eca1b273df10718090859d949a9
Instruction Fuzzy Hash: A4811C34B102159BDB54DFA9D65476EB7F2EF89300F108429D40AEB358EB79DC828B91

Function 06D3428B Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d2da030d844aa3641b6173472d1eff94c691c8c849bdf531c97a660e9fa4cac
Instruction ID: 94def63ba35803380e12424da39dc6f595b68f7c24a48fd41534b03700af7f14
Opcode Fuzzy Hash: 0d2da030d844aa3641b6173472d1eff94c691c8c849bdf531c97a660e9fa4cac
Instruction Fuzzy Hash: 52813D30F102169BDB54DFA9D65476EB7F2EF89300F108529D40AEB358EB79DC428B91

Function 06D345B8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b3b68cf05ce2027853b14b7d8187f76a237c30e1f020c2793c90b7eb23f148b
Instruction ID: 26df736a733e82f9057f0682d24d128bf599da71f8f50f1f0843153ae10540f8
Opcode Fuzzy Hash: 3b3b68cf05ce2027853b14b7d8187f76a237c30e1f020c2793c90b7eb23f148b
Instruction Fuzzy Hash: 57915E74E1021A8BDF60DF68C880B9DB7B1FF89300F208699D549BB355DB74AA85CF90

Function 06D3EEF0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9877ad7319135b225f901c6419efa6d3f10eeb9e482f30310bd1ee62cc9b361a
Instruction ID: 6f4668270c2cea822d2fd3606c276a0d885cbdccd9a0b7685fbdf27428cc50d3
Opcode Fuzzy Hash: 9877ad7319135b225f901c6419efa6d3f10eeb9e482f30310bd1ee62cc9b361a
Instruction Fuzzy Hash: 04713B70E002199FCB54DFA9D980A9EBBF6FF88300F24852AE405EB255DB74EC46CB51

Function 06D3EF00 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2fb0a9ad6b66529cf1428b940618c2455853b971837a8a56b1fe285eb0b6919
Instruction ID: a1029600e93ad2db3cf0dafffcf5c8007bf146b6acb20134185d1280f966140e
Opcode Fuzzy Hash: a2fb0a9ad6b66529cf1428b940618c2455853b971837a8a56b1fe285eb0b6919
Instruction Fuzzy Hash: 1E710970E002199FDB54DFA9D980A9EBBF6FF88300F14842AE415EB355DA74EC46CB51

Function 06D3FC58 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0f5a7e207eaba3942d002619af9709dba41dbb5cfcaaa158f07edc141a9772
Instruction ID: ed48ded89f88e093fe8fddd6bc81bcfac48000c68b16efdae765c4c0e57a8121
Opcode Fuzzy Hash: ae0f5a7e207eaba3942d002619af9709dba41dbb5cfcaaa158f07edc141a9772
Instruction Fuzzy Hash: 4351D671E00129DFCB54AFB8E5886AEBBB2FF88311F10487AE106E7361DB359955C790

Function 06D3FA09 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6049888d1c995319004353a075e1d5831be9afda5c305197c33a60389664f4b6
Instruction ID: ccb392c2940a4bd7b9fd267c2fd93daac1074fe280ef0e0a2ef1fd625cd5fef9
Opcode Fuzzy Hash: 6049888d1c995319004353a075e1d5831be9afda5c305197c33a60389664f4b6
Instruction Fuzzy Hash: 475195B0F202289BDF645BF8D894B6F365AD789310F20443AE64AD73D4CE6CCC4193A2

Function 06D3FA18 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658f067218b107b5efd8935a29cc22877a06525090a7f809b73ccf4e308feee0
Instruction ID: 52ab768a293edcd6cab698e783667506c744ef453d99dee630d5d4fc5c72cb49
Opcode Fuzzy Hash: 658f067218b107b5efd8935a29cc22877a06525090a7f809b73ccf4e308feee0
Instruction Fuzzy Hash: 645141B0F202289BEF645BFCD894B6E365AD789750F20443AE64AD73D4CE6CCC4157A1

Function 06D35588 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693a97983bc140439ad8516b102e012e0151b5425f84c0b854539a11f2d48f15
Instruction ID: 07ace452105811e1921074fdff8bd86e878e4f183f104e26bc8e51ced39fe243
Opcode Fuzzy Hash: 693a97983bc140439ad8516b102e012e0151b5425f84c0b854539a11f2d48f15
Instruction Fuzzy Hash: 3C51B275E042258FDF708F69E5D077EBBB2FB45310F24886AE45ADB281C635E881CB91

Function 06D3C7C0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c05b30147489b1c482cce828b1e0a962fb6677f535f1bc07c2e8a51d0d72758
Instruction ID: c874d202851e0f981616255ff375e2dd962ba099f346910e230527c3fed0e7de
Opcode Fuzzy Hash: 3c05b30147489b1c482cce828b1e0a962fb6677f535f1bc07c2e8a51d0d72758
Instruction Fuzzy Hash: 5C517C71B112299FCB54EF78D88099EB7B2FB89314F208969E406AB355DB35EC41CB90

Function 06D35408 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6da168df76f9b32a699af6f5a83cdf4f3fb907a7fadebe76333a46aa840865a
Instruction ID: 08b8dc9c2c9357d9b336372e8aea545e60c46431f94dcd1bf035937dee4efed6
Opcode Fuzzy Hash: b6da168df76f9b32a699af6f5a83cdf4f3fb907a7fadebe76333a46aa840865a
Instruction Fuzzy Hash: C6413A71E006199BDF60CFA9E880AAFFBB2FB88310F10492AE116D7650D731E9558B91

Function 06D3D950 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77bc7f75f5a3ead783b3c5e17577f29e7038be65b8d723315b7ba462f3cedeb2
Instruction ID: d9dc5e9fd5447f4f17c6f3c9c4b79937c16566ba4b03d9d395da1e1b75760947
Opcode Fuzzy Hash: 77bc7f75f5a3ead783b3c5e17577f29e7038be65b8d723315b7ba462f3cedeb2
Instruction Fuzzy Hash: D431B870E1021A9FCF14DF68D99069EBBB2FF85304F104929E405EB754DB75A946CB90

Function 06D32081 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f775f65dac41038df4ee7ba1930fb6cd66300e5857bb3b194703e9a9cf40ec
Instruction ID: 33c67e61d637c7f8ee2e9e2189ce967d104be8fcec147bc0831327ea16c8824b
Opcode Fuzzy Hash: 69f775f65dac41038df4ee7ba1930fb6cd66300e5857bb3b194703e9a9cf40ec
Instruction Fuzzy Hash: BE319E35E102159BCB58CF64D99469EF7B2FF89300F10C429E906E7354DB71AD46CB50

Function 06D32090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52827ebb616752aa24c917af3933334b08ff49d9bdfefbdf3692ec088f643fc3
Instruction ID: 7fe36daadecd8910202944d977376d55ba26d1c9603c8e39649d49a08913dbb1
Opcode Fuzzy Hash: 52827ebb616752aa24c917af3933334b08ff49d9bdfefbdf3692ec088f643fc3
Instruction Fuzzy Hash: B631AD34E1021A9BCB18CF64D99469EF7B2FF89300F10C829E906E7354DB71AD82CB50

Function 06D33A80 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e710895e11b7c33a5c125b5f58311358a169733e3a4eacb27aa4d512d4b5fe88
Instruction ID: e471ee5d3c9aa195ad52937a52f2775c9feeb12fce7c10565cb7ce0985a0b553
Opcode Fuzzy Hash: e710895e11b7c33a5c125b5f58311358a169733e3a4eacb27aa4d512d4b5fe88
Instruction Fuzzy Hash: 7A219F75F00215AFDB50CF69EA80AEEBBF1EB48710F11802AE905E7350E735D8419BA4

Function 06D33A90 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed154b9d33261071dc0dfa9b1f393118721ed1d03f83c8599c58c83debc70cb7
Instruction ID: a18415cc967433758ddb019de5a4b9e9c8527085ed8d4c03db58ca5585165216
Opcode Fuzzy Hash: ed154b9d33261071dc0dfa9b1f393118721ed1d03f83c8599c58c83debc70cb7
Instruction Fuzzy Hash: DF216075F006559FDB50CF69DA80AAEB7F2FB48710F118029EA05E7350E735DD418B94

Function 06D353F8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab103f2a4d1c0842424707a34c7572ed5da5e87ee0e32ecd5d26192580949b2e
Instruction ID: 3c697f55ad4fb5b398707dd9c795761b966a8b0ac584d35d0842115c56aef9bc
Opcode Fuzzy Hash: ab103f2a4d1c0842424707a34c7572ed5da5e87ee0e32ecd5d26192580949b2e
Instruction Fuzzy Hash: 65219F71A007159FCB24CFA9DCC0AAFBBB2FF88300F14892DE15697650D730A95A8B90

Function 0143D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2923520495.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_143d000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502255f24fc2b16c1d56b151a472afc47d76158f1193b9589408df8aaa0d7521
Instruction ID: c055d06025df0303146cb164e6d08fd11a3e2dc6f8ecfff426b2380f4c674de4
Opcode Fuzzy Hash: 502255f24fc2b16c1d56b151a472afc47d76158f1193b9589408df8aaa0d7521
Instruction Fuzzy Hash: 9D21F1B1904200DFCB15DF58D980B26FB75EBC8718F64C56AE90A4A2A2C336D447CA61

Function 06D36CFB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71bd325b98829e429d40f3ddf49fa56df5ae4e525e18f1dccfabcd2ac742e5da
Instruction ID: 34cb47838b59bfdaccd405a2c4957a0e0feff224279dc005d968c4e99485d772
Opcode Fuzzy Hash: 71bd325b98829e429d40f3ddf49fa56df5ae4e525e18f1dccfabcd2ac742e5da
Instruction Fuzzy Hash: A821D230F11029DBCF94DB69F9506AEB7B2EB84310F248429E405EB354EB35DC418B94

Function 0143D006 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2923520495.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_143d000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca168f10ea25b3d10a8fa4b393bfb7654c0c9b27c2fe021171145a9c5125d4f
Instruction ID: dc9cef93898840358cf6275247122334ce403ed9da24b51b10359d37c4c7e311
Opcode Fuzzy Hash: eca168f10ea25b3d10a8fa4b393bfb7654c0c9b27c2fe021171145a9c5125d4f
Instruction Fuzzy Hash: EB216D755093C08FDB13CF64C990715BF71AB46214F29C5DBD8898F2A3C23A980ACB62

Function 06D33BA0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4e47e443fe200910fb7e070b75c1cc42314573f262ea50ab4075be2808c5db
Instruction ID: 7dde10abf4384297498340f3e4dddb0bd48042a8ea78cd61f1bb2a69447b95ab
Opcode Fuzzy Hash: cd4e47e443fe200910fb7e070b75c1cc42314573f262ea50ab4075be2808c5db
Instruction Fuzzy Hash: 1511E131B105295BDF549669DA146AF73BAEBC8200F014039D406E7358EE24DC029BD0

Function 06D3F171 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0bdc9a50ba74623245e37dc43d92a5f96b45c296ad84532bfe75623ddc51ac2
Instruction ID: 9f7b2a72130a4959b2736ab23190875584e1051b8eefed3221f8bc9c5049b515
Opcode Fuzzy Hash: f0bdc9a50ba74623245e37dc43d92a5f96b45c296ad84532bfe75623ddc51ac2
Instruction Fuzzy Hash: 3C01D471F002246BCB65873DE960A2F77D6EBCA620F148939F50AC7340D929DC0343D2

Function 06D33859 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76232256edb43927b5d1852e8e3817b3e8fbc9b33645789bcc2ac3644e72a6b3
Instruction ID: f2912ecc41b65a025235288916b410424a6f71f9423abfd8c67755b2f7598a7a
Opcode Fuzzy Hash: 76232256edb43927b5d1852e8e3817b3e8fbc9b33645789bcc2ac3644e72a6b3
Instruction Fuzzy Hash: 3221C2B5D01259AFCB00CF9AD984ADEFBB4FB48320F11852AE518B7350D374A954CFA4

Function 06D3303B Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4450c1146a4440d29b9cc377af73b10a6b5571cd1c9b6c5645fa4da970b5871
Instruction ID: 0a961b4fb170de339b1cab3299aeb26f66286cf533cd48888359c98f08aea1dd
Opcode Fuzzy Hash: b4450c1146a4440d29b9cc377af73b10a6b5571cd1c9b6c5645fa4da970b5871
Instruction Fuzzy Hash: 9211A171E001699ECB94DFB9D9405DEF7B6EF88310F0185AAE505E7200EA319A84CB91

Function 06D33860 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b5941842b7ef0e1f4df447057e8755c5c41248ffa486389c62c9186a332a06
Instruction ID: 04de094f08b84b754026f6e3553dae5b9155795f9f5a9c676f87248d6ccd63e3
Opcode Fuzzy Hash: 53b5941842b7ef0e1f4df447057e8755c5c41248ffa486389c62c9186a332a06
Instruction Fuzzy Hash: 6011C2B1D01259AFCB00CF9AD984ADEFBB8FB48320F10812AE518A7200C375A554CFA5

Function 06D341EB Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baec5d1ed7f95bd0d0ef82c52162125a10c5e8a526f263bb3faa978f717eef6e
Instruction ID: b8b94c0234a36ee5b30b11acb3698ffba328cbc45c51399f1d02c9b9e0b11ec6
Opcode Fuzzy Hash: baec5d1ed7f95bd0d0ef82c52162125a10c5e8a526f263bb3faa978f717eef6e
Instruction Fuzzy Hash: B201D135B000211BDBA4A6ADE95472FA6DAEBC9721F10883AE10AD7365ED69DC4203E5

Function 06D341F0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b6580204b447d1a543dac08fb46715c0c47ac608c19a2fee1160f5f9477eba
Instruction ID: 0088552c04787860eb8918f7e9528925712ba5cdd1d14007b03450e8a30de58c
Opcode Fuzzy Hash: 16b6580204b447d1a543dac08fb46715c0c47ac608c19a2fee1160f5f9477eba
Instruction Fuzzy Hash: F901F435B000211BDBA496ADE94472FF7DAEBC9721F10883DE10AD7365DD69EC420391

Function 06D3A2FB Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce4d01cee6dd750790f357b5167c465ebff8e2de99f572dfbde4878443770da
Instruction ID: 75e4fab43620d8b79565e86dd4516b340b04b90e10d9fcfddf0c22efa4fa7920
Opcode Fuzzy Hash: cce4d01cee6dd750790f357b5167c465ebff8e2de99f572dfbde4878443770da
Instruction Fuzzy Hash: E701D670B101205BCB60DBBCD950B6EB3D5E789760F148839E54BD7354EA26DC4287C0

Function 06D3F180 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975b6c52130a3dfc47b125bb3750137818aaed1fff5b6afb11ce57e235869d1f
Instruction ID: 23cc20884144293955e52795033d336f35b9b3e2932f943a9419dcf918b2ffc3
Opcode Fuzzy Hash: 975b6c52130a3dfc47b125bb3750137818aaed1fff5b6afb11ce57e235869d1f
Instruction Fuzzy Hash: 8601AF76F001295BDBA5977CE890B2FB3D6EBC9620F208839E50AC7344DE65DC034391

Function 06D33B9B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0430adbd2887de9cb861492721aa3dc8323b20bce030fd298382025c395c53cb
Instruction ID: 7f5f3ff8cf4e6cad32b676ee41a3c18a6ba510f00712e4aa8ca77ed9e33c7f32
Opcode Fuzzy Hash: 0430adbd2887de9cb861492721aa3dc8323b20bce030fd298382025c395c53cb
Instruction Fuzzy Hash: 2201D132F104265BDFA49669DE106EF73BBABC8611F06403AD506E7398EE64CC1297D1

Function 06D3A300 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b9f9c3051361b74a73e124aa7ec55cdd52e60be8294775548b068c6712a53b
Instruction ID: 5ffe4f226735590230f932805dd1587308ff1f594c250b49bfb7a95d2958a84f
Opcode Fuzzy Hash: 17b9f9c3051361b74a73e124aa7ec55cdd52e60be8294775548b068c6712a53b
Instruction Fuzzy Hash: CE01A470B001205BCB64DBBCD950B2EB3D5EB89720F54883EE54BD7354DA36EC428781

Function 06D33B97 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac88b3446ae4449a85f6fa8f2834e33133fe0e9a19239004d2493497c5da891
Instruction ID: fc19bebab0e8c94dd2981e30bfe4b9ffa8f8cb73f0bede4a10722341ce6a0462
Opcode Fuzzy Hash: 7ac88b3446ae4449a85f6fa8f2834e33133fe0e9a19239004d2493497c5da891
Instruction Fuzzy Hash: 18F0C232F244655BDF94C679EA607AF62BBEBC8611F05403AD506C7298EF24CD12A790

Function 06D3C7BB Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab2d9dfcb50f58b72a471229450ae45ac9ec9a8630f613b414a9750b855b6a2
Instruction ID: e8514ae716024885946f5a9a1f064056e97f8d3f2e43d53eaf31c7edc94cc40e
Opcode Fuzzy Hash: 7ab2d9dfcb50f58b72a471229450ae45ac9ec9a8630f613b414a9750b855b6a2
Instruction Fuzzy Hash: E7018176F21135ABCB549F69E940A9EB776FB85314F11443AE801FB380DB35AD058B90

Function 06D3646B Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9caf81b6300579f79e1f06ba251c1c819ef966705c7550dbf258e8d00d53e58
Instruction ID: 4d4ccb0617238860966190747b2e522805de0194bcdae9f04f117efc61481a24
Opcode Fuzzy Hash: e9caf81b6300579f79e1f06ba251c1c819ef966705c7550dbf258e8d00d53e58
Instruction Fuzzy Hash: 4BE08CB1E14168BBDF90CFB0CA5475A73AAD749214F3288A5D408EB200E136CE028390

Function 06D36470 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa976699a50b98a0a6b50c08d3026a88d70fc42e5459dfcadbf44bb0d2ea6d04
Instruction ID: b56122b833f5e01e7523ecd6fa0c61609babac7f87556badfd056f294df368e6
Opcode Fuzzy Hash: aa976699a50b98a0a6b50c08d3026a88d70fc42e5459dfcadbf44bb0d2ea6d04
Instruction Fuzzy Hash: E0E0C270E14258BBDF50CFB0CA4575A73EDD705204F2088A4D408CB201E137DE018380

Function 06D36461 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b04abb292eb4afc3be61d29966362f3d5543366f4e5350165276087ce19722
Instruction ID: 308a768b4a5eec93c74487cc020e4d98d54b9ba4030f76a7a00edd24d91c69e7
Opcode Fuzzy Hash: 00b04abb292eb4afc3be61d29966362f3d5543366f4e5350165276087ce19722
Instruction Fuzzy Hash: F8B01243D8E3E416D5D197647D25475370FD7C2101F450AC25848CB295E50BDC30C1B2

Non-executed Functions

Function 06D37688 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$fq, xrefs: 06D377C8
$fq, xrefs: 06D37C2E
$fq, xrefs: 06D377BC
$fq, xrefs: 06D37C3A
$fq, xrefs: 06D377F9
$fq, xrefs: 06D37B79
$fq, xrefs: 06D37C18
$fq, xrefs: 06D377ED
$fq, xrefs: 06D37B85
$fq, xrefs: 06D37C24

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-1462074617
Opcode ID: 7760b2b827a21ff074dd35f8d3f62d2be41d85468d97edac425cf247cfffacb9
Instruction ID: b8f66bded05f097e6cd9ac561cc5aff3b17f6d2f41fc9b77c1d3b1dc8f03d592
Opcode Fuzzy Hash: 7760b2b827a21ff074dd35f8d3f62d2be41d85468d97edac425cf247cfffacb9
Instruction Fuzzy Hash: 5A122C70E01629CFDB64DF69C994A9EB7B2FF88300F208569D409AB354DB309D85CF95

Function 06D3A920 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$fq, xrefs: 06D3AA9C
$fq, xrefs: 06D3AADE
$fq, xrefs: 06D3AA7D
$fq, xrefs: 06D3AAA8
$fq, xrefs: 06D3AA16
$fq, xrefs: 06D3AAD2
$fq, xrefs: 06D3AA71
$fq, xrefs: 06D3AA22

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-3929485403
Opcode ID: d1f4a625df5e074cb49ca03a81864d78696274dd40cf1189e36089848193bde9
Instruction ID: 89a2b206aaef53173a285b7899541519eee26e257ec3d0a7a63ed2abff260643
Opcode Fuzzy Hash: d1f4a625df5e074cb49ca03a81864d78696274dd40cf1189e36089848193bde9
Instruction Fuzzy Hash: 04919E74F00229DFDB64DF65DA94B6E77B6EF44300F188529E481AB290DB79DC81CB90

Function 06D37088 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$fq, xrefs: 06D37524
$fq, xrefs: 06D3736A
$fq, xrefs: 06D3759C
$fq, xrefs: 06D373C4
.5~q, xrefs: 06D370E3
$fq, xrefs: 06D37590
$fq, xrefs: 06D373D0

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: .5~q$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-1301248726
Opcode ID: a9506dfbacf3f60c4782e2c91ef5634f7ab27a4fe05b5b3e96fda65304a64313
Instruction ID: 03daf5f174c7c21e0abb7ccc22b5b76d6ff83a168162964d519ce6a8c4721e65
Opcode Fuzzy Hash: a9506dfbacf3f60c4782e2c91ef5634f7ab27a4fe05b5b3e96fda65304a64313
Instruction Fuzzy Hash: 36F16C70A01219DFDB58DFA5C990A6EB7B3FF84300F248569D4059B3A4DB35EC82CB99

Function 06D3B9F0 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$fq, xrefs: 06D3BB6F
$fq, xrefs: 06D3BBCB
$fq, xrefs: 06D3BB97
$fq, xrefs: 06D3BB63
$fq, xrefs: 06D3BBA3
$fq, xrefs: 06D3BBD7

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-1582559945
Opcode ID: 7942e12779b28ba3aa89f6009ef4bcb87d97aa8a16087f170152c377e6ef22bf
Instruction ID: f6460219f2415378ccb6ac158095b1a4ef9b70c5907d046251b5a55bc4eae561
Opcode Fuzzy Hash: 7942e12779b28ba3aa89f6009ef4bcb87d97aa8a16087f170152c377e6ef22bf
Instruction Fuzzy Hash: EC718F71E102298FDB68CFA9D9906AEB7B2FF95300B10856AD4069F254DF70ED45CB81

Function 06D383C0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$fq, xrefs: 06D38626
$fq, xrefs: 06D3868B
$fq, xrefs: 06D3861A
$fq, xrefs: 06D3867F

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq
API String ID: 0-2113499236
Opcode ID: c27bd63ec75cd8c96a281efdfaa994aad7927ad402ba6a83e308ab777f5d94f4
Instruction ID: 9fca760e2a7b19eb5a10db2e733ab269ea3ac359473b6c2d8b0e885f060858ac
Opcode Fuzzy Hash: c27bd63ec75cd8c96a281efdfaa994aad7927ad402ba6a83e308ab777f5d94f4
Instruction Fuzzy Hash: 93B12B70E112298BDB64DFA5C9906AEB7B3FF88300F248429E405DB394DB75DC82DB91

Function 06D387D8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$fq, xrefs: 06D38857
$fq, xrefs: 06D38863
LRfq, xrefs: 06D388CB
LRfq, xrefs: 06D3891A

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: LRfq$LRfq$$fq$$fq
API String ID: 0-1810675050
Opcode ID: 2cf54249c0ecae2c29d688decb444acdb38f9dbdbc5274e658a6c3763aaebe45
Instruction ID: cb48cb3edd4d70dc4ffb2d3416bd4443864832ab08328d1a91de576ac0d01883
Opcode Fuzzy Hash: 2cf54249c0ecae2c29d688decb444acdb38f9dbdbc5274e658a6c3763aaebe45
Instruction Fuzzy Hash: 51519130B002119FDB58DF69D980A6AB7F6FF88700F14856DE402EB3A5DA35EC41DB91

Function 06D3ACAF Relevance: 5.2, Strings: 4, Instructions: 159COMMON

Download Yara Rule

Strings

$fq, xrefs: 06D3ADD9
$fq, xrefs: 06D3AE84
$fq, xrefs: 06D3AE5B
$fq, xrefs: 06D3AE2C

Memory Dump Source

Source File: 0000000D.00000002.2935070986.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6d30000_lxZwKFTCWa.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq
API String ID: 0-2113499236
Opcode ID: b3964d5068e495aa56f30f4b4c99fbd9f61b920e7710212d16d308d55145e89a
Instruction ID: 1669b07dd5ea70c62ac02eaee2154a2fb745bbcfa9cc6267640bf07674a036c8
Opcode Fuzzy Hash: b3964d5068e495aa56f30f4b4c99fbd9f61b920e7710212d16d308d55145e89a
Instruction Fuzzy Hash: E651B234F112159FCF65DB64E9806AEB7B2FB88200F18852DD841EB354EB35DC42CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Overdue_payment.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Overdue_payment.pdf.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lxZwKFTCWa.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dgswkhhx.x42.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dydlhjom.gv0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n1vq240f.yep.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ngtkmq3j.vq2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nkgzzp4k.jyg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_othblkt1.iz2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_owmh0c3f.n32.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yyqhp04n.y44.ps1

C:\Users\user\AppData\Local\Temp\tmpE707.tmp

Windows Analysis Report
Overdue_payment.pdf.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre