Edit tour

Windows Analysis Report
Salary Payment Information Discrepancy_pdf.pif.exe

Overview

General Information

Sample name:	Salary Payment Information Discrepancy_pdf.pif.exe
Analysis ID:	1587581
MD5:	8e04274721445f168376690ce4d0a7d9
SHA1:	f3009e4994a5316ebbd5b711ceade454f389bcb1
SHA256:	9604ee9c0cf521a022d9726b2e1dd82e6b3813d2ade567430b39a2fd9545063b
Tags:	exepifuser-abuse_ch
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Salary Payment Information Discrepancy_pdf.pif.exe (PID: 1908 cmdline: "C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe" MD5: 8E04274721445F168376690CE4D0A7D9)

powershell.exe (PID: 4196 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gmerYar.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 3820 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 3520 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpC24A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Salary Payment Information Discrepancy_pdf.pif.exe (PID: 5980 cmdline: "C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe" MD5: 8E04274721445F168376690CE4D0A7D9)

gmerYar.exe (PID: 6832 cmdline: C:\Users\user\AppData\Roaming\gmerYar.exe MD5: 8E04274721445F168376690CE4D0A7D9)

schtasks.exe (PID: 3060 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpD034.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

gmerYar.exe (PID: 6636 cmdline: "C:\Users\user\AppData\Roaming\gmerYar.exe" MD5: 8E04274721445F168376690CE4D0A7D9)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "serverche399@gpsamsterdamqroup.com", "Password": "     j4YX(KT7UCZ1      ", "Server": "fiber13.dnsiaas.com", "To": "almightstephen@gmail.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf83f:$a1: get_encryptedPassword 0xfb67:$a2: get_encryptedUsername 0xf5da:$a3: get_timePasswordChanged 0xf6fb:$a4: get_passwordField 0xf855:$a5: set_encryptedPassword 0x111b1:$a7: get_logins 0x10e62:$a8: GetOutlookPasswords 0x10c54:$a9: StartKeylogger 0x11101:$a10: KeyLoggerEventArgs 0x10cb1:$a11: KeyLoggerEventArgsEventHandler
00000007.00000002.3362234261.0000000000403000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.3362234261.0000000000403000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdfa7:$a1: get_encryptedPassword 0xe2cf:$a2: get_encryptedUsername 0xdd42:$a3: get_timePasswordChanged 0xde63:$a4: get_passwordField 0xdfbd:$a5: set_encryptedPassword 0xf919:$a7: get_logins 0xf5ca:$a8: GetOutlookPasswords 0xf3bc:$a9: StartKeylogger 0xf869:$a10: KeyLoggerEventArgs 0xf419:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf5ff:$a1: get_encryptedPassword 0xf927:$a2: get_encryptedUsername 0xf39a:$a3: get_timePasswordChanged 0xf4bb:$a4: get_passwordField 0xf615:$a5: set_encryptedPassword 0x10f71:$a7: get_logins 0x10c22:$a8: GetOutlookPasswords 0x10a14:$a9: StartKeylogger 0x10ec1:$a10: KeyLoggerEventArgs 0x10a71:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2162161385.00000000070D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.3364853839.0000000002A05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3364967117.0000000002B94000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf89f:$a1: get_encryptedPassword 0x896d7:$a1: get_encryptedPassword 0xfbc7:$a2: get_encryptedUsername 0x899ff:$a2: get_encryptedUsername 0xf63a:$a3: get_timePasswordChanged 0x89472:$a3: get_timePasswordChanged 0xf75b:$a4: get_passwordField 0x89593:$a4: get_passwordField 0xf8b5:$a5: set_encryptedPassword 0x896ed:$a5: set_encryptedPassword 0x11211:$a7: get_logins 0x8b049:$a7: get_logins 0x10ec2:$a8: GetOutlookPasswords 0x8acfa:$a8: GetOutlookPasswords 0x10cb4:$a9: StartKeylogger 0x8aaec:$a9: StartKeylogger 0x11161:$a10: KeyLoggerEventArgs 0x8af99:$a10: KeyLoggerEventArgs 0x10d11:$a11: KeyLoggerEventArgsEventHandler 0x8ab49:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 1908	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 1908	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 1908	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 1908	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 1908	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c348:$a1: get_encryptedPassword 0x49443:$a1: get_encryptedPassword 0x2c661:$a2: get_encryptedUsername 0x4975c:$a2: get_encryptedUsername 0x2c0f7:$a3: get_timePasswordChanged 0x491f2:$a3: get_timePasswordChanged 0x2c218:$a4: get_passwordField 0x49313:$a4: get_passwordField 0x2c35e:$a5: set_encryptedPassword 0x49459:$a5: set_encryptedPassword 0x2dc61:$a7: get_logins 0x4ad5c:$a7: get_logins 0x2d912:$a8: GetOutlookPasswords 0x4aa0d:$a8: GetOutlookPasswords 0x2d704:$a9: StartKeylogger 0x4a7ff:$a9: StartKeylogger 0x2dbb1:$a10: KeyLoggerEventArgs 0x4acac:$a10: KeyLoggerEventArgs 0x2d761:$a11: KeyLoggerEventArgsEventHandler 0x4a85c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 5980	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 5980	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 5980	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x336eb:$a1: get_encryptedPassword 0x33a04:$a2: get_encryptedUsername 0x3349a:$a3: get_timePasswordChanged 0x335bb:$a4: get_passwordField 0x33701:$a5: set_encryptedPassword 0x35004:$a7: get_logins 0x34cb5:$a8: GetOutlookPasswords 0x34aa7:$a9: StartKeylogger 0x34f54:$a10: KeyLoggerEventArgs 0x34b04:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: gmerYar.exe PID: 6832	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: gmerYar.exe PID: 6832	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: gmerYar.exe PID: 6832	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: gmerYar.exe PID: 6832	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: gmerYar.exe PID: 6832	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe7d8:$a1: get_encryptedPassword 0xeaf1:$a2: get_encryptedUsername 0xe587:$a3: get_timePasswordChanged 0xe6a8:$a4: get_passwordField 0xe7ee:$a5: set_encryptedPassword 0x100f1:$a7: get_logins 0xfda2:$a8: GetOutlookPasswords 0xfb94:$a9: StartKeylogger 0x10041:$a10: KeyLoggerEventArgs 0xfbf1:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: gmerYar.exe PID: 6636	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: gmerYar.exe PID: 6636	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.70d0000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.70d0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.Salary Payment Information Discrepancy_pdf.pif.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.Salary Payment Information Discrepancy_pdf.pif.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.Salary Payment Information Discrepancy_pdf.pif.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
9.2.gmerYar.exe.390e698.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.gmerYar.exe.390e698.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.gmerYar.exe.390e698.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.gmerYar.exe.390e698.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
9.2.gmerYar.exe.390e698.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x139b7:$a4: \Orbitum\User Data\Default\Login Data 0x147af:$a5: \Kometa\User Data\Default\Login Data
9.2.gmerYar.exe.390e698.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.gmerYar.exe.390e698.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.gmerYar.exe.390e698.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.gmerYar.exe.390e698.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
9.2.gmerYar.exe.390e698.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bb7:$a4: \Orbitum\User Data\Default\Login Data 0x129af:$a5: \Kometa\User Data\Default\Login Data
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bb7:$a4: \Orbitum\User Data\Default\Login Data 0x129af:$a5: \Kometa\User Data\Default\Login Data
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bb7:$a4: \Orbitum\User Data\Default\Login Data 0x129af:$a5: \Kometa\User Data\Default\Login Data
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x139b7:$a4: \Orbitum\User Data\Default\Login Data 0x147af:$a5: \Kometa\User Data\Default\Login Data
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
Click to see the 29 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gmerYar.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gmerYar.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe", ParentImage: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe, ParentProcessId: 1908, ParentProcessName: Salary Payment Information Discrepancy_pdf.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gmerYar.exe", ProcessId: 4196, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpD034.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpD034.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\gmerYar.exe, ParentImage: C:\Users\user\AppData\Roaming\gmerYar.exe, ParentProcessId: 6832, ParentProcessName: gmerYar.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpD034.tmp", ProcessId: 3060, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpC24A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpC24A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe", ParentImage: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe, ParentProcessId: 1908, ParentProcessName: Salary Payment Information Discrepancy_pdf.pif.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpC24A.tmp", ProcessId: 3520, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gmerYar.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gmerYar.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe", ParentImage: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe, ParentProcessId: 1908, ParentProcessName: Salary Payment Information Discrepancy_pdf.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gmerYar.exe", ProcessId: 4196, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpC24A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpC24A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe", ParentImage: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe, ParentProcessId: 1908, ParentProcessName: Salary Payment Information Discrepancy_pdf.pif.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpC24A.tmp", ProcessId: 3520, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T15:08:49.031927+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49713	193.122.130.0	80	TCP
2025-01-10T15:08:52.094428+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49718	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "serverche399@gpsamsterdamqroup.com", "Password": " j4YX(KT7UCZ1 ", "Server": "fiber13.dnsiaas.com", "To": "almightstephen@gmail.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\gmerYar.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Virustotal: Detection: 44%			Perma Link

Multi AV Scanner detection for submitted file

Source: Salary Payment Information Discrepancy_pdf.pif.exe	Virustotal: Detection: 44%			Perma Link
Source: Salary Payment Information Discrepancy_pdf.pif.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\gmerYar.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Salary Payment Information Discrepancy_pdf.pif.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Salary Payment Information Discrepancy_pdf.pif.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.6:49714 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.6:49719 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.6:49719 version: TLS 1.0

Source: Salary Payment Information Discrepancy_pdf.pif.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 4x nop then jmp 00B19731h	7_2_00B19480
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 4x nop then jmp 00B19E5Ah	7_2_00B19A40
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 4x nop then jmp 00B19E5Ah	7_2_00B19A30
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 4x nop then jmp 00B19E5Ah	7_2_00B19D87
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 00E99731h	12_2_00E99480
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 00E99E5Ah	12_2_00E99A40
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 00E99E5Ah	12_2_00E99A30
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 00E99E5Ah	12_2_00E99D87
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 05045E15h	12_2_05045AD8
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 050447C9h	12_2_05044520
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 05048830h	12_2_05048588
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 050476D0h	12_2_05047428
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 0504F700h	12_2_0504F458
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 0504E9F8h	12_2_0504E750
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 05045929h	12_2_05045680
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 050483D8h	12_2_05048130
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 05047278h	12_2_050471B7
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 0504F2A8h	12_2_0504F000
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 050454D1h	12_2_05045228
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 0504E5A0h	12_2_0504E2F8
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 05045079h	12_2_05044DD0
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 05047F80h	12_2_05047CD8
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 05044C21h	12_2_05044978
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 05047B28h	12_2_05047880
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 0504FB58h	12_2_0504F8B0
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 4x nop then jmp 0504EE50h	12_2_0504EBA8

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49713 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49718 -> 193.122.130.0:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.6:49714 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.6:49719 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.6:49719 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000292F000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000292F000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000292F000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000292F000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3362240133.0000000000413000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000292F000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: Salary Payment Information Discrepancy_pdf.pif.exe, gmerYar.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Salary Payment Information Discrepancy_pdf.pif.exe, gmerYar.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Salary Payment Information Discrepancy_pdf.pif.exe, gmerYar.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000294B000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000294B000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2159484652.0000000002DBA000.00000004.00000800.00020000.00000000.sdmp, Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 00000009.00000002.2189932129.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3362240133.0000000000413000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000292F000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000292F000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3362240133.0000000000413000.00000040.00000400.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000292F000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000292F000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: Salary Payment Information Discrepancy_pdf.pif.exe, gmerYar.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.Salary Payment Information Discrepancy_pdf.pif.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.gmerYar.exe.390e698.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.gmerYar.exe.390e698.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.gmerYar.exe.390e698.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.gmerYar.exe.390e698.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.3362234261.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 1908, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 5980, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: gmerYar.exe PID: 6832, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Salary Payment Information Discrepancy_pdf.pif.exe
Source: initial sample	Static PE information: Filename: Salary Payment Information Discrepancy_pdf.pif.exe

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_0530AAC4	0_2_0530AAC4
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_0530C110	0_2_0530C110
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_053060B7	0_2_053060B7
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_0530608F	0_2_0530608F
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_053060C8	0_2_053060C8
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_072C5E60	0_2_072C5E60
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_072C2D70	0_2_072C2D70
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_072CD700	0_2_072CD700
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_072CF658	0_2_072CF658
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_072CF220	0_2_072CF220
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_072C5248	0_2_072C5248
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_072C5298	0_2_072C5298
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_072CDF6F	0_2_072CDF6F
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_072C5E50	0_2_072C5E50
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_072C2D63	0_2_072C2D63
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_072CDB38	0_2_072CDB38
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_072C2A88	0_2_072C2A88
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_072C2A87	0_2_072C2A87
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 7_2_00B1C530	7_2_00B1C530
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 7_2_00B127B9	7_2_00B127B9
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 7_2_00B12DD1	7_2_00B12DD1
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 7_2_00B19480	7_2_00B19480
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 7_2_00B1C521	7_2_00B1C521
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 7_2_00B1946F	7_2_00B1946F
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 9_2_06A25E60	9_2_06A25E60
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 9_2_06A22D70	9_2_06A22D70
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 9_2_06A2F658	9_2_06A2F658
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 9_2_06A2D700	9_2_06A2D700
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 9_2_06A2651D	9_2_06A2651D
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 9_2_06A252A8	9_2_06A252A8
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 9_2_06A2F220	9_2_06A2F220
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 9_2_06A25E50	9_2_06A25E50
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 9_2_06A2DF6F	9_2_06A2DF6F
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 9_2_06A22D62	9_2_06A22D62
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 9_2_06A22A88	9_2_06A22A88
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 9_2_06A22A78	9_2_06A22A78
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 9_2_06A2DB38	9_2_06A2DB38
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_00E9C530	12_2_00E9C530
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_00E99480	12_2_00E99480
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_00E9C521	12_2_00E9C521
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_00E92DD1	12_2_00E92DD1
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_00E9946F	12_2_00E9946F
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05046138	12_2_05046138
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_050413A8	12_2_050413A8
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_0504BC50	12_2_0504BC50
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_0504AE78	12_2_0504AE78
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_050489E0	12_2_050489E0
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05040AB8	12_2_05040AB8
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05045AD8	12_2_05045AD8
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_0504450F	12_2_0504450F
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05044520	12_2_05044520
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05048579	12_2_05048579
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05048588	12_2_05048588
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05046F21	12_2_05046F21
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05047418	12_2_05047418
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05047428	12_2_05047428
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_0504F448	12_2_0504F448
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_0504F458	12_2_0504F458
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_0504E740	12_2_0504E740
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_0504E750	12_2_0504E750
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_0504566F	12_2_0504566F
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05045680	12_2_05045680
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05048120	12_2_05048120
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05046136	12_2_05046136
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05048130	12_2_05048130
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_0504E170	12_2_0504E170
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_0504F000	12_2_0504F000
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05040320	12_2_05040320
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05040330	12_2_05040330
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_0504521A	12_2_0504521A
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05045228	12_2_05045228
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_0504E2F8	12_2_0504E2F8
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05044DC0	12_2_05044DC0
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05044DD0	12_2_05044DD0
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05047CC8	12_2_05047CC8
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05040CD8	12_2_05040CD8
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05047CD8	12_2_05047CD8
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05046FCD	12_2_05046FCD
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05046FD0	12_2_05046FD0
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_0504EFF0	12_2_0504EFF0
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05044969	12_2_05044969
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05044978	12_2_05044978
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_050489D0	12_2_050489D0
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05047871	12_2_05047871
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05047880	12_2_05047880
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_0504F8A1	12_2_0504F8A1
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_0504F8B0	12_2_0504F8B0
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_0504EB98	12_2_0504EB98
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_0504EBA8	12_2_0504EBA8
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 12_2_05045ACA	12_2_05045ACA

Source: Salary Payment Information Discrepancy_pdf.pif.exe

Static PE information: invalid certificate

Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2159484652.0000000002DBA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Salary Payment Information Discrepancy_pdf.pif.exe
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2162785219.00000000078F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Salary Payment Information Discrepancy_pdf.pif.exe
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000000.2116549706.00000000008A2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelzcs.exe@ vs Salary Payment Information Discrepancy_pdf.pif.exe
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Salary Payment Information Discrepancy_pdf.pif.exe
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Salary Payment Information Discrepancy_pdf.pif.exe
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Salary Payment Information Discrepancy_pdf.pif.exe
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2156561309.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Salary Payment Information Discrepancy_pdf.pif.exe
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2162314507.000000000713B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Salary Payment Information Discrepancy_pdf.pif.exe
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2162161385.00000000070D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Salary Payment Information Discrepancy_pdf.pif.exe
Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3362570674.00000000008F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Salary Payment Information Discrepancy_pdf.pif.exe
Source: Salary Payment Information Discrepancy_pdf.pif.exe	Binary or memory string: OriginalFilenamelzcs.exe@ vs Salary Payment Information Discrepancy_pdf.pif.exe

Source: Salary Payment Information Discrepancy_pdf.pif.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7.2.Salary Payment Information Discrepancy_pdf.pif.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.gmerYar.exe.390e698.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.gmerYar.exe.390e698.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.gmerYar.exe.390e698.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.gmerYar.exe.390e698.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.3362234261.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 1908, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 5980, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: gmerYar.exe PID: 6832, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Salary Payment Information Discrepancy_pdf.pif.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gmerYar.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@16/11@2/2

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe

File created: C:\Users\user\AppData\Roaming\gmerYar.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5728:120:WilError_03
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_03
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Mutant created: \Sessions\1\BaseNamedObjects\mXcKvDdxRqtDqEx

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe

File created: C:\Users\user\AppData\Local\Temp\tmpC24A.tmp

Jump to behavior

Source: Salary Payment Information Discrepancy_pdf.pif.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Salary Payment Information Discrepancy_pdf.pif.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000298F000.00000004.00000800.00020000.00000000.sdmp, Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000299F000.00000004.00000800.00020000.00000000.sdmp, Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3366244618.00000000038DD000.00000004.00000800.00020000.00000000.sdmp, Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.00000000029AD000.00000004.00000800.00020000.00000000.sdmp, Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.00000000029CE000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002B51000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Salary Payment Information Discrepancy_pdf.pif.exe	Virustotal: Detection: 44%
Source: Salary Payment Information Discrepancy_pdf.pif.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe

File read: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe "C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe"
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gmerYar.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpC24A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process created: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe "C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\gmerYar.exe C:\Users\user\AppData\Roaming\gmerYar.exe
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpD034.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process created: C:\Users\user\AppData\Roaming\gmerYar.exe "C:\Users\user\AppData\Roaming\gmerYar.exe"
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gmerYar.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpC24A.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process created: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe "C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpD034.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process created: C:\Users\user\AppData\Roaming\gmerYar.exe "C:\Users\user\AppData\Roaming\gmerYar.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Salary Payment Information Discrepancy_pdf.pif.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Salary Payment Information Discrepancy_pdf.pif.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Code function: 0_2_072C63A9 push 7407105Eh; ret		0_2_072C63B5
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Code function: 9_2_06A263A9 push 74052B5Eh; ret		9_2_06A263B5

Source: Salary Payment Information Discrepancy_pdf.pif.exe	Static PE information: section name: .text entropy: 7.636318446215792
Source: gmerYar.exe.0.dr	Static PE information: section name: .text entropy: 7.636318446215792

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe

File created: C:\Users\user\AppData\Roaming\gmerYar.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpC24A.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 1908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gmerYar.exe PID: 6832, type: MEMORYSTR

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Memory allocated: 1140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Memory allocated: 2B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Memory allocated: 7AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Memory allocated: 8AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Memory allocated: 8C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Memory allocated: 9C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Memory allocated: B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Memory allocated: 28B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Memory allocated: 27C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Memory allocated: BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Memory allocated: 26F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Memory allocated: 2500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Memory allocated: 7060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Memory allocated: 8060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Memory allocated: 8200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Memory allocated: 9200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Memory allocated: E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Memory allocated: 2A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Memory allocated: 2960000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6362			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3361			Jump to behavior

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe TID: 800	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6496	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe TID: 6140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3363351314.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3362779026.0000000000C69000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\gmerYar.exe

Code function: 12_2_05040AB8 LdrInitializeThunk,LdrInitializeThunk,

12_2_05040AB8

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gmerYar.exe"
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gmerYar.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gmerYar.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpC24A.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Process created: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe "C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpD034.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Process created: C:\Users\user\AppData\Roaming\gmerYar.exe "C:\Users\user\AppData\Roaming\gmerYar.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Queries volume information: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Queries volume information: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Queries volume information: C:\Users\user\AppData\Roaming\gmerYar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Queries volume information: C:\Users\user\AppData\Roaming\gmerYar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 7.2.Salary Payment Information Discrepancy_pdf.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.gmerYar.exe.390e698.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.gmerYar.exe.390e698.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3362234261.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 1908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 5980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gmerYar.exe PID: 6832, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.70d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.70d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2162161385.00000000070D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 9.2.gmerYar.exe.390e698.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.gmerYar.exe.390e698.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 1908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gmerYar.exe PID: 6832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gmerYar.exe PID: 6636, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\gmerYar.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gmerYar.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 7.2.Salary Payment Information Discrepancy_pdf.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.gmerYar.exe.390e698.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.gmerYar.exe.390e698.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3364853839.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3364967117.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 1908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 5980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gmerYar.exe PID: 6832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gmerYar.exe PID: 6636, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 7.2.Salary Payment Information Discrepancy_pdf.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.gmerYar.exe.390e698.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.gmerYar.exe.390e698.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3362234261.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 1908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 5980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gmerYar.exe PID: 6832, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.70d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.70d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2162161385.00000000070D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 9.2.gmerYar.exe.390e698.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.gmerYar.exe.390e698.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3f3d458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Salary Payment Information Discrepancy_pdf.pif.exe.3de2530.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Salary Payment Information Discrepancy_pdf.pif.exe PID: 1908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gmerYar.exe PID: 6832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gmerYar.exe PID: 6636, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	13 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Salary Payment Information Discrepancy_pdf.pif.exe	44%	Virustotal		Browse
Salary Payment Information Discrepancy_pdf.pif.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
Salary Payment Information Discrepancy_pdf.pif.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\gmerYar.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\gmerYar.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Roaming\gmerYar.exe	44%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.48.1	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000292F000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000292F000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3362240133.0000000000413000.00000040.00000400.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000294B000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000292F000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000294B000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000292F000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000292F000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000292F000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000292F000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000292F000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2159484652.0000000002DBA000.00000004.00000800.00020000.00000000.sdmp, Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 00000009.00000002.2189932129.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	Salary Payment Information Discrepancy_pdf.pif.exe, gmerYar.exe.0.dr	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3362240133.0000000000413000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, Salary Payment Information Discrepancy_pdf.pif.exe, 00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, Salary Payment Information Discrepancy_pdf.pif.exe, 00000007.00000002.3364853839.000000000292F000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3362240133.0000000000413000.00000040.00000400.00020000.00000000.sdmp, gmerYar.exe, 0000000C.00000002.3364967117.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587581
Start date and time:	2025-01-10 15:07:55 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Salary Payment Information Discrepancy_pdf.pif.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@16/11@2/2
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 98% Number of executed functions: 132 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Salary Payment Information Discrepancy_pdf.pif.exe, PID 5980 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:08:46	API Interceptor	1x Sleep call for process: Salary Payment Information Discrepancy_pdf.pif.exe modified
09:08:47	API Interceptor	12x Sleep call for process: powershell.exe modified
09:08:49	API Interceptor	1x Sleep call for process: gmerYar.exe modified
15:08:48	Task Scheduler	Run new task: gmerYar path: C:\Users\user\AppData\Roaming\gmerYar.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
104.21.48.1	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
193.122.130.0	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	SOA NOV. Gateway Freight_MEDWA0577842.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	SOA NOV. Gateway Freight_MEDWA0577842.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
reallyfreegeoip.org	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	SOA NOV. Gateway Freight_MEDWA0577842.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	http://www.lpb.gov.lr	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.17.25.14
	https://samantacatering.com/	Get hash	malicious	Unknown	Browse	104.21.83.97
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGN	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www.filemail.com/d/rxythqchkhluipl?skipreg=true	Get hash	malicious	Unknown	Browse	104.17.24.14
	random.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.79.9
	http://arpaeq.ca	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://eu.jotform.com/app/250092704521347	Get hash	malicious	Unknown	Browse	104.22.72.81
	https://eu.jotform.com/app/250092704521347	Get hash	malicious	Unknown	Browse	104.22.72.81
ORACLE-BMC-31898US	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	SOA NOV. Gateway Freight_MEDWA0577842.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	SOA NOV. Gateway Freight_MEDWA0577842.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1

Process:	C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gmerYar.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\gmerYar.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.3810236212315665
Encrypted:	false
SSDEEP:	48:lylWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//MPUyus:lGLHxv2IfLZ2KRH6Ougss
MD5:	9C9009E37BE7F14D3C2D8B84965A1A0D
SHA1:	8D870B8274AF618336656EFDC210114CE425EB74
SHA-256:	94F8C1B353B445EA4153F253F4106B3487ADC3671D1461E73FCC1D05D1994107
SHA-512:	2DCC2F9F2B1896A472250731DEE17B0846D872F37ED4AE60253784D7410341766D62FDC5482150288D496B2DF5724BE9090E06C48B12917AAEB6B22C8C7C3230
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5v2xlns2.gtq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_caxzab3i.ws0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eiazdzge.hgl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k00vqra4.yfx.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpC24A.tmp

Download File

Process:	C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1594
Entropy (8bit):	5.0871511993713785
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLnPxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTNv
MD5:	2C13988DF1148CD5D6E7BFA4DC283894
SHA1:	BCF2A7BAFFB9AA1CFD3D78C0D7E713152907A9A1
SHA-256:	170DA34063968D5BD5DD9AC683C36C935377E1890F9C17A6ECCF0F8599F3F465
SHA-512:	882ADBF7AE614EC715B52B188260ED2E17BD2E5ECA8F836FEE8BE9BC67504E56EC1F5B39670DBE852BE623BC661BBC2872633F1ACC932C95710755197DEB47AD
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmpD034.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\gmerYar.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1594
Entropy (8bit):	5.0871511993713785
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLnPxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTNv
MD5:	2C13988DF1148CD5D6E7BFA4DC283894
SHA1:	BCF2A7BAFFB9AA1CFD3D78C0D7E713152907A9A1
SHA-256:	170DA34063968D5BD5DD9AC683C36C935377E1890F9C17A6ECCF0F8599F3F465
SHA-512:	882ADBF7AE614EC715B52B188260ED2E17BD2E5ECA8F836FEE8BE9BC67504E56EC1F5B39670DBE852BE623BC661BBC2872633F1ACC932C95710755197DEB47AD
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Roaming\gmerYar.exe

Download File

Process:	C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	605704
Entropy (8bit):	7.63977805405386
Encrypted:	false
SSDEEP:	12288:kugT8/720mXkfzEoYrvyRD5JzaNwl9R9q4bNplTnF7EERVllt2tQukR:kugT8S0ck7EoUve5Jzl9RsoNplTnFYEz
MD5:	8E04274721445F168376690CE4D0A7D9
SHA1:	F3009E4994A5316EBBD5B711CEADE454F389BCB1
SHA-256:	9604EE9C0CF521A022D9726B2E1DD82E6B3813D2ADE567430B39A2FD9545063B
SHA-512:	F5DE33AA7A628BF559AC0501D165BA52CBB9B9783164A7A01F09321695E12B9B867DC389ACDB0E40BFA8C7E767C82CD73E5034AAB8FBA8F571248C3BB7465E9A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66% Antivirus: Virustotal, Detection: 44%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e(.g..............0................. ........@.. .......................`............`.................................l...O.......\|'...............6...@....................................................... ............... ..H............text........ ...................... ..`.rsrc...\|'.......(..................@..@.reloc.......@......................@..B........................H........C...:......%...D~..(\|.............................................}......}.....(........}......o.......0............{........+....0............{........+....0..9.........(.........,.r...ps....z.{....o ...o!....o"...t.....+......0..9.........(.........,.r...ps....z.{....o#...o!....o"...t.....+......0..C.........($...u...........,...+(.o%...u.............,...+..o$...u.....+....0..+.........(......,.r+..ps....z..}.....(!....o&......0..8.........{.........,...+$.{

C:\Users\user\AppData\Roaming\gmerYar.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.63977805405386
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Salary Payment Information Discrepancy_pdf.pif.exe
File size:	605'704 bytes
MD5:	8e04274721445f168376690ce4d0a7d9
SHA1:	f3009e4994a5316ebbd5b711ceade454f389bcb1
SHA256:	9604ee9c0cf521a022d9726b2e1dd82e6b3813d2ade567430b39a2fd9545063b
SHA512:	f5de33aa7a628bf559ac0501d165ba52cbb9b9783164a7a01f09321695e12b9b867dc389acdb0e40bfa8c7e767c82cd73e5034aab8fba8f571248c3bb7465e9a
SSDEEP:	12288:kugT8/720mXkfzEoYrvyRD5JzaNwl9R9q4bNplTnF7EERVllt2tQukR:kugT8S0ck7EoUve5Jzl9RsoNplTnFYEz
TLSH:	0DD4F1592669DC03C9A21BB469A1E3FC56744FC8E912C3038AFDBDFF7D382917858291
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e(.g..............0......*........... ........@.. .......................`............`................................

File Icon


Icon Hash:	33362c2d36335470

Static PE Info

General

Entrypoint:	0x48fabe
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x677F2865 [Thu Jan 9 01:37:41 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8fa6c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x90000	0x277c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x90800	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x94000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8dac4	0x8dc00	64043c0fa705600d61cd73601e0edc40	False	0.8894607032627866	data	7.636318446215792	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x90000	0x277c	0x2800	d3f5f11540dc16c55342af493af98d0e	False	0.87900390625	data	7.595500962257975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x94000	0xc	0x200	a27a37e6a237faa11e40bbe5d76c1993	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x900c8	0x2356	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9427371213796153
RT_GROUP_ICON	0x92430	0x14	data	1.05
RT_VERSION	0x92454	0x324	data	0.43407960199004975

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T15:08:49.031927+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49713	193.122.130.0	80	TCP
2025-01-10T15:08:52.094428+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49718	193.122.130.0	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:08:48.075768948 CET	49713	80	192.168.2.6	193.122.130.0
Jan 10, 2025 15:08:48.080627918 CET	80	49713	193.122.130.0	192.168.2.6
Jan 10, 2025 15:08:48.080701113 CET	49713	80	192.168.2.6	193.122.130.0
Jan 10, 2025 15:08:48.080928087 CET	49713	80	192.168.2.6	193.122.130.0
Jan 10, 2025 15:08:48.085702896 CET	80	49713	193.122.130.0	192.168.2.6
Jan 10, 2025 15:08:48.852408886 CET	80	49713	193.122.130.0	192.168.2.6
Jan 10, 2025 15:08:48.863393068 CET	49713	80	192.168.2.6	193.122.130.0
Jan 10, 2025 15:08:48.868235111 CET	80	49713	193.122.130.0	192.168.2.6
Jan 10, 2025 15:08:48.980582952 CET	80	49713	193.122.130.0	192.168.2.6
Jan 10, 2025 15:08:48.989938974 CET	49714	443	192.168.2.6	104.21.48.1
Jan 10, 2025 15:08:48.989989042 CET	443	49714	104.21.48.1	192.168.2.6
Jan 10, 2025 15:08:48.990396976 CET	49714	443	192.168.2.6	104.21.48.1
Jan 10, 2025 15:08:48.998970032 CET	49714	443	192.168.2.6	104.21.48.1
Jan 10, 2025 15:08:48.998994112 CET	443	49714	104.21.48.1	192.168.2.6
Jan 10, 2025 15:08:49.031927109 CET	49713	80	192.168.2.6	193.122.130.0
Jan 10, 2025 15:08:49.465286016 CET	443	49714	104.21.48.1	192.168.2.6
Jan 10, 2025 15:08:49.465459108 CET	49714	443	192.168.2.6	104.21.48.1
Jan 10, 2025 15:08:49.470865965 CET	49714	443	192.168.2.6	104.21.48.1
Jan 10, 2025 15:08:49.470880032 CET	443	49714	104.21.48.1	192.168.2.6
Jan 10, 2025 15:08:49.471288919 CET	443	49714	104.21.48.1	192.168.2.6
Jan 10, 2025 15:08:49.518819094 CET	49714	443	192.168.2.6	104.21.48.1
Jan 10, 2025 15:08:49.558192015 CET	49714	443	192.168.2.6	104.21.48.1
Jan 10, 2025 15:08:49.599333048 CET	443	49714	104.21.48.1	192.168.2.6
Jan 10, 2025 15:08:49.683680058 CET	443	49714	104.21.48.1	192.168.2.6
Jan 10, 2025 15:08:49.683859110 CET	443	49714	104.21.48.1	192.168.2.6
Jan 10, 2025 15:08:49.683994055 CET	49714	443	192.168.2.6	104.21.48.1
Jan 10, 2025 15:08:49.690120935 CET	49714	443	192.168.2.6	104.21.48.1
Jan 10, 2025 15:08:51.483236074 CET	49718	80	192.168.2.6	193.122.130.0
Jan 10, 2025 15:08:51.488116980 CET	80	49718	193.122.130.0	192.168.2.6
Jan 10, 2025 15:08:51.488205910 CET	49718	80	192.168.2.6	193.122.130.0
Jan 10, 2025 15:08:51.488424063 CET	49718	80	192.168.2.6	193.122.130.0
Jan 10, 2025 15:08:51.493341923 CET	80	49718	193.122.130.0	192.168.2.6
Jan 10, 2025 15:08:51.943603039 CET	80	49718	193.122.130.0	192.168.2.6
Jan 10, 2025 15:08:51.947137117 CET	49718	80	192.168.2.6	193.122.130.0
Jan 10, 2025 15:08:51.952014923 CET	80	49718	193.122.130.0	192.168.2.6
Jan 10, 2025 15:08:52.047543049 CET	80	49718	193.122.130.0	192.168.2.6
Jan 10, 2025 15:08:52.049271107 CET	49719	443	192.168.2.6	104.21.48.1
Jan 10, 2025 15:08:52.049304008 CET	443	49719	104.21.48.1	192.168.2.6
Jan 10, 2025 15:08:52.049371004 CET	49719	443	192.168.2.6	104.21.48.1
Jan 10, 2025 15:08:52.053529978 CET	49719	443	192.168.2.6	104.21.48.1
Jan 10, 2025 15:08:52.053548098 CET	443	49719	104.21.48.1	192.168.2.6
Jan 10, 2025 15:08:52.094428062 CET	49718	80	192.168.2.6	193.122.130.0
Jan 10, 2025 15:08:52.508259058 CET	443	49719	104.21.48.1	192.168.2.6
Jan 10, 2025 15:08:52.508332968 CET	49719	443	192.168.2.6	104.21.48.1
Jan 10, 2025 15:08:52.509744883 CET	49719	443	192.168.2.6	104.21.48.1
Jan 10, 2025 15:08:52.509757042 CET	443	49719	104.21.48.1	192.168.2.6
Jan 10, 2025 15:08:52.510046005 CET	443	49719	104.21.48.1	192.168.2.6
Jan 10, 2025 15:08:52.563155890 CET	49719	443	192.168.2.6	104.21.48.1
Jan 10, 2025 15:08:52.566035986 CET	49719	443	192.168.2.6	104.21.48.1
Jan 10, 2025 15:08:52.607351065 CET	443	49719	104.21.48.1	192.168.2.6
Jan 10, 2025 15:08:52.678692102 CET	443	49719	104.21.48.1	192.168.2.6
Jan 10, 2025 15:08:52.678767920 CET	443	49719	104.21.48.1	192.168.2.6
Jan 10, 2025 15:08:52.678839922 CET	49719	443	192.168.2.6	104.21.48.1
Jan 10, 2025 15:08:52.688196898 CET	49719	443	192.168.2.6	104.21.48.1
Jan 10, 2025 15:09:53.982311010 CET	80	49713	193.122.130.0	192.168.2.6
Jan 10, 2025 15:09:53.982518911 CET	49713	80	192.168.2.6	193.122.130.0
Jan 10, 2025 15:09:57.047436953 CET	80	49718	193.122.130.0	192.168.2.6
Jan 10, 2025 15:09:57.047621965 CET	49718	80	192.168.2.6	193.122.130.0
Jan 10, 2025 15:10:28.985780954 CET	49713	80	192.168.2.6	193.122.130.0
Jan 10, 2025 15:10:28.990607977 CET	80	49713	193.122.130.0	192.168.2.6
Jan 10, 2025 15:10:32.063875914 CET	49718	80	192.168.2.6	193.122.130.0
Jan 10, 2025 15:10:32.068898916 CET	80	49718	193.122.130.0	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:08:48.051980972 CET	57407	53	192.168.2.6	1.1.1.1
Jan 10, 2025 15:08:48.058897018 CET	53	57407	1.1.1.1	192.168.2.6
Jan 10, 2025 15:08:48.982184887 CET	50283	53	192.168.2.6	1.1.1.1
Jan 10, 2025 15:08:48.989250898 CET	53	50283	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 15:08:48.051980972 CET	192.168.2.6	1.1.1.1	0x38b2	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:08:48.982184887 CET	192.168.2.6	1.1.1.1	0x83eb	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 15:08:48.058897018 CET	1.1.1.1	192.168.2.6	0x38b2	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 15:08:48.058897018 CET	1.1.1.1	192.168.2.6	0x38b2	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:08:48.058897018 CET	1.1.1.1	192.168.2.6	0x38b2	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:08:48.058897018 CET	1.1.1.1	192.168.2.6	0x38b2	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:08:48.058897018 CET	1.1.1.1	192.168.2.6	0x38b2	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:08:48.058897018 CET	1.1.1.1	192.168.2.6	0x38b2	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:08:48.989250898 CET	1.1.1.1	192.168.2.6	0x83eb	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:08:48.989250898 CET	1.1.1.1	192.168.2.6	0x83eb	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:08:48.989250898 CET	1.1.1.1	192.168.2.6	0x83eb	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:08:48.989250898 CET	1.1.1.1	192.168.2.6	0x83eb	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:08:48.989250898 CET	1.1.1.1	192.168.2.6	0x83eb	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:08:48.989250898 CET	1.1.1.1	192.168.2.6	0x83eb	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:08:48.989250898 CET	1.1.1.1	192.168.2.6	0x83eb	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49713	193.122.130.0	80	5980	C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:08:48.080928087 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 15:08:48.852408886 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:08:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4107e179186839ae9a0fe3c2c40f3fae Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 15:08:48.863393068 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 15:08:48.980582952 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:08:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1bcd56e322041bfd0112f9e562f9d91f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49718	193.122.130.0	80	6636	C:\Users\user\AppData\Roaming\gmerYar.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:08:51.488424063 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 15:08:51.943603039 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:08:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fa513af50b72e40fd1b2779bf29f3ef5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 15:08:51.947137117 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 15:08:52.047543049 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:08:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ba6104e3f80335590bdf904970306cff Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49714	104.21.48.1	443	5980	C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:08:49 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 14:08:49 UTC	863	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:08:49 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832918 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=THb6Ija80BMFtOwJ7ax1gdYCj%2F7IrIzQeRL9M4X3nDIbRghuDH%2BmeUnp%2Fdj%2FvY4ys0D%2FhkSBLhoWgr0RgTQxEppH7ruDWt2eRkII%2BBmNGQWsXJhf1WNJTshqMNOawskDArap7%2Fj6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd3dc618228c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1767&min_rtt=1763&rtt_var=671&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1620421&cwnd=238&unsent_bytes=0&cid=418f1f1b1a9b3e6f&ts=234&x=0"
2025-01-10 14:08:49 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49719	104.21.48.1	443	6636	C:\Users\user\AppData\Roaming\gmerYar.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:08:52 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 14:08:52 UTC	863	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:08:52 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1832921 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UOmHs0j5ggA7ouKUnKngKC0vh1%2Bm6LiMliH21q9kdtaoSQO%2Bpzs8VdQhWAdaEjVU21X7wJbJPJNATJ7NMsYeP3uIxPQz5%2F7FY3GVTJ8BoWZXS%2BoxRS%2FnbYj%2Byr4oT4iftrBQLm0%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd3dd8ef35c323-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1531&min_rtt=1528&rtt_var=580&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1872995&cwnd=214&unsent_bytes=0&cid=c1f1ca10d4cb8deb&ts=176&x=0"
2025-01-10 14:08:52 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	09:08:45
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe"
Imagebase:	0x8a0000
File size:	605'704 bytes
MD5 hash:	8E04274721445F168376690CE4D0A7D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2160708520.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2162161385.00000000070D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2160708520.0000000003D68000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:08:46
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gmerYar.exe"
Imagebase:	0x970000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:08:46
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:08:46
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpC24A.tmp"
Imagebase:	0xeb0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:08:46
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:08:47
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Salary Payment Information Discrepancy_pdf.pif.exe"
Imagebase:	0x470000
File size:	605'704 bytes
MD5 hash:	8E04274721445F168376690CE4D0A7D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.3362234261.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.3362234261.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3364853839.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	09:08:48
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:08:48
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\gmerYar.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\gmerYar.exe
Imagebase:	0x300000
File size:	605'704 bytes
MD5 hash:	8E04274721445F168376690CE4D0A7D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.2191255107.000000000390E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs Detection: 44%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:08:50
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmerYar" /XML "C:\Users\user\AppData\Local\Temp\tmpD034.tmp"
Imagebase:	0xeb0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:08:50
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:08:50
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\gmerYar.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\gmerYar.exe"
Imagebase:	0x5b0000
File size:	605'704 bytes
MD5 hash:	8E04274721445F168376690CE4D0A7D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.3364967117.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.7%
Total number of Nodes:	110
Total number of Limit Nodes:	9

Executed Functions

Function 072C2D70 Relevance: 2.3, Strings: 1, Instructions: 1029
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\ lw, xrefs: 072C3179

Memory Dump Source

Source File: 00000000.00000002.2162593954.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID: \ lw
API String ID: 0-2684086738
Opcode ID: 7d4c8131b6518b48f8ee6a15536cec9cbf358ef08cef8007b9c206c015b1ee75
Instruction ID: 7efb84ac9c80f35341f2e6993011145d0b81dee96b3b0fce80e39a4a1dffa12a
Opcode Fuzzy Hash: 7d4c8131b6518b48f8ee6a15536cec9cbf358ef08cef8007b9c206c015b1ee75
Instruction Fuzzy Hash: D8B2B075E00629CFDB64CF69C984AD9BBB2BF89304F1581E9D509AB325DB319E81CF40

Function 072C5248 Relevance: 1.5, Strings: 1, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X+, xrefs: 072C544E, 072C54BE

Memory Dump Source

Source File: 00000000.00000002.2162593954.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID: X+
API String ID: 0-3443634675
Opcode ID: 9aa04867471b3734ce8fd3b91ddf58acd4f20b25c5465081c081920746f7d46a
Instruction ID: 428f579bb2643c4a5a2c5ff81b807be4a3c586f773042993d58933c6f50cfb84
Opcode Fuzzy Hash: 9aa04867471b3734ce8fd3b91ddf58acd4f20b25c5465081c081920746f7d46a
Instruction Fuzzy Hash: 04815CB0D25209DFDB14DFAAC4406EEFBB5FF9A300F20822AD419A7251D774A955CF50

Function 0530AAC4 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2161690696.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5300000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6702cab8423d00ef91fdb0d9345db2c6c0371ed79aecdbb37b7e4c39892ab318
Instruction ID: cb161d8fdef7450c2477d26bb3df6f08ed7198a59c0ffdc4b0d8869e32b4ed08
Opcode Fuzzy Hash: 6702cab8423d00ef91fdb0d9345db2c6c0371ed79aecdbb37b7e4c39892ab318
Instruction Fuzzy Hash: E8424B70A003188FDB54DFA9D8A47AEBBF2BF88300F149569D40AAB385DB349D45CB95

Function 0530C110 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2161690696.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5300000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5585b0243d69000f2af437044e5f2f509cabf23643ac18285751d96b09a87ad
Instruction ID: 72486b37e1c9fc13913e8cc71584829c0b667a0e1c801001e17c15ff4fc4c65b
Opcode Fuzzy Hash: f5585b0243d69000f2af437044e5f2f509cabf23643ac18285751d96b09a87ad
Instruction Fuzzy Hash: ABC16B71E003588FCF15CFA5D89479AFBB2BF88310F14A2AAD409AB295DB74D985CF50

Function 072C5E50 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162593954.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0cd1ec5c6903a02ec1649065fe204f881a293dbe3a1765d992924e84e7a075
Instruction ID: 9c51fc412fb3f5448c8a7d41597aed216cccb95d7e1683c899d1454bafaae070
Opcode Fuzzy Hash: ea0cd1ec5c6903a02ec1649065fe204f881a293dbe3a1765d992924e84e7a075
Instruction Fuzzy Hash: D52117B1D156588BEB18CFABC94069EFFF2BF89200F14C1AAC458A7255EB740A46CF50

Function 072C5E60 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162593954.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47f503dd30651385b0083615f19500741af5bd89cd3f9bdb8955cbf26af82e8
Instruction ID: 1051e6b196e98787089b3d8325ed8e62abc9d1289022a3c645b64f0d45ffa9b1
Opcode Fuzzy Hash: c47f503dd30651385b0083615f19500741af5bd89cd3f9bdb8955cbf26af82e8
Instruction Fuzzy Hash: ED21C6B1D14658CBEB18CFABC94069EFBF6BFD9300F14C16AC418A7255EB705A468F50

Function 0114DEA0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0114DF1E
GetCurrentThread.KERNEL32 ref: 0114DF5B
GetCurrentProcess.KERNEL32 ref: 0114DF98
GetCurrentThreadId.KERNEL32 ref: 0114DFF1

Memory Dump Source

Source File: 00000000.00000002.2158791118.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4b32615416e22afa40907cbc1f95946585b636253741818800fc42eeb83bbfb8
Instruction ID: 73ca6412ec5b7abdf5f043490dc0a5d93d7b28c1e22199fd83829ab03a012fad
Opcode Fuzzy Hash: 4b32615416e22afa40907cbc1f95946585b636253741818800fc42eeb83bbfb8
Instruction Fuzzy Hash: 375135B0900749DFEB18CFAAE548BAEBBF1EF88314F208459E519A7350D7346944CB66

Function 0114BC04 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0114BE5E

Memory Dump Source

Source File: 00000000.00000002.2158791118.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3fbb553c6a01ad264abe68a92617acdd3d08abd160407c2a7a241a7fa5ba64fb
Instruction ID: 26773ef27b6e9f22165afef2d229a244d779c30c2a9f79098c2673692d9d23b9
Opcode Fuzzy Hash: 3fbb553c6a01ad264abe68a92617acdd3d08abd160407c2a7a241a7fa5ba64fb
Instruction Fuzzy Hash: 7F814770A00B058FD728DF2AD49475ABBF1FF88704F00892DD596DBA40DB35E845CB95

Function 0114448C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011459C9

Memory Dump Source

Source File: 00000000.00000002.2158791118.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7d9e19b5553b792f38eebe8a4dfb5e9817ecd630afaec29d3ccc12c7dcdbe0e1
Instruction ID: cf498b842334a95a1287c3d94a023de8d4cd2585d60cfacc249c50fd80b27a78
Opcode Fuzzy Hash: 7d9e19b5553b792f38eebe8a4dfb5e9817ecd630afaec29d3ccc12c7dcdbe0e1
Instruction Fuzzy Hash: 8941E370C0071DCBEB28CFA9C884B8EBBB6BF89704F20846AD509AB255D7756945CF91

Function 0114590D Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011459C9

Memory Dump Source

Source File: 00000000.00000002.2158791118.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 85fe3b09d7b3da51a66abe26cd2ac4031560c7e338707516352d85326831b702
Instruction ID: 287f65b233031171e729dc6b836ae5a9380d2c309c02fe58557debdd33a5a96e
Opcode Fuzzy Hash: 85fe3b09d7b3da51a66abe26cd2ac4031560c7e338707516352d85326831b702
Instruction Fuzzy Hash: 3F41E070C0071DCBEB28CFA9C884B8EBBB6BF89704F20846AD409AB255DB756945CF51

Function 0530CAE8 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2161690696.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5300000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: e28a8e85a5b760c5437edf5b2986b581f8061c9c3133a670eea4fc834242f8b6
Instruction ID: 1298650cc3f84ac546f323391e9b8c55a71cbb8c73a433fdf473966b20f4305a
Opcode Fuzzy Hash: e28a8e85a5b760c5437edf5b2986b581f8061c9c3133a670eea4fc834242f8b6
Instruction Fuzzy Hash: 24317872904389EFCB119FA9D840ADABFF8EF49310F14806AEA54A7261C3359950DFA1

Function 072C08A0 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 072C091F

Memory Dump Source

Source File: 00000000.00000002.2162593954.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: d0b2a94496e466022a33a55f45624b1379b5dde0aaa77f03b0a47c49887c3672
Instruction ID: cc613f402ece164f0c83a7d9e908f2c349a03d19571cc74c30596f1211dafbcb
Opcode Fuzzy Hash: d0b2a94496e466022a33a55f45624b1379b5dde0aaa77f03b0a47c49887c3672
Instruction Fuzzy Hash: 1E2198B0A00249DFDB10DF9AD408BAEFFF4EB48720F108009E995AB340C734A904CFA1

Function 0114E4F0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0114E577

Memory Dump Source

Source File: 00000000.00000002.2158791118.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 807cff7a377f84ed672b200ac1c7b7620aae33a4f1c41db655993466e127e6ea
Instruction ID: d82b4e18cc490c3e44d093f280d7c3a4375932843e0ee5143c9676cf87440de0
Opcode Fuzzy Hash: 807cff7a377f84ed672b200ac1c7b7620aae33a4f1c41db655993466e127e6ea
Instruction Fuzzy Hash: 9F21E4B5901248EFDB10CFAAD984ADEFBF8FB48310F14841AE914A7310D378A954CFA5

Function 072C089F Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 072C091F

Memory Dump Source

Source File: 00000000.00000002.2162593954.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: cd7490addeec4843db6313e7ffaa5823323672d676d400aac594570c3db8b00a
Instruction ID: 1c9aa76e327fc372b801ecaaed07a51e0003e35fa93f043c0ad04347101bca19
Opcode Fuzzy Hash: cd7490addeec4843db6313e7ffaa5823323672d676d400aac594570c3db8b00a
Instruction Fuzzy Hash: E92195B4900249DFDB20DF9AD444BEEFBF4EB08710F108009E855AB240C7346A44CFA1

Function 0530AB1C Relevance: 1.6, APIs: 1, Instructions: 56
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0530CB02,?,?,?,?,?), ref: 0530CBA7

Memory Dump Source

Source File: 00000000.00000002.2161690696.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5300000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: b19239fe41744f217a363b149e62e6daecfaef5551be58c99ac0c8ac749f29f1
Instruction ID: 8200f63d447759ac8666264fabb53ada1b3538b780a244447fefa1730d2d6115
Opcode Fuzzy Hash: b19239fe41744f217a363b149e62e6daecfaef5551be58c99ac0c8ac749f29f1
Instruction Fuzzy Hash: 2C1103B580034DDFDB10DFAAD844BDEBBF8EB48320F14841AE915A7250C379A954CFA5

Function 072C0890 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 072C091F

Memory Dump Source

Source File: 00000000.00000002.2162593954.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: ee35a6de9476abb38c65045ebc6c773056bfa365f39dcf018f66ad9f7f08536c
Instruction ID: 9933db80f85c742e7acf1986c402909fb564c7a578a0b6a4deab24a7ef3f95b3
Opcode Fuzzy Hash: ee35a6de9476abb38c65045ebc6c773056bfa365f39dcf018f66ad9f7f08536c
Instruction Fuzzy Hash: 9E11BEF581434ADFDB22CF95C8043EEBFB0FB1A310F14828AD495AB241C7355A05CBA1

Function 072CFE78 Relevance: 1.6, APIs: 1, Instructions: 52
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 072CFEE2

Memory Dump Source

Source File: 00000000.00000002.2162593954.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ba5a7097cc630389cf066ee39352bd143390a631761a9adef4f45affa423548d
Instruction ID: 161fe716cf2ed9b22e37711aa854a407d6d5cd1c452a7a7c6db24d46d33e5270
Opcode Fuzzy Hash: ba5a7097cc630389cf066ee39352bd143390a631761a9adef4f45affa423548d
Instruction Fuzzy Hash: FD1158B2D003898FDB10DFAAD4457DEFBF5AF88724F20881AD519A7240CB399944CF95

Function 072CFE80 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 072CFEE2

Memory Dump Source

Source File: 00000000.00000002.2162593954.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 52ca4a6859b0a84d5d9707de94bb457cb789481ec8068836ed8d33048c71dd41
Instruction ID: ef31a2ed01dce5052f13ee9e0b030d0d4cbd59277cf32308e64ebc6a4f8f6696
Opcode Fuzzy Hash: 52ca4a6859b0a84d5d9707de94bb457cb789481ec8068836ed8d33048c71dd41
Instruction Fuzzy Hash: EE113AB19003498FDB14DFAAC44579FFBF5AF88710F24881AD519A7240CB79A944CFA5

Function 0114BDF8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0114BE5E

Memory Dump Source

Source File: 00000000.00000002.2158791118.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9f13c571b5a258caac006b5c66e588f885ba312e3a4a23e477040506e2feadee
Instruction ID: 65e867f93f772afc353d01a2df9b8950060b2cdf58984d9a3ceebbb7ee04e441
Opcode Fuzzy Hash: 9f13c571b5a258caac006b5c66e588f885ba312e3a4a23e477040506e2feadee
Instruction Fuzzy Hash: D9110FB5C00659CFDB24CFAAC444A9EFBF4AB88610F10842AD529B7210C379A545CFA5

Function 010ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2158513290.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ed000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ade49b5f2d389a43d32e8d4aa3ec3504c70767d2039997fe8abbe7644c96c0e
Instruction ID: d6011d7586dec6cae3c9161eebe7e7d61f1308bf81285aa5db621f969c6ecf57
Opcode Fuzzy Hash: 6ade49b5f2d389a43d32e8d4aa3ec3504c70767d2039997fe8abbe7644c96c0e
Instruction Fuzzy Hash: AD2136B1500204EFDB05DF55D9C4B5ABFE5FB94314F20C1ADE9490B256C736E446CBA2

Function 010FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2158572769.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10fd000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9250fe8b3427e0c9aa04ee917a516f75b5fb6c77f65c65df3546614e6a1c676
Instruction ID: 66d1d5d19a87b0ca680fa101720fd44def6d0add096f691d19bb787394a374e8
Opcode Fuzzy Hash: f9250fe8b3427e0c9aa04ee917a516f75b5fb6c77f65c65df3546614e6a1c676
Instruction Fuzzy Hash: 4721F571604304EFDB15DF64D5C1B16BBA5FB84314F20C5ADEA894B646C33AD447CB61

Function 010FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2158572769.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10fd000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a36b77b829b7510bc948ef3624d0fbd5599fb64cd8ff8d95e2ce4a45e4474b
Instruction ID: ddd9aad46058ee5bcedacd43c5e9458682ff330eaa788d5f7c2de8464c375605
Opcode Fuzzy Hash: 57a36b77b829b7510bc948ef3624d0fbd5599fb64cd8ff8d95e2ce4a45e4474b
Instruction Fuzzy Hash: 80214975504300EFDB81DF94D5C1B26BBA1FB84324F20C5ADDA894B642C33AD446CBA1

Function 010ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2158513290.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ed000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: 55121ab0984cfc0917ab56cf9fed6f5ca349594d3f6384e81275025586d14050
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: 841103B6504280DFCB06CF44D5C4B56BFB1FB94324F24C2A9D8490B257C33AE45ACBA2

Function 010FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2158572769.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10fd000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: 2047cfae2e9ac1ab92fa9f3ec0c6b25570254e1f921827acecc45913e4c2bac9
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: 2E11BE79504240DFCB42CF54C5C0B15FFA1FB84224F24C6AED9494B656C33AD40ACB91

Function 010FD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2158572769.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10fd000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: 5ec6bb3af195e3a25ea1f9868d71825d881e9a56584414454dc942c2b1395a4e
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: 2A11BB75504280DFCB16CF54D5C4B15FFA2FB84314F24C6AEE9494BA56C33AD40ACBA2

Non-executed Functions

Function 072CF220 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

+Y6, xrefs: 072CF27B

Memory Dump Source

Source File: 00000000.00000002.2162593954.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID: +Y6
API String ID: 0-1517896787
Opcode ID: 37ccae029f13c60406bad8d925ae0399e29a3797b7feca7f527c45561b71d974
Instruction ID: 9d14a53f0c3397d1d230e608924b7da9e0d83c3b707d899c767e2396831ff199
Opcode Fuzzy Hash: 37ccae029f13c60406bad8d925ae0399e29a3797b7feca7f527c45561b71d974
Instruction Fuzzy Hash: 60E13DB5E102198FDB24DFA9C5809AEFBF2FF99305F248259D914AB355C730A942CF60

Function 072C5298 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

X+, xrefs: 072C544E, 072C54BE

Memory Dump Source

Source File: 00000000.00000002.2162593954.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID: X+
API String ID: 0-3443634675
Opcode ID: 59ad0520a513f95f78aa04e2549f8a6771db4c2c1083be93fb65ef3fddbc12de
Instruction ID: ef6d1197ea93bd75d2a7188decb641101569c8ee1b5417ab30fc9b873c08b8a3
Opcode Fuzzy Hash: 59ad0520a513f95f78aa04e2549f8a6771db4c2c1083be93fb65ef3fddbc12de
Instruction Fuzzy Hash: C4715CB0D25209CFDB14DFAAC4405EEFBB6FF9A300F20922AD419AB251D770A956CF50

Function 072CDB38 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162593954.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3490def57641d4a20b84841e34367c9670084b993f7d89741e3d3b721e7af1
Instruction ID: 0d1ce53e092b16fe1c15ff6fef5abfb49de30c2817418a77a0a44e6ddc9ad366
Opcode Fuzzy Hash: da3490def57641d4a20b84841e34367c9670084b993f7d89741e3d3b721e7af1
Instruction Fuzzy Hash: 12E12EB4E102598FDB24DFA9C580AAEFBF2FF59305F248169D414A7356D7309942CFA0

Function 072CD700 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162593954.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2e14025a87c66f545ce467d2aae3341e6b95ef0a2dbd578e23894c56190f77
Instruction ID: fd011fcd3f2f230d61be93b8e491150a722b77c1ca0f47ffe4eaab5e1145808a
Opcode Fuzzy Hash: dd2e14025a87c66f545ce467d2aae3341e6b95ef0a2dbd578e23894c56190f77
Instruction Fuzzy Hash: 16E10DB4E102198FDB24DFA9C580AAEFBF2FF59305F248269D414AB355D7349942CF60

Function 072CDF6F Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162593954.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa651d143f0940af13f502366b984eb52703145e368ca1918dfd86c1b240d8f2
Instruction ID: 93d52d417be9d9afb2bffee8355506d9bbece6639c90fe0a28b1740c85148e91
Opcode Fuzzy Hash: fa651d143f0940af13f502366b984eb52703145e368ca1918dfd86c1b240d8f2
Instruction Fuzzy Hash: 9EE1FCB4E102198FDB24DF99C580AAEFBF2FF99305F248259D814AB355D730A941CFA1

Function 072CF658 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162593954.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145b3045fb32177cbdad23b67550b9579473e4af997aa424d65c9e78ca18957
Instruction ID: 91928e99a2e07e30d56168975f86d3fb5bca951b416da3f47f0094ec7ea68095
Opcode Fuzzy Hash: 9145b3045fb32177cbdad23b67550b9579473e4af997aa424d65c9e78ca18957
Instruction Fuzzy Hash: 28E10CB5E102198FDB24DFA9C6809AEFBF2FF59305F248259D814AB355D730A941CFA0

Function 0530608F Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2161690696.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5300000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e44df8285fcad43e258aa05cbe4a07cb6da98be0eedb6a02096d752dbed76fd
Instruction ID: 7559320e03b31c08a15d5dc8211d42f1769dd5af39b2b67d4a654594f4e00bb7
Opcode Fuzzy Hash: 8e44df8285fcad43e258aa05cbe4a07cb6da98be0eedb6a02096d752dbed76fd
Instruction Fuzzy Hash: ABE1083192075ACADB10EB64D9946E9F7B1FFA5200F11C79AE00A3B254EB706AC5CB91

Function 053060B7 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2161690696.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5300000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3507d99c4176f3f51bda808bbc609fe64f359793e71c3383f93938e93c20c56
Instruction ID: 39780a406f5797fe83fb98d6c4aa700fc41d67f38e2c30051b14280f00dc296a
Opcode Fuzzy Hash: a3507d99c4176f3f51bda808bbc609fe64f359793e71c3383f93938e93c20c56
Instruction Fuzzy Hash: 40D1F73192075BCADB10EB64D9946EDF7B1FFA5200F11C79AE14A3B214EB706AC5CB90

Function 053060C8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2161690696.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5300000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ec953732f974ea50680b24e42b9a3aeca72ba661e2aa630b263ea5a7b3555c
Instruction ID: c31a2de925c3a8abde0edbc5785e1069935cf06afbe9515556162cb8147af17f
Opcode Fuzzy Hash: 98ec953732f974ea50680b24e42b9a3aeca72ba661e2aa630b263ea5a7b3555c
Instruction Fuzzy Hash: 65D1E73192075BCADB10EB64D9946E9F7B1FFA5200F11C79AE10A3B214EB706AC5CB90

Function 072C2D63 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162593954.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a33bd8cfd96658cec28f6735dbf4ae47705d1201d08b3786216578d7f16a1aa
Instruction ID: 04c40e3627fee6e9baee5462751c08967d8f35c772f6cb5d2b076a068df143ee
Opcode Fuzzy Hash: 7a33bd8cfd96658cec28f6735dbf4ae47705d1201d08b3786216578d7f16a1aa
Instruction Fuzzy Hash: E6C173B5E006188FDB68DF6AC9446DDBBF2BF89300F14C1A9D409AB325DB305A85CF50

Function 072C2A87 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162593954.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc50df06c35f57bccb188f769ee93a558e7206ed0fd4d11672c0d7eb3526096
Instruction ID: e2e18072ba6ecdc0cf04819c4bd6427d7417341e55ba081ee25040649be9643e
Opcode Fuzzy Hash: ecc50df06c35f57bccb188f769ee93a558e7206ed0fd4d11672c0d7eb3526096
Instruction Fuzzy Hash: 0361FDB1901606CFD758EF7AE851699BBF3FBD8300F14C169D0049B35AEB785905CB50

Function 072C2A88 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162593954.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d5db67886bd42c7faabfe60ac5cad399acf11afe2f453ebeab075a5f264fa5
Instruction ID: 5a0cb779c00bc5057e45f224db458d549248e0564a75d524c652503cc3a627f6
Opcode Fuzzy Hash: 45d5db67886bd42c7faabfe60ac5cad399acf11afe2f453ebeab075a5f264fa5
Instruction Fuzzy Hash: AB61FDB1901606CFD758EF7AE851699BBF3FBD8300F14C169D0049B35AEB785905CB50

Analysis Process: Salary Payment Information Discrepancy_pdf.pif.exePID: 5980, Parent PID: 1908COMMON

Executed Functions

Function 00B1C530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 00B1F910

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: faef57fa2260be107243b3f740c9bd0c116f3121b379c1560686359dae26eb86
Instruction ID: ea143a0bf3cb30e44b4e0cf49d2f90249e31fc1b52b6a44c4f612405a57c40a2
Opcode Fuzzy Hash: faef57fa2260be107243b3f740c9bd0c116f3121b379c1560686359dae26eb86
Instruction Fuzzy Hash: C473E331D1075A8ADB11EF68C844AD9FBB1FF99300F55C6DAE45867221EB70AAC4CF81

Function 00B127B9 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68358776f7a58e8fbc43255c3915f6eb4ee94d7f19991229c12cf3b6a91ab44d
Instruction ID: c00b36d47bffbf1d59e9b9810259eee7a98002af0f12155c8896571ebdc77df6
Opcode Fuzzy Hash: 68358776f7a58e8fbc43255c3915f6eb4ee94d7f19991229c12cf3b6a91ab44d
Instruction Fuzzy Hash: D512C55164CAF04FEB265738657A2D6AFE25A2A3547B8F0CED2C24F34BE65110C387C6

Function 00B19480 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d88a5f74afa7f7b5dd45803a5bf20b45d80f807b9d84feb64a4c509edd6c6d
Instruction ID: f8d235d8f786785704bf64f2b2f0f0e1709ce37046eea595c1daa0d9136bde69
Opcode Fuzzy Hash: d6d88a5f74afa7f7b5dd45803a5bf20b45d80f807b9d84feb64a4c509edd6c6d
Instruction Fuzzy Hash: 37C19F74E01218CFDB14DFA5D994B9DBBB2FB89300F2081AAD809AB365DB355E85CF50

Function 00B12DD1 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2d79b08221bcdf3a25e6f33d66759e6704d478007f9f2ba16f545fb7520d57
Instruction ID: b77e6498f85224bc51ab01620ecae195c0cfc6adcaae3d9c2454a424f1fb9d18
Opcode Fuzzy Hash: cf2d79b08221bcdf3a25e6f33d66759e6704d478007f9f2ba16f545fb7520d57
Instruction Fuzzy Hash: 0791C534B01255DBDB08DB7498687BEBBF3BFC8B00B15856EE507E7288DE3489429791

Function 00B1C521 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d44afd37279b613ff59a1e6dd1f1266a42261660ff72bfae704e9ad635e601e
Instruction ID: 6094623daf8c0eb1ddc40da7413e7f95c0efdc4c26d92aabd7ad17afa663cc4f
Opcode Fuzzy Hash: 5d44afd37279b613ff59a1e6dd1f1266a42261660ff72bfae704e9ad635e601e
Instruction Fuzzy Hash: D0A1F371D006198EDB14DFA9C8847EDFBB2EF99300F54C2AAE45867260EB709AC5CF41

Function 00B19A30 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f8fd04c81545496143c1ae9eab87f223186f53e040b11453acae1c7c3c033da
Instruction ID: 01b05e20b27f4b16edfcfc30c64a0949f101614df35c127f8b9e98fca165f547
Opcode Fuzzy Hash: 3f8fd04c81545496143c1ae9eab87f223186f53e040b11453acae1c7c3c033da
Instruction Fuzzy Hash: E7A1F470D00218CFEB14DFA9D598BDDBBB1FF89304F20826AE409AB291DB759985CF50

Function 00B19A40 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1ddc8e7b3631d0c3d7aabcc19d0799c054a3120e61b0de01e207dc1715963d
Instruction ID: b91713def8e4f79938b9c3a0ff93f3dfbf8728c68a2924cbd38facff9e090e01
Opcode Fuzzy Hash: 4f1ddc8e7b3631d0c3d7aabcc19d0799c054a3120e61b0de01e207dc1715963d
Instruction Fuzzy Hash: E5A1E470D00218CFEB14DFA9D558BDDBBB1FF89304F208269E409A7291DB759985CF54

Function 00B19D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b467da99afa14db0798d55cce35ade3f486c7cf1bb02d0f7e1f6c443c2bc5d25
Instruction ID: 2305221d724452e39eac2f61c4ccc4f7f472eb313bbefa663b2698043c38cf08
Opcode Fuzzy Hash: b467da99afa14db0798d55cce35ade3f486c7cf1bb02d0f7e1f6c443c2bc5d25
Instruction Fuzzy Hash: 4A91E170D00258CFEB14DFA8D898BDDBBB1FF49311F2082A9E409AB291DB759985CF54

Function 00B1946F Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87467bff7a38eccf5cffded47dd74675b7f76a6d6197d7257ebea3d29aea95fb
Instruction ID: 9aff8109d0bfbd68b5faef127d171c9ef200a6a827c3d0c1adc458bf725e97e4
Opcode Fuzzy Hash: 87467bff7a38eccf5cffded47dd74675b7f76a6d6197d7257ebea3d29aea95fb
Instruction Fuzzy Hash: 0C41D275E01248CBEB18DFAAD8546DDBBF2BF88301F24C12AD415AB368EB345946CF50

Function 00B1AF78 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

, xrefs: 00B1B065

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 898b5b59986eb8458fde4195b762ba3ddc2639e4f063219459ab6a6b6990200a
Instruction ID: 7981afdf04e0ee21f32139ab46f146d8ce8ebd73e4d4675cecc7d56b292af143
Opcode Fuzzy Hash: 898b5b59986eb8458fde4195b762ba3ddc2639e4f063219459ab6a6b6990200a
Instruction Fuzzy Hash: C071E431700604DBEF146F78E4686AE36D3EF89360FA48219E926973D0CF359D4187A1

Function 00B1AF77 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

, xrefs: 00B1B015

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 111b0f3fc1d3fb169cec387740b39114930c1f92e2304fb4dab8c8cf27801322
Instruction ID: dd9d8973c234bd1ebaff182d787e17e73f84e116df6402b595bb236d6665e3c2
Opcode Fuzzy Hash: 111b0f3fc1d3fb169cec387740b39114930c1f92e2304fb4dab8c8cf27801322
Instruction Fuzzy Hash: 1851C235B006049BEB146F74E4687AE3BE2EFC9760F548529E526D73C0DF349D418BA1

Function 00B1B5B0 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d852fae6bcefad8b2e67769d6e6931370a9b5ff74751dedef0d5ab618d8aaa
Instruction ID: d5733486949cb8c56388e4b84c68541d32acab67b87e05c62e0c926924b9f217
Opcode Fuzzy Hash: 43d852fae6bcefad8b2e67769d6e6931370a9b5ff74751dedef0d5ab618d8aaa
Instruction Fuzzy Hash: 22B1A231B002048FDB14DB68D491AEEBBF6EF89320F5441A9E505EB3A1DB31DD82CB91

Function 00B119B8 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acfbe8c03f3744a73e01e57c08da20be3564c772c9fd6ce85bac608be1cc991f
Instruction ID: 0af80708f3f6866f1b3c519193dd9f1505c2c0abaed65cb17d2c12ca03c4e94f
Opcode Fuzzy Hash: acfbe8c03f3744a73e01e57c08da20be3564c772c9fd6ce85bac608be1cc991f
Instruction Fuzzy Hash: DDA1D8309486294FDF248B7CA5A53DF7BF3EB59300F60A496D246A7346E63049C787D2

Function 00B1BF80 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce64bad0d1660c290a849a69675a1ab9f9749545915ae529eb9f86771c03f0f
Instruction ID: 0d150015d52e879518a29f71d419207dc0915dcb995549098d1f6c16e097b56a
Opcode Fuzzy Hash: dce64bad0d1660c290a849a69675a1ab9f9749545915ae529eb9f86771c03f0f
Instruction Fuzzy Hash: 6461E272B40205DFCB249AB9D894AEABFF5EBC9320B54857AE519D7340D631DC4287A0

Function 00B10B20 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ecf737ee5691aaef78f534286e4291caac042675cb530c858ec9da7c3c40957
Instruction ID: eba8418a1264b27d14af7b167f2da65734ca8c9114d47c33b0d1ab32cc15c3be
Opcode Fuzzy Hash: 7ecf737ee5691aaef78f534286e4291caac042675cb530c858ec9da7c3c40957
Instruction Fuzzy Hash: 5AA1FA74A0064BCFCB05EFB8E894A9DBBB1FF89300B104669D515AB369EB706D45CF90

Function 00B10B30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de0e94546ac0a3b1a453540716812b7f0f533f52f1dfba50465a19afd8c7f2e
Instruction ID: b0c29420480f5c242e2ae7950b8f4a6790cb86f4169cbfdb7162da6797e53b06
Opcode Fuzzy Hash: 9de0e94546ac0a3b1a453540716812b7f0f533f52f1dfba50465a19afd8c7f2e
Instruction Fuzzy Hash: A7A1DD74A0060BCFCB05EFB8E894ADDBBB1FB89300B104669D515AB369EB706D45CF90

Function 00B13F78 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb7cb2ce992844501538d24c198c881bed5146efbb796c550474e8f5d82e641
Instruction ID: 6af1905a8f5703f9a7bcd9b22ec3764505b50a817e2c090eefd8947636ef3e17
Opcode Fuzzy Hash: bbb7cb2ce992844501538d24c198c881bed5146efbb796c550474e8f5d82e641
Instruction Fuzzy Hash: 7951B374E00248DFDB48DFAAD494ADDBBF2BF89310F248569E815AB364DB749942CF10

Function 00B13168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86521ebaf6e6121b6518b8b39b725946bbfc4324f5e77f042d1b2af97dd04c03
Instruction ID: f36f6b9a7ce79c3214536123a2d0944de487d74d421c59ed7c9d50154c9a28f1
Opcode Fuzzy Hash: 86521ebaf6e6121b6518b8b39b725946bbfc4324f5e77f042d1b2af97dd04c03
Instruction Fuzzy Hash: F141AF74E012089FCB08DFAAD8949DDBBF2BF89300F649569E805BB364EB319941CF14

Function 00B19249 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ae76acd78badb7c0d17567935ef5ba8541a3f2fb0267607aad4788c03965d8
Instruction ID: 187c4528bb68b23514314e0225a2e07863569f9dcdd18e72456fb92ce4108aec
Opcode Fuzzy Hash: b1ae76acd78badb7c0d17567935ef5ba8541a3f2fb0267607aad4788c03965d8
Instruction Fuzzy Hash: E831D87546626ACFD3042F21A5BD17ABFA4EB4F3237046D07E44EC2612DB7829898F30

Function 00B1B869 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ab24eb1a4e87d21749459e2f30dedccae7f1565e6256c2b59c98732137b503
Instruction ID: 917dd6e4ddb1c7b23f201765fc311327e73a094719995a1acccf01dd372ea3cd
Opcode Fuzzy Hash: e6ab24eb1a4e87d21749459e2f30dedccae7f1565e6256c2b59c98732137b503
Instruction Fuzzy Hash: F6311775B001098FDB05EBA8D490EDDBBF6EF89320F595194E601EB361DB70EC818BA0

Function 00B1B89D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3573c7e3e98ee22ff8e7a9a0fbc92613abd9af7a19555551a99919c1c4244e
Instruction ID: 659e00cb8755612928407268e3ecdbab9d21b0cdaa1b4e741a7e47556bdc2dce
Opcode Fuzzy Hash: 5e3573c7e3e98ee22ff8e7a9a0fbc92613abd9af7a19555551a99919c1c4244e
Instruction Fuzzy Hash: 91311775B001098FDB45EBA8D490EDDBBF6EF89320F555194E601EB361DA71EC818BA0

Function 00B1BDE8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 392bcedb7de7032a909183c76e25d996d353e07dbd803e705ffe9fdb1cb5e3d6
Instruction ID: b73d291aee544082dd2e6be6b7223f20c0263141064649b85e5ed8a6edf2da08
Opcode Fuzzy Hash: 392bcedb7de7032a909183c76e25d996d353e07dbd803e705ffe9fdb1cb5e3d6
Instruction Fuzzy Hash: B231D635705204DFDB04EF78D4A5AAE7BB6FF89310B5080A9E5058B352CF319D46CB91

Function 00B1BCE8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d607d4bc3b7128dd33d07ff1b0bc894d0dda71205cfe6e3c0f87b8bd409dcc
Instruction ID: 09e2a6e87894b6f8d4dd15f894b47346a7804b361acbb663138b0dd7e9ee179f
Opcode Fuzzy Hash: b5d607d4bc3b7128dd33d07ff1b0bc894d0dda71205cfe6e3c0f87b8bd409dcc
Instruction Fuzzy Hash: A7218E72A001089FDB44EFB9D855AFF7BB6EF88200B508169E51AD7655DF309E06CBA0

Function 00B118C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266c6d81fdf5c575bb1dded48e92a9c8a0d8bab3790fbe6ed6ca47f80746faf0
Instruction ID: 38e1ee46ea63ba72814971918e4bcf103a7faa7fab8dd8928b65773170f0a7ab
Opcode Fuzzy Hash: 266c6d81fdf5c575bb1dded48e92a9c8a0d8bab3790fbe6ed6ca47f80746faf0
Instruction Fuzzy Hash: 1121F431A0014A9FCF14DF28D4509EE73A4EBD9350B90C499E91A9B340EB31EE46CB90

Function 00ACD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3362871758.0000000000ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_acd000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2e51f5d5275730ebd04b2a9bd8381a1282ac52f34dc33d55dadbcda1e2e78a
Instruction ID: bb5cec26cf0d6c5a48c1fdac14f3087057591f1a4a22d5267c06b00dc505c45e
Opcode Fuzzy Hash: 0c2e51f5d5275730ebd04b2a9bd8381a1282ac52f34dc33d55dadbcda1e2e78a
Instruction Fuzzy Hash: 9521C271604244EFDB14DF18D9C0F26BBA5FB84318F24C57DD94A4B296C37AD846CA62

Function 00B10EC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90baeccff144a9d7da833b023b22a43619333899a4de08cccae5288a087dcf51
Instruction ID: f6b965a3c6cde4af003c5bf34ab28f4712325b6bbd6d924c78f76bf8b8ca76b9
Opcode Fuzzy Hash: 90baeccff144a9d7da833b023b22a43619333899a4de08cccae5288a087dcf51
Instruction Fuzzy Hash: EB218C71E042099FDB06EFB9D4116EEBBB2EF8A304F1084ED94149B285DBB45A85CF40

Function 00ACD006 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3362871758.0000000000ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_acd000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d501ccea1ee714c2ced961d01a1c0661cdd9f5fbb383fd29bd2b7dafbba7176b
Instruction ID: 269b584d0485592310f2e428225bcdce2ee2032e728e9cb168aaae8c53daef7d
Opcode Fuzzy Hash: d501ccea1ee714c2ced961d01a1c0661cdd9f5fbb383fd29bd2b7dafbba7176b
Instruction Fuzzy Hash: 9321307550D3C09FC713CF24D990B15BF71AB46214F29C5EBD8898F6A7C23A980ACB62

Function 00B117B8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab089a1b9f61168f83a009530d84db7ad6665cd578c04ef4a1cdac9c6ea9112d
Instruction ID: 1da6fb58497f0660a2ba88bf71e7b111c10ed1a6e892b2be6ba884146fb2d16c
Opcode Fuzzy Hash: ab089a1b9f61168f83a009530d84db7ad6665cd578c04ef4a1cdac9c6ea9112d
Instruction Fuzzy Hash: E3212574C0525A8FCB01DFB8D8945EDBFF0EF0A300F1455AAD405BB2A1EB344A95CBA1

Function 00B1BB48 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acffefe07be50357dfc63c4c060a636105db9d8b95c2b300dbef4dea7e1895d9
Instruction ID: ad85391673e061dd3fd3bd1cfadd0e050880fc5b1a3c9354c329cd0852f5333f
Opcode Fuzzy Hash: acffefe07be50357dfc63c4c060a636105db9d8b95c2b300dbef4dea7e1895d9
Instruction Fuzzy Hash: 05118C72304204CFD714DB69E994E96B7F6EF98721B6080A9E14A8B764CB71EC40CB50

Function 00B14850 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d643569411c43f1dc96dba555f9f4605914b6e214adc6c301a9d3bc07ae018
Instruction ID: c7f9ebc3542886bf4d069a111c542ad6d1ffad5414cfba26c5ec876b15b7481c
Opcode Fuzzy Hash: d6d643569411c43f1dc96dba555f9f4605914b6e214adc6c301a9d3bc07ae018
Instruction Fuzzy Hash: C001D232B013424FD7149BB9880856B7BEB9F85368344457AD905CB354FE70CC408790

Function 00B14860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e584a6cbd0c53ec5706e06c6b4a0da525f9707a1867e03c6299742de611fb1
Instruction ID: 0f178e7b87d9eb85325e730b01f637be16a2c2e63d06f1bd98d99f7ae966dd63
Opcode Fuzzy Hash: 25e584a6cbd0c53ec5706e06c6b4a0da525f9707a1867e03c6299742de611fb1
Instruction Fuzzy Hash: 3A01AD36F012564FD714ABBA884856F76EBEFC47683504579D905C7394FEB0CC008BA0

Function 00B1A508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c29b2fdecd922ba81e121248b596e3a1939d414157a93b9650c0fc72fe23b59
Instruction ID: 57bc59805ea5d325dbc2b31a936969f9b23f114eb0c227ea207a503b2c8ea1fa
Opcode Fuzzy Hash: 9c29b2fdecd922ba81e121248b596e3a1939d414157a93b9650c0fc72fe23b59
Instruction Fuzzy Hash: D4019EB1E002199FCF10DF69D8586AE7BBAFB88310F40402AE91AD7341DB349D10CBA1

Function 00B1BB47 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c92bad3976a7fbeb55905f09685f17dbd0fc1c61b062aa119854022392c70ed
Instruction ID: ce9c8d22b1f9cbb48d27237381e604cf641d1899272127bdc8a06f99ee0264c3
Opcode Fuzzy Hash: 0c92bad3976a7fbeb55905f09685f17dbd0fc1c61b062aa119854022392c70ed
Instruction Fuzzy Hash: 31015A71304200CFD714DB69D994F96B7E6EF89721F5180A9E14A8B765CB70EC44CB50

Function 00B1A4F9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bfc475434d42ee4a1bfc8617f98c1f6aef2d518735e7479938999c295bda187
Instruction ID: 0a2201984157dd8e4d48b1aab80f1559f3b0fea367b08ff1762c0674075b63ef
Opcode Fuzzy Hash: 2bfc475434d42ee4a1bfc8617f98c1f6aef2d518735e7479938999c295bda187
Instruction Fuzzy Hash: FB017C71A11219DFCB10DFA9D8949EE7BB5EB88710B104136EE19D3241DB349E11CBA2

Function 00B1BEF8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de694a43eac709b04fbaf18a76f8d29febfda093f4d061a59075161513d1be35
Instruction ID: b3793cf441071c28c33d3b0588ab75995d5b4eb2a531783d73b89bc3582bb367
Opcode Fuzzy Hash: de694a43eac709b04fbaf18a76f8d29febfda093f4d061a59075161513d1be35
Instruction Fuzzy Hash: 82F028357043449FCB052774A8184AE3FE7EBCA610B04406BE54AC7382DA698C079791

Function 00B1B9E9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb86a5106c7191bd64737672f1b333d5aea9609961c382090d5e436ae463a77
Instruction ID: 9f411cd32ab474094ff1079f9e8cb7a102638b8a4a5cf4cbb59b252322dede80
Opcode Fuzzy Hash: 1bb86a5106c7191bd64737672f1b333d5aea9609961c382090d5e436ae463a77
Instruction Fuzzy Hash: 89F0F672E011089FCB10DFADE8805DFBFF6EB98250B414236D509D3A01EB309A078BD1

Function 00B1C1B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72ad236dd0cec306ba827b8d4500ff540f7e7093aaa3f87c7a6a5be5cc6313e
Instruction ID: 42ceb762e180b20903e6b5d93059170634a82c696996ab9cb06df8a0fdb53fee
Opcode Fuzzy Hash: b72ad236dd0cec306ba827b8d4500ff540f7e7093aaa3f87c7a6a5be5cc6313e
Instruction Fuzzy Hash: F9F0A032B446119BCB19576AE4149AEBBEAEFC573175440BAF509EB352CF32DC0287A0

Function 00B1B9F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61a2c35690189960c7abf84879611e39c7b185d5073ae68c8a6ba522b17c774
Instruction ID: 458fd776b21c19c07cf80abd406d25065151ef32d75210f9603b504fee523709
Opcode Fuzzy Hash: a61a2c35690189960c7abf84879611e39c7b185d5073ae68c8a6ba522b17c774
Instruction Fuzzy Hash: 83F08271A042089F8B50DFADA8409EFBBF5FB88350B50452AD609D3201E7709A118BE1

Function 00B146C9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe22cf72023b21e6bc0c207f87f97abeff8b1344a7a77418a2af32179a42b0b3
Instruction ID: b23c413083c29976ace20111d2c4d25cf573f1f83ed976ce133754f62d91d500
Opcode Fuzzy Hash: fe22cf72023b21e6bc0c207f87f97abeff8b1344a7a77418a2af32179a42b0b3
Instruction Fuzzy Hash: 76F01C318157468FE300ABB0ECACA6A7B31EF0B30BB4A2C48F00A95021CB312082CF04

Function 00B146D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b63c69a85fbd93a4e762a7b72b0897e2a6123445e17f37ce037b6afa3e5febf
Instruction ID: cf3346d46d076688422e95f9269131d94c9e5a51f2c770177cc0b012c3841041
Opcode Fuzzy Hash: 6b63c69a85fbd93a4e762a7b72b0897e2a6123445e17f37ce037b6afa3e5febf
Instruction Fuzzy Hash: F6E00275861B0ACBE310ABB4A9ACA7A7A65EB0B317B862D50F01E91071CF7064968E54

Function 00B11877 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd01e33e7d8015823cce510407c7fa442455f528c7341f385082b6836ff9bd6c
Instruction ID: bec46ee90bd85279e3a195a2576a79df30a59cb939d7d3d6783433a36d082ff2
Opcode Fuzzy Hash: bd01e33e7d8015823cce510407c7fa442455f528c7341f385082b6836ff9bd6c
Instruction Fuzzy Hash: 1AE01A319653A79ECB03AFB4A8144EEBB74EE92210B4542B7E514AF190EB301599CBA1

Function 00B11888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d54ee532a1afaed0d3f0c4025045a147c8f4550880362f4d6d9412f1ed13b7
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: 66d54ee532a1afaed0d3f0c4025045a147c8f4550880362f4d6d9412f1ed13b7
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 00B1BCE4 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6efafe5c913a7ded3f50194d230151e09f2c71bc54d3e134498fdb7857340411
Instruction ID: 0b80d39f0331181d0a40f780c47444279cd191a7d0db1868b18c4d48b9106f8b
Opcode Fuzzy Hash: 6efafe5c913a7ded3f50194d230151e09f2c71bc54d3e134498fdb7857340411
Instruction Fuzzy Hash: B9C02B3323524803CF0CB7F078038A932358A41107BC043FD7C4E8D511E693886A83C1

Function 00B14831 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363197092.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b10000_Salary Payment Information Discrepancy_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76656c0ffa9865da08b8e04b02c88f302ba48f5dae38665577202d257b1c7aa
Instruction ID: a9e277787b513957bfa17bb4812bae1bb899d1f9612a5cdcb67e81a312d2bff1
Opcode Fuzzy Hash: c76656c0ffa9865da08b8e04b02c88f302ba48f5dae38665577202d257b1c7aa
Instruction Fuzzy Hash: 84C0482684E3C10ECF0B4BB405290ABBF70AE57208B5A1CEBC0C2DA093D914602AC302

Analysis Process: gmerYar.exePID: 6832, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	28
Total number of Limit Nodes:	2

Executed Functions

Function 00BD448C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00BD59C9

Memory Dump Source

Source File: 00000009.00000002.2189541749.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bd0000_gmerYar.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 15c59dc2b381f5bdb122c8376e3bf858e54fb442843d2e06fe267d5aec4ea4fe
Instruction ID: 31bd9b165479571abaf6a3e834ebabe456cac06a9b06dde9efcbad5607b5092b
Opcode Fuzzy Hash: 15c59dc2b381f5bdb122c8376e3bf858e54fb442843d2e06fe267d5aec4ea4fe
Instruction Fuzzy Hash: DA41CF70C00B1DCBEB24CFA9C884B9DBBF5EB49704F2081AAD408AB255E7756945CF90

Function 00BD590D Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00BD59C9

Memory Dump Source

Source File: 00000009.00000002.2189541749.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bd0000_gmerYar.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ef8cb4022e76cf5574249f03be3b224afaf0f372688ec053cda17dbdf94f3c60
Instruction ID: 59db4425248d3c3aae6a70f393425ef777fe7efc498cd4641818ae09cbf3202d
Opcode Fuzzy Hash: ef8cb4022e76cf5574249f03be3b224afaf0f372688ec053cda17dbdf94f3c60
Instruction Fuzzy Hash: 6541D0B0C01B19CBEB24DFA9C88478DBBF1BF49304F2081AAD408AB255DB756945CF50

Function 00BDE09C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00BDE4B6,?,?,?,?,?), ref: 00BDE577

Memory Dump Source

Source File: 00000009.00000002.2189541749.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bd0000_gmerYar.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ec37c40eed242c72c75050aa38583bf324c8405d0f4d454e81cf47a6fbb2bbea
Instruction ID: 71ef78c83082a9dc4f4cdfb14363bee9d896bd8fb47d85d43bab0f1977f731a8
Opcode Fuzzy Hash: ec37c40eed242c72c75050aa38583bf324c8405d0f4d454e81cf47a6fbb2bbea
Instruction Fuzzy Hash: 2621E6B5900249DFDB10DFAAD884ADEFBF8EB48314F14845AE914B7310D374A954CFA5

Function 06A2FE78 Relevance: 1.6, APIs: 1, Instructions: 52
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 06A2FEE2

Memory Dump Source

Source File: 00000009.00000002.2193824692.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_gmerYar.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1dbc0b4a84f05fa0310ebfaa30a122d87608051b78d580ce64a129222a406335
Instruction ID: b84ad2a097ba5ed4629e59374df1e0807b88db0c2b3a43e305e829930c1df9c5
Opcode Fuzzy Hash: 1dbc0b4a84f05fa0310ebfaa30a122d87608051b78d580ce64a129222a406335
Instruction Fuzzy Hash: B21176B18003498FDB10DFAAC8457DEBBF4AF88320F208419D919A7200CB399900CBA0

Function 06A2FE80 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 06A2FEE2

Memory Dump Source

Source File: 00000009.00000002.2193824692.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6a20000_gmerYar.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 02a90f7f974cebf42b0b5e46c9e91e9485b138aa7c11e26759a000bddd8bfd25
Instruction ID: 46a6f127b7e3813b344746a32b48d88094951e54d496ecedd547a0ab77caf371
Opcode Fuzzy Hash: 02a90f7f974cebf42b0b5e46c9e91e9485b138aa7c11e26759a000bddd8bfd25
Instruction Fuzzy Hash: 081136B1D003498FDB10DFAAC84579FFBF4AF89724F24841AD519A7240CB79A944CFA5

Function 00BDBDF8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00BDBE5E

Memory Dump Source

Source File: 00000009.00000002.2189541749.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bd0000_gmerYar.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d7e36cedb47b55fc7f7441f20b5cbc82c7dcf07b99075e327c0759f0064b465e
Instruction ID: 9cbe330ef737e2fbd7a9cbc2fb98e166be80b41a3afae65a81b93bd1e4f2e276
Opcode Fuzzy Hash: d7e36cedb47b55fc7f7441f20b5cbc82c7dcf07b99075e327c0759f0064b465e
Instruction Fuzzy Hash: BA110FB6C00649CFDB10CF9AC844ADEFBF4EB88714F11846AD918A7310D379A545CFA1

Function 00B7D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2189279867.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b7d000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5ef0d343e0f7e657b4c96170064788b62eea4ab35a85d86f02de2fe7a8c2c3
Instruction ID: 08f7d894d49841f468e9e476534dd601010643eab5add29b38a3ec0209ce845f
Opcode Fuzzy Hash: 8e5ef0d343e0f7e657b4c96170064788b62eea4ab35a85d86f02de2fe7a8c2c3
Instruction Fuzzy Hash: 7D21C472504204EFDB05DF14D9C0B16BBB5FF94364F24C5A9D90E4B356C336E856CAA2

Function 00B7D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2189279867.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b7d000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c21ad72ef607e1c07af713dd2d4b4603001e0856b3a918b2a71c9ff7426c44
Instruction ID: 497504382e89b4a534c0b4ccb5d6ad8f50c8d24ccc24e30d16732a6681908f79
Opcode Fuzzy Hash: 83c21ad72ef607e1c07af713dd2d4b4603001e0856b3a918b2a71c9ff7426c44
Instruction Fuzzy Hash: 86212572504240EFDB05DF14D9C0B26BFB5FF98358F24C5A9E9090B256C336D856CBA2

Function 00B8D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2189346273.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6006012b0967502b0cc126c3de00d56a400a4984d93ddca5f8eb091e82ddbf30
Instruction ID: 136dadfb71027eb8e2cc5bdbde3945cf04ddda8a2c3d1636831cf5abde12295f
Opcode Fuzzy Hash: 6006012b0967502b0cc126c3de00d56a400a4984d93ddca5f8eb091e82ddbf30
Instruction Fuzzy Hash: 8921F571604304EFDB14EF24D9D0B16BBA5FB84314F20C5AED9094B2A6C336D847CB61

Function 00B8D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2189346273.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9cbfcd5e66fcf8745fe053704cbb9d60875515bf780fc2aea7de83d0cad28e5
Instruction ID: 2c63a7e0369f508d66683f740600d79038e80865bb18065baf17cb5e2ba0a799
Opcode Fuzzy Hash: b9cbfcd5e66fcf8745fe053704cbb9d60875515bf780fc2aea7de83d0cad28e5
Instruction Fuzzy Hash: 0F21D471604204EFDB05EF64D9C0F26BBA5FB84314F24C6AEE9094B2E2C376D846CB61

Function 00B8D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2189346273.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35baabd34aa2cbefd6e5b386f6c0a7b3f259cfb2d9f96f24fde7a0212fe3ba55
Instruction ID: 53a30304b9ea5b089b46f1df1f6145e13003fa52973f3d0fc9aaaf98863faf60
Opcode Fuzzy Hash: 35baabd34aa2cbefd6e5b386f6c0a7b3f259cfb2d9f96f24fde7a0212fe3ba55
Instruction Fuzzy Hash: 2E219275509380DFCB02DF20D5A0715BFB1EB45314F28C5DBD8498B2A7C33A980ACB62

Function 00B7D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2189279867.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b7d000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: c7baab380768b5e90bae0eeff86785a772a6aa2a352ddf588bd8a78970e0dd1a
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: 5511D376504280DFCB15CF10D5C4B16BFB1FF94324F24C6A9D8490B656C33AD85ACBA2

Function 00B7D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2189279867.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b7d000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: ee36dd89711b01d819df87fb7d0c4170eaf3b977da450fef96b15a82f6e40158
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: 0D11AF76504240DFCB15CF10D5C4B16BFB1FB94324F24C6A9D8090B656C33AE85ACBA2

Function 00B8D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2189346273.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: bd9c39d6cdd2dfde6c97a5ed18e606d5b779642fa6a30513d6172840783cdf8f
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: 51118B75904284DFCB15DF14D5C4B15FBA1FB84314F24C6AAD8494B6A6C33AD84ACB62

Analysis Process: gmerYar.exePID: 6636, Parent PID: 6832COMMON

Execution Graph

Execution Coverage:	13.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	12.3%
Total number of Nodes:	57
Total number of Limit Nodes:	9

Executed Functions

Function 00E9C530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 00E9F910

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: d4727f816f46b92f0daf421bbc8048d17494ce663f04e7c8d8247bf7e2f87f0e
Instruction ID: 72e673c285b0b62975a757dbd3ddae5519137905cfec78e3fa1c02cab5cb26d6
Opcode Fuzzy Hash: d4727f816f46b92f0daf421bbc8048d17494ce663f04e7c8d8247bf7e2f87f0e
Instruction Fuzzy Hash: 4173D531D1075A8EDB11EF68C844A99FBB1FF99300F55D69AE44877221EB70AAC4CF81

Function 05040AB8 Relevance: 3.5, APIs: 2, Instructions: 533
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05040D70

Memory Dump Source

Source File: 0000000C.00000002.3367277907.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5040000_gmerYar.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 80964476d5b943ce8cd9f406b1dbf07de80d528c42ec28cebd39d379b33e84fc
Instruction ID: a4d9e55ab1dee30f76b0003707ea27ce8cbbe57f3fb09ddf4832777ea15a1d21
Opcode Fuzzy Hash: 80964476d5b943ce8cd9f406b1dbf07de80d528c42ec28cebd39d379b33e84fc
Instruction Fuzzy Hash: E1222AB4E00218CFDB14DFA8D894BADBBF2BF84304F1485A9D509AB395DB349985CF90

Function 05040CD8 Relevance: 1.6, APIs: 1, Instructions: 88
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05040D70

Memory Dump Source

Source File: 0000000C.00000002.3367277907.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5040000_gmerYar.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d6f4e6ac4d5f3b1931bc50febaafa60394770362c8ecb11e118dab5af47ad76c
Instruction ID: a04424c2af02afeeb22a589b0c9d2e45fbba0eeb4d8a07536cd52215a01654c3
Opcode Fuzzy Hash: d6f4e6ac4d5f3b1931bc50febaafa60394770362c8ecb11e118dab5af47ad76c
Instruction Fuzzy Hash: C531F5B1D016189BEB18CFAAD9887DDFBF2BF88310F14C16AD418B72A4DB7049458F10

Function 00E99480 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e16ec616f6d1a650461a46359841e43c06cbd55a712482e4174210b9125c724
Instruction ID: fbbe31356b3da57b0738f8cfb93749a55dee5f96ad57d347dc4004b12317d8ab
Opcode Fuzzy Hash: 6e16ec616f6d1a650461a46359841e43c06cbd55a712482e4174210b9125c724
Instruction Fuzzy Hash: D8C18F78E01218CFDB14DFA5D994B9DBBB2FB89300F2081A9D809A7355DB35AE85CF10

Function 00E9C521 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57afa3e0178c81489f82cdf21a9bb4daf5f07c5002a00319cbedf822ae89928
Instruction ID: 091d9baf92df5ff76cd5d87059e82acfe50f667e8d2d54fab98307c0eddc3662
Opcode Fuzzy Hash: f57afa3e0178c81489f82cdf21a9bb4daf5f07c5002a00319cbedf822ae89928
Instruction Fuzzy Hash: BEA1F271D016198EDB14EFA9C8447DDFBB1AF89300F14D2AAE458B7261EB709A85CF41

Function 00E99A30 Relevance: .2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d39e890b537341526c7e1682fc0796cfcfb03289b7a44b137dcdb25c13d10b
Instruction ID: d806ba20a51acad8ffde87c920e2da621d342ce7932d30c0b22c53b7212bfe4d
Opcode Fuzzy Hash: a0d39e890b537341526c7e1682fc0796cfcfb03289b7a44b137dcdb25c13d10b
Instruction Fuzzy Hash: 56A1F470D00208CFEB14DFA9D988BDDBBB1FF88305F209269E409A7292DB759985CF54

Function 00E99A40 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83056dcef4d02e4931043fa90f9cc300928302db77f761557a1d103444e5d3f
Instruction ID: a2ad61c4e62a4bc4ef948de75782960b359274403da94592e30cbf57450ef637
Opcode Fuzzy Hash: b83056dcef4d02e4931043fa90f9cc300928302db77f761557a1d103444e5d3f
Instruction Fuzzy Hash: 7CA10470D00208CFEB24DFA9D948B9DBBB1FF88305F209269E408B7292DB749985CF54

Function 00E99D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521a5903089980f2e2f51dacf00fe6eca1110021f8064f7d6bdeeaf00103d4df
Instruction ID: bee57c4af936a0809bb0148d4903255f1b007e9f055569ffaf5ff121a54eb428
Opcode Fuzzy Hash: 521a5903089980f2e2f51dacf00fe6eca1110021f8064f7d6bdeeaf00103d4df
Instruction Fuzzy Hash: DE91CF70D00208CFEB14DFA8D988B9CBBB1FB89315F209259E409BB292DB759985CF55

Function 00E9946F Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9f7e438da13a543dbb1833fa5bd3f592d7f5d6b480ca05b46e9b19e936cca2
Instruction ID: 64057423111fa24d2c5172b5d2e46bc3a33999b694b8744645d028db1f3592c3
Opcode Fuzzy Hash: dd9f7e438da13a543dbb1833fa5bd3f592d7f5d6b480ca05b46e9b19e936cca2
Instruction Fuzzy Hash: EA41D475D01208CBEB18CFAAD8446DDFBB2BF88300F24D12AD815BB255EB395946CF50

Function 050410BC Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 050411FE

Memory Dump Source

Source File: 0000000C.00000002.3367277907.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5040000_gmerYar.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 58aa730808f04b44e670d07544cc643bcb6e5abf34c6627870650fa0553e4116
Instruction ID: 4831f30a500062951b4d4104965ee460b86f5e820c8bcb66060c7884cf6275b3
Opcode Fuzzy Hash: 58aa730808f04b44e670d07544cc643bcb6e5abf34c6627870650fa0553e4116
Instruction Fuzzy Hash: B1113DB4E041099FDB18DBA8E484EFDBBF5FB88305F148175E814A7255D730A981CF54

Function 00E9AF78 Relevance: 1.5, Strings: 1, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00E9B065

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a97b9aa3724ad698f4e4611cc4263c85539b22b748705f94d6638e480316d381
Instruction ID: c7bba4b0da699fefb538af99d79c047f0db4a5be9a98dc8dafc437a3e3abedb3
Opcode Fuzzy Hash: a97b9aa3724ad698f4e4611cc4263c85539b22b748705f94d6638e480316d381
Instruction Fuzzy Hash: 6371E430700208DBEF186F78E45867E7692EFC5364F20862AE926AB3D0DF358D41C761

Function 00E9AF76 Relevance: 1.4, Strings: 1, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00E9B015

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7957b934b16db6a97f12f89f09c0f48e740d5d97b3da987c77f807f904fa5ace
Instruction ID: f3db2503758b3a8810720e960d2d988742291bacd906641d5f7aa8c82b9d3753
Opcode Fuzzy Hash: 7957b934b16db6a97f12f89f09c0f48e740d5d97b3da987c77f807f904fa5ace
Instruction Fuzzy Hash: 2651C335B006088BEF186F79E45866E7B92EFC5364F148629E926EB3D0DF348D41C7A1

Function 00E9BF80 Relevance: .2, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068c68ff2b5469353ddeed31ee31188d3feec9471042f5bca4ebd45f0bca4de7
Instruction ID: edbd4bcbc2518c20f8c89532438ff7ecd3741a11cb89dc98019aa1a48c3c80d2
Opcode Fuzzy Hash: 068c68ff2b5469353ddeed31ee31188d3feec9471042f5bca4ebd45f0bca4de7
Instruction Fuzzy Hash: 5561D272B002059FCB24EBB9D8949AEBBB5EBC8324F24953AE419E7750D731DC0187A0

Function 00E90B20 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c656ef550d9f6fabb40fc5f41302e52b18ed548f0fbc7d60c2117a57f63468
Instruction ID: 37495109501101ab9d65d5e564703c919b8447f3064df215bf485e4544c95ea7
Opcode Fuzzy Hash: 08c656ef550d9f6fabb40fc5f41302e52b18ed548f0fbc7d60c2117a57f63468
Instruction Fuzzy Hash: 75A1C27890024ACFCF05EFB8E894A9DBBB1FF89301B104529E515A7399EB716D46CF80

Function 00E90B30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de54b0ced9d75c2187750516ee1f3b55529e01ca77c7447afe8e8cc9b523420
Instruction ID: 48c6cfbf633e059921a03d1d56a60d550c9386802421cfe04acc14f7ff819bf6
Opcode Fuzzy Hash: 5de54b0ced9d75c2187750516ee1f3b55529e01ca77c7447afe8e8cc9b523420
Instruction Fuzzy Hash: 23A1C57890024ACFCF05EFB8E895A9DBBB1FF89301B104529E515A7399EB716D46CF80

Function 00E919B8 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25be328e1d1ed61e1292420f1b6d8f39cdee40ebcf69883af03ce4c4e8b0571
Instruction ID: fd42cd38443ebb193c169741944196b2c780f1d8a4f0d8e8eb445d64626474a3
Opcode Fuzzy Hash: a25be328e1d1ed61e1292420f1b6d8f39cdee40ebcf69883af03ce4c4e8b0571
Instruction Fuzzy Hash: 7171B131E0431A8FDF559BB888543EEBBB6BF85310F1481AAD519B3291EB708D45CBA1

Function 00E92C60 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4bbe1a8d583592e3ea195cb11bbd3447f7547f13899a6ec9752d23d8a782da
Instruction ID: 9ce13a1562962bb542474a49e8e452d6c787e0fe9654f544df2db6f7b0f1bd33
Opcode Fuzzy Hash: 9a4bbe1a8d583592e3ea195cb11bbd3447f7547f13899a6ec9752d23d8a782da
Instruction Fuzzy Hash: A3414335B05355ABDF190A7948A42BEBBB5BFD1304F28506EDA02E72C1EB748C498361

Function 00E9B7E8 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb89bbf291e6aeaf614b1f98028ec481d0a1202684db31881f9e28b0f31429fa
Instruction ID: fb32411e6474e47d4468b9750a1c869dc626fadadc1ab117d7a6122d70ba9a3b
Opcode Fuzzy Hash: fb89bbf291e6aeaf614b1f98028ec481d0a1202684db31881f9e28b0f31429fa
Instruction Fuzzy Hash: CC41F575A001088FCB15DBA8D590EEDBBB6EF8D320F195154E601BB3A1DB71ED81CBA1

Function 00E93F78 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3093d6c33639cec4af6616b06201895724ed715c732045990d8da12e25fd725f
Instruction ID: 23a18ff162e5039cde30c64379dfdeda0ced5ae7f93ee959feb8f46d787f0fd3
Opcode Fuzzy Hash: 3093d6c33639cec4af6616b06201895724ed715c732045990d8da12e25fd725f
Instruction Fuzzy Hash: 1A51B7B4E01208DFDB48DFAAD484A9DBBF2BF89310F109429E915BB364DB749946CF50

Function 00E9B7E4 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c7a670725d6ec8e59da83f85cc6e05a1e97639ea1d11af3e87c6f925db1a70
Instruction ID: 1e70dd2935162ba9598cba9eaaa11c5263ab41134400a9feb733d5ff8601ed05
Opcode Fuzzy Hash: 97c7a670725d6ec8e59da83f85cc6e05a1e97639ea1d11af3e87c6f925db1a70
Instruction Fuzzy Hash: 45411735A001088FCB15DBA8D590EEDBBB6EF8D320F195154E601BB3A1DB71ED85CBA1

Function 00E93158 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f2c4c32a363d666ad7e110b614f3dda3244952498dcfb6d41bf1a6b3b41bab
Instruction ID: 44b0c4262a304fba764c7d02e7ead4cafe0e3e333d888caa488e6d389c549032
Opcode Fuzzy Hash: f8f2c4c32a363d666ad7e110b614f3dda3244952498dcfb6d41bf1a6b3b41bab
Instruction Fuzzy Hash: 8341D275E01208DFCB08DFAAD884A9DBBF2BF89300F249569E805BB365DB355946CF10

Function 00E93168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ad887ae2410451d2c3ed799da8d5c34d5d69a78df4b92f188d29438c9446bd
Instruction ID: 6de728a1e2c57f02741c56960040d12334be975a78751d0c4269ba1fe7ca457a
Opcode Fuzzy Hash: 51ad887ae2410451d2c3ed799da8d5c34d5d69a78df4b92f188d29438c9446bd
Instruction Fuzzy Hash: A541B274E01208DFCB08DFAAD98499DBBF2BF89300F249569E805BB365DB35A945CF14

Function 00E99249 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfab9e94d7cfda122dd37cd94f9d18cb81874959b04cb717f2dfa73dc3598ce
Instruction ID: 2b6b06c0a08211071db8bc202a051cd39408edebb6e39fa19974ce65fd42daac
Opcode Fuzzy Hash: 1cfab9e94d7cfda122dd37cd94f9d18cb81874959b04cb717f2dfa73dc3598ce
Instruction Fuzzy Hash: 1831DF7006634FCFD6202BA1B9EC17ABBA1FB8F3137446C05E41A90522DB3828CA8B51

Function 00E9B869 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02bd59192dce8edf227e6a4bf230c3703f8d6752725d7a24cb858830df9b1e53
Instruction ID: dbe544e24b4b7d43ad2a36e993a4fdb90e9388dde6c5831870857c208ea40f22
Opcode Fuzzy Hash: 02bd59192dce8edf227e6a4bf230c3703f8d6752725d7a24cb858830df9b1e53
Instruction Fuzzy Hash: E8311375B102098FDB05DFA8D590EEDBBB6FF89320F195154E601AB361DB70EC818BA1

Function 00E9B89D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f24f3424a9ae8ee9a87d65efb1bc5cc97c9e625b089240d27462d77f956d276
Instruction ID: d973184813c44fb2e5f9e85ec416bb76d6e206a4e45bc23edfb0dd92cb518abb
Opcode Fuzzy Hash: 4f24f3424a9ae8ee9a87d65efb1bc5cc97c9e625b089240d27462d77f956d276
Instruction Fuzzy Hash: 14312775B002098FDB45DFA8D490EEDBBB2EF89324F195154E601EB361DB71EC818BA1

Function 00E9BDE8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd97a886b8041dc11191465469d7bea5a8e0ec4e409e924637d76ac6dfccc3c
Instruction ID: 6d35de24a21a28d4405c3352a01bc30f7c2c7a9007797fb0902b2bf025e5cf09
Opcode Fuzzy Hash: bfd97a886b8041dc11191465469d7bea5a8e0ec4e409e924637d76ac6dfccc3c
Instruction Fuzzy Hash: 8731D634704208DFDB04DF69D551AAE7BB6FF89300F248069E6059B391DF319D46CB91

Function 00E9BCE8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac527dd8e19e2cd2ccf0a22147943bea1bfd097629e2b9df12ab80470b1d56d
Instruction ID: 0bb39ff4d6529adae27554706075abdb240ceafcbecc7b251299581fcdb3ef22
Opcode Fuzzy Hash: 3ac527dd8e19e2cd2ccf0a22147943bea1bfd097629e2b9df12ab80470b1d56d
Instruction Fuzzy Hash: C721B571A001089FDB44EFB8D855ABE7BB6EF88300F508579E519E7251DF349E06C7A0

Function 00E918C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7688d4e0f2cba7f36297e38a95e8fff04a3ae870d00b6c51519a9a07820d8a
Instruction ID: f5913a2900475c9bbc5bd25dd4292cbc7a4a7f2d45f2d60e00fa19ff54bc8c54
Opcode Fuzzy Hash: 3d7688d4e0f2cba7f36297e38a95e8fff04a3ae870d00b6c51519a9a07820d8a
Instruction Fuzzy Hash: BC21CF35A0014A9FCF14DB24D850AAE77B5EBD9360B60C099EC09AB340EB31EE06CBD1

Function 00E0D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363606771.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e0d000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97141ac9860641742b7cd364bb4969cdb613bfe16c2090ce4a2762af11206dd1
Instruction ID: 80879d8b3ca88a53ee38d4aa5d1b2dcfeff927905ed153caf11f2abd74943001
Opcode Fuzzy Hash: 97141ac9860641742b7cd364bb4969cdb613bfe16c2090ce4a2762af11206dd1
Instruction Fuzzy Hash: DE210371608304EFDB10DF54D980B26BB66EB84318F20C56DD84D1B296C376D886CB62

Function 00E0D005 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363606771.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e0d000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e879e754e58f56617f5ccc83505d6338fe8a5c66f4dac0c501d1b580d5af11a3
Instruction ID: 6823f1852aec04b0c6089fbf8276cf97330578844ba582290268af94074a7009
Opcode Fuzzy Hash: e879e754e58f56617f5ccc83505d6338fe8a5c66f4dac0c501d1b580d5af11a3
Instruction Fuzzy Hash: 3F212C7150D3C49FC703CB64D990711BF71AB46314F29C5EBD8898F2A7C27A985ACB62

Function 00E90EC8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 843520aefe5dc3e4c90942b0d22e9d7ee9fc2e111514d20f7bdcd12c6355743c
Instruction ID: 232edb52ebec12f552382b81343c750c1d93a41ab2a4d9ad265085692d0ee140
Opcode Fuzzy Hash: 843520aefe5dc3e4c90942b0d22e9d7ee9fc2e111514d20f7bdcd12c6355743c
Instruction Fuzzy Hash: 4721BAB0E042099FCF05EFB9D8117AEBBB2EF85304F10D4AA95146B2D5DB745A42CF51

Function 00E94830 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 947202faaf815f4b9ab95153d179c9c630d2c24dbfe78d101bff0d172ccbe16e
Instruction ID: 0da88abee5690b8c42ae7d4f6bce9b9ee9c2c47885d5057d239e691d7cc8430f
Opcode Fuzzy Hash: 947202faaf815f4b9ab95153d179c9c630d2c24dbfe78d101bff0d172ccbe16e
Instruction Fuzzy Hash: 9A113676F093824FD71A5F78881466EBBFAAF86254B0544ABD400CB2D5FE348C028B51

Function 00E917B8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b57e92545d8e8e6a0b1941fcb6b3e2bfdd0d301c54a541fa19146a9dad568c
Instruction ID: 09472fd018109ccca4e9fcf7b325777a311d3d75cf99d57bc18d250cfc5b9ddb
Opcode Fuzzy Hash: 05b57e92545d8e8e6a0b1941fcb6b3e2bfdd0d301c54a541fa19146a9dad568c
Instruction Fuzzy Hash: AE211474C0524A8FCF01DFB8D8945EDBFF4BF0A204F1455AAD405BB2A1EB315A99CBA1

Function 00E9BB48 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2982a24078e8137acc42c947d0c44b2089bfdd8e606356a1a9c07dca035206f
Instruction ID: 51d7a6ba83e9888a9069ac13d341437c40a01027676712f47d7186629d24785a
Opcode Fuzzy Hash: e2982a24078e8137acc42c947d0c44b2089bfdd8e606356a1a9c07dca035206f
Instruction Fuzzy Hash: 7D119171300104CFDB14DB69E998E56B7E6FF99725B21806AE149CB3A4CB71EC00CB50

Function 00E90FB8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9afd8a29027895a96103d6a0926d23c57f3e6640f0705b29098b35e55c3a4d67
Instruction ID: 4965eafe1f9fdd0b0da7c8a7e607896c8f12f8cf882b5e4f4ff57f8313d02aca
Opcode Fuzzy Hash: 9afd8a29027895a96103d6a0926d23c57f3e6640f0705b29098b35e55c3a4d67
Instruction Fuzzy Hash: CB110430B082498FCF22ABB4E0102ED7771EF92319F50A2BED5456B2C5DB768E46CB41

Function 00E94860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f6d01577e4e0a79517706babddde72d8a93bb3d6b73796ba7b8291b5dbdd63
Instruction ID: ac51fd843136bada3280d52b20a2486784177fab79f0a95304e4334ee67a08c6
Opcode Fuzzy Hash: 44f6d01577e4e0a79517706babddde72d8a93bb3d6b73796ba7b8291b5dbdd63
Instruction Fuzzy Hash: 5601D176F012554FDB28ABBA884892F76EFAFC4668310453AE905C7394FE70CC018B90

Function 00E9A508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15841387323a887acc4a5fff5813d223a196a658f5c379c954c372235c15055b
Instruction ID: c7994191036edecbd5a09c3b470dc47ae1951d3ab8043e3638843c6f49d5d0f2
Opcode Fuzzy Hash: 15841387323a887acc4a5fff5813d223a196a658f5c379c954c372235c15055b
Instruction Fuzzy Hash: 74014C75A0020E9BDF54AFA9E8486AE7BB5FF88310B404439E91A97241DA349D10CBA1

Function 00E9BB46 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8396ff02829b5a086d83e710ed36b3f17d5a29d0440551f46127e648599451ba
Instruction ID: 61e380fdec1266fc5fc4b38871e1e763f9b1d885ddad348f4a9092f3ffd126fd
Opcode Fuzzy Hash: 8396ff02829b5a086d83e710ed36b3f17d5a29d0440551f46127e648599451ba
Instruction Fuzzy Hash: 0A017C71300200CFDB14DB69EA98B66B7E5EF89725F118069E1498B3A4DB70EC05CB50

Function 00E9BEF8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4923243204c9eec8c122ac3e9ad6c29008c2e38947992c3efd9e9649867a622
Instruction ID: ad7f2b863022e4d8c0cd88f76d5a4f78933fe72adf7f37ff76372f8d284b57dd
Opcode Fuzzy Hash: a4923243204c9eec8c122ac3e9ad6c29008c2e38947992c3efd9e9649867a622
Instruction Fuzzy Hash: A2F028357053485FCB152774BC1906E3FA6EBC6310B04446AE54AC7682DE29CC47D791

Function 00E9A4F9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d014464308140baa04e3beebbb2ee2b6c72bc7d8bbcfec81adb37b16b987109
Instruction ID: 1f45974f4a450ed0fc49e30270a66825b1d49754994b5a385a16cf68d5d85d91
Opcode Fuzzy Hash: 9d014464308140baa04e3beebbb2ee2b6c72bc7d8bbcfec81adb37b16b987109
Instruction Fuzzy Hash: DA017C71A0011E9FCF14DFA8E8449EE7BB5FF88310B104136E919E3241EB708E11CB92

Function 00E9C1B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5461038140fec8dbaa507c6b31dbb34f70c8a668f84102f2e29cdb4df7faf1ee
Instruction ID: 896bcef58ed7db6e4f62459371d3ae16054efb8df7907dad1b0280397ac709ba
Opcode Fuzzy Hash: 5461038140fec8dbaa507c6b31dbb34f70c8a668f84102f2e29cdb4df7faf1ee
Instruction Fuzzy Hash: CAF02032B002219BCB19666AF81096EB7EAEFC8330710007AF008EB391CF32CC028790

Function 00E9B9F4 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4061be1330210b97ae1a561e875103324dda430112c3a5823378581ec9c29733
Instruction ID: 834bab12c89fa6ececf4e86601b3ea7e07426a77d6715183531ef8fe35cac753
Opcode Fuzzy Hash: 4061be1330210b97ae1a561e875103324dda430112c3a5823378581ec9c29733
Instruction Fuzzy Hash: 3DF08971D041089F8B50DFA9A4405DFFFF5FB9C350B10452AD509D3201E7705A1187D1

Function 00E9B9F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e01cd317429bb5c1369d668311d72cc6503416c7246db410fe0da353ac8c532d
Instruction ID: a16b580e97128bb01b4d4512ed914ab16e292eec608d1877937b68e9af8edc31
Opcode Fuzzy Hash: e01cd317429bb5c1369d668311d72cc6503416c7246db410fe0da353ac8c532d
Instruction Fuzzy Hash: 15F01275A042089F8B50DFAD98409EFBBF5FB98350B50452AD609E3211E7709A159BE1

Function 00E946C9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9002ca31667df93729b2573809f6265f10f85307f497773e437d4d1c42d25b74
Instruction ID: 940fdcd4f96a99e48d9edf668822c632a3e21c46d2b33c9116e0ced7bc1f1b1b
Opcode Fuzzy Hash: 9002ca31667df93729b2573809f6265f10f85307f497773e437d4d1c42d25b74
Instruction Fuzzy Hash: CAF098760557868FE7116B32ACAC72BBF70FB0B317B442D54E45AA50A2CB720489CE14

Function 00E946D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28650fe13f7726bfd6daea14b4de055cac187f2f4e1318214d75aa750a82164c
Instruction ID: 64c10409b0a7d5e47b8d36e9f6b0a25807aeec68e207b51bf2cf81445ff0244d
Opcode Fuzzy Hash: 28650fe13f7726bfd6daea14b4de055cac187f2f4e1318214d75aa750a82164c
Instruction Fuzzy Hash: F2E002B6461B06CFE6102B62BDAC63F7A65EB0B317B802D14A11EA10B1DF7344998E54

Function 00E91877 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82387cf0178a7370f794587f34892b387e3709c396e4d38fce72094c194d6ac4
Instruction ID: 3f426f90744f5029db0d8eae9f22994d7c5e3af046aa057309ba7b127312df60
Opcode Fuzzy Hash: 82387cf0178a7370f794587f34892b387e3709c396e4d38fce72094c194d6ac4
Instruction Fuzzy Hash: B7E0D835D243978ACB039BB0AC101DDBB345F82121F494293D464360D1E730114ACBA1

Function 00E91888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902f1127b96f547a7266abdf7e553731f07ecead1948027f0bee7feb0d610918
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: 902f1127b96f547a7266abdf7e553731f07ecead1948027f0bee7feb0d610918
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 00E9B79C Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a59cbb6e5a431559a238a38395afa494708287289156152fb962e471ba424fa5
Instruction ID: 7154be4a4558a185ecfa9cc26bb68d6a214cc7eba8cc64a44b9b139119c6995a
Opcode Fuzzy Hash: a59cbb6e5a431559a238a38395afa494708287289156152fb962e471ba424fa5
Instruction Fuzzy Hash: E2D0927A3411548FC3149B69E454899BB79FF9922632456BEE2428B622C6368845CB21

Function 00E9BCE4 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363967752.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e90000_gmerYar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e99815b2c8b8254d9e708b9a4b4fc470c41c86ac13b48e1fa3cd3fb99298c3b
Instruction ID: bb350e65cd783e999c9b78d2080db402b0132289b4d83cbfb083793e5ea02534
Opcode Fuzzy Hash: 7e99815b2c8b8254d9e708b9a4b4fc470c41c86ac13b48e1fa3cd3fb99298c3b
Instruction Fuzzy Hash: 92C02B73615284038E0CB7E079034393229CA83107B8047BE7C0EAE612E713882983C1

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Salary Payment Information Discrepancy_pdf.pif.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Salary Payment Information Discrepancy_pdf.pif.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gmerYar.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5v2xlns2.gtq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_caxzab3i.ws0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eiazdzge.hgl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k00vqra4.yfx.ps1

C:\Users\user\AppData\Local\Temp\tmpC24A.tmp

C:\Users\user\AppData\Local\Temp\tmpD034.tmp

C:\Users\user\AppData\Roaming\gmerYar.exe

C:\Users\user\AppData\Roaming\gmerYar.exe:Zone.Identifier

Static File Info

General

Windows Analysis Report
Salary Payment Information Discrepancy_pdf.pif.exe

Function 072C2D70 Relevance: 2.3, Strings: 1, Instructions: 1029
COMMON

Function 072C5248 Relevance: 1.5, Strings: 1, Instructions: 218
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre