Edit tour

Windows Analysis Report
H9YFiQB7o3.exe

Overview

General Information

Sample name:	H9YFiQB7o3.exe renamed because original name is a hash value
Original sample name:	3eda9fff3dbbc6e74162eec9de159c5c07cdc37f27c84ca20eece700ecf98666.exe
Analysis ID:	1587598
MD5:	254ea708867541a0b41fb64a6896bb2b
SHA1:	d0fb4c2e311c685ac97822f0e49ae77afda72ccc
SHA256:	3eda9fff3dbbc6e74162eec9de159c5c07cdc37f27c84ca20eece700ecf98666
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

H9YFiQB7o3.exe (PID: 6308 cmdline: "C:\Users\user\Desktop\H9YFiQB7o3.exe" MD5: 254EA708867541A0B41FB64A6896BB2B)

powershell.exe (PID: 5660 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H9YFiQB7o3.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7660 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

H9YFiQB7o3.exe (PID: 1072 cmdline: "C:\Users\user\Desktop\H9YFiQB7o3.exe" MD5: 254EA708867541A0B41FB64A6896BB2B)

H9YFiQB7o3.exe (PID: 6016 cmdline: "C:\Users\user\Desktop\H9YFiQB7o3.exe" MD5: 254EA708867541A0B41FB64A6896BB2B)

H9YFiQB7o3.exe (PID: 820 cmdline: "C:\Users\user\Desktop\H9YFiQB7o3.exe" MD5: 254EA708867541A0B41FB64A6896BB2B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.fosna.net", "Username": "sarthiever@fosna.net", "Password": "(=8fPSH$KO_!"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.2496050071.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2496050071.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2499635522.00000000029F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1271894317.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1271894317.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: H9YFiQB7o3.exe PID: 6308	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: H9YFiQB7o3.exe PID: 6308	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: H9YFiQB7o3.exe PID: 6308	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: H9YFiQB7o3.exe PID: 820	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: H9YFiQB7o3.exe PID: 820	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.H9YFiQB7o3.exe.3ed9970.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.H9YFiQB7o3.exe.3ed9970.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.H9YFiQB7o3.exe.3ed9970.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x325c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32637:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x326c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32753:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x327bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3282f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x328c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32955:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.H9YFiQB7o3.exe.3ed9970.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f78d:$s2: GetPrivateProfileString 0x2ee5d:$s3: get_OSFullName 0x304a3:$s5: remove_Key 0x30693:$s5: remove_Key 0x315ac:$s6: FtpWebRequest 0x325a7:$s7: logins 0x32b19:$s7: logins 0x357fc:$s7: logins 0x358dc:$s7: logins 0x37231:$s7: logins 0x36476:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.H9YFiQB7o3.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.H9YFiQB7o3.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.H9YFiQB7o3.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.H9YFiQB7o3.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x343c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34437:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x344c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34553:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x345bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3462f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x346c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34755:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.H9YFiQB7o3.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3158d:$s2: GetPrivateProfileString 0x30c5d:$s3: get_OSFullName 0x322a3:$s5: remove_Key 0x32493:$s5: remove_Key 0x333ac:$s6: FtpWebRequest 0x343a7:$s7: logins 0x34919:$s7: logins 0x375fc:$s7: logins 0x376dc:$s7: logins 0x39031:$s7: logins 0x38276:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.H9YFiQB7o3.exe.3f15390.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.H9YFiQB7o3.exe.3f15390.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.H9YFiQB7o3.exe.3f15390.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x325c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32637:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x326c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32753:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x327bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3282f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x328c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32955:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.H9YFiQB7o3.exe.3f15390.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f78d:$s2: GetPrivateProfileString 0x2ee5d:$s3: get_OSFullName 0x304a3:$s5: remove_Key 0x30693:$s5: remove_Key 0x315ac:$s6: FtpWebRequest 0x325a7:$s7: logins 0x32b19:$s7: logins 0x357fc:$s7: logins 0x358dc:$s7: logins 0x37231:$s7: logins 0x36476:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.H9YFiQB7o3.exe.3f15390.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.H9YFiQB7o3.exe.3f15390.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.H9YFiQB7o3.exe.3f15390.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.H9YFiQB7o3.exe.3f15390.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x343c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6fbe5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34437:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6fc57:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x344c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6fce1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34553:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6fd73:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x345bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6fddd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3462f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6fe4f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x346c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6fee5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34755:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6ff75:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.H9YFiQB7o3.exe.3f15390.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3158d:$s2: GetPrivateProfileString 0x6cdad:$s2: GetPrivateProfileString 0x30c5d:$s3: get_OSFullName 0x6c47d:$s3: get_OSFullName 0x322a3:$s5: remove_Key 0x32493:$s5: remove_Key 0x6dac3:$s5: remove_Key 0x6dcb3:$s5: remove_Key 0x333ac:$s6: FtpWebRequest 0x6ebcc:$s6: FtpWebRequest 0x343a7:$s7: logins 0x34919:$s7: logins 0x375fc:$s7: logins 0x376dc:$s7: logins 0x39031:$s7: logins 0x6fbc7:$s7: logins 0x70139:$s7: logins 0x72e1c:$s7: logins 0x72efc:$s7: logins 0x74851:$s7: logins 0x38276:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.H9YFiQB7o3.exe.3ed9970.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.H9YFiQB7o3.exe.3ed9970.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.H9YFiQB7o3.exe.3ed9970.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.H9YFiQB7o3.exe.3ed9970.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x343c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6fde5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xab605:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34437:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6fe57:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xab677:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x344c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6fee1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xab701:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34553:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6ff73:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xab793:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x345bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ffdd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xab7fd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3462f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x7004f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xab86f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x346c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x700e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xab905:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.H9YFiQB7o3.exe.3ed9970.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3158d:$s2: GetPrivateProfileString 0x6cfad:$s2: GetPrivateProfileString 0xa87cd:$s2: GetPrivateProfileString 0x30c5d:$s3: get_OSFullName 0x6c67d:$s3: get_OSFullName 0xa7e9d:$s3: get_OSFullName 0x322a3:$s5: remove_Key 0x32493:$s5: remove_Key 0x6dcc3:$s5: remove_Key 0x6deb3:$s5: remove_Key 0xa94e3:$s5: remove_Key 0xa96d3:$s5: remove_Key 0x333ac:$s6: FtpWebRequest 0x6edcc:$s6: FtpWebRequest 0xaa5ec:$s6: FtpWebRequest 0x343a7:$s7: logins 0x34919:$s7: logins 0x375fc:$s7: logins 0x376dc:$s7: logins 0x39031:$s7: logins 0x6fdc7:$s7: logins
Click to see the 18 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H9YFiQB7o3.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H9YFiQB7o3.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\H9YFiQB7o3.exe", ParentImage: C:\Users\user\Desktop\H9YFiQB7o3.exe, ParentProcessId: 6308, ParentProcessName: H9YFiQB7o3.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H9YFiQB7o3.exe", ProcessId: 5660, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H9YFiQB7o3.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H9YFiQB7o3.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\H9YFiQB7o3.exe", ParentImage: C:\Users\user\Desktop\H9YFiQB7o3.exe, ParentProcessId: 6308, ParentProcessName: H9YFiQB7o3.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H9YFiQB7o3.exe", ProcessId: 5660, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: H9YFiQB7o3.exe

Avira: detected

Found malware configuration

Source: 0.2.H9YFiQB7o3.exe.3f15390.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.fosna.net", "Username": "sarthiever@fosna.net", "Password": "(=8fPSH$KO_!"}

Multi AV Scanner detection for submitted file

Source: H9YFiQB7o3.exe	Virustotal: Detection: 79%			Perma Link
Source: H9YFiQB7o3.exe	ReversingLabs: Detection: 86%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: H9YFiQB7o3.exe

Joe Sandbox ML: detected

Source: H9YFiQB7o3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: H9YFiQB7o3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 7.2.H9YFiQB7o3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H9YFiQB7o3.exe.3f15390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H9YFiQB7o3.exe.3ed9970.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: H9YFiQB7o3.exe, 00000007.00000002.2499635522.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, H9YFiQB7o3.exe, 00000007.00000002.2499635522.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp, H9YFiQB7o3.exe, 00000007.00000002.2499635522.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: H9YFiQB7o3.exe, 00000000.00000002.1271894317.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, H9YFiQB7o3.exe, 00000007.00000002.2497672411.0000000000B85000.00000004.00000020.00020000.00000000.sdmp, H9YFiQB7o3.exe, 00000007.00000002.2499635522.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, H9YFiQB7o3.exe, 00000007.00000002.2496050071.0000000000402000.00000040.00000400.00020000.00000000.sdmp, H9YFiQB7o3.exe, 00000007.00000002.2499635522.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: H9YFiQB7o3.exe, 00000007.00000002.2497672411.0000000000B85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting=
Source: H9YFiQB7o3.exe, 00000000.00000002.1271158882.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp, H9YFiQB7o3.exe, 00000007.00000002.2499635522.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, H9YFiQB7o3.exe, 00000007.00000002.2499635522.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: H9YFiQB7o3.exe, 00000000.00000002.1271894317.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, H9YFiQB7o3.exe, 00000007.00000002.2496050071.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.H9YFiQB7o3.exe.3ed9970.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.H9YFiQB7o3.exe.3ed9970.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.H9YFiQB7o3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.H9YFiQB7o3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.H9YFiQB7o3.exe.3f15390.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.H9YFiQB7o3.exe.3f15390.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.H9YFiQB7o3.exe.3f15390.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.H9YFiQB7o3.exe.3f15390.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.H9YFiQB7o3.exe.3ed9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.H9YFiQB7o3.exe.3ed9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 0_2_0139D304	0_2_0139D304
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 0_2_05AB55E0	0_2_05AB55E0
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 0_2_05AB63B9	0_2_05AB63B9
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 0_2_05AB63C8	0_2_05AB63C8
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 0_2_05ABB240	0_2_05ABB240
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 0_2_05AB2F88	0_2_05AB2F88
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 0_2_05AB5F80	0_2_05AB5F80
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 0_2_05AB5F90	0_2_05AB5F90
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 0_2_05AB3EE8	0_2_05AB3EE8
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 0_2_05AB3AB0	0_2_05AB3AB0
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 0_2_05AB3A7F	0_2_05AB3A7F
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 7_2_00E3D890	7_2_00E3D890
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 7_2_00E34A88	7_2_00E34A88
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 7_2_00E33E70	7_2_00E33E70
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 7_2_00E341B8	7_2_00E341B8
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 7_2_00E3D284	7_2_00E3D284
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 7_2_064B2300	7_2_064B2300
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 7_2_064B1150	7_2_064B1150
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 7_2_064B3AB0	7_2_064B3AB0
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Code function: 7_2_064B33C8	7_2_064B33C8

Source: H9YFiQB7o3.exe, 00000000.00000002.1271158882.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename88e10d5e-7fd5-494e-a8ee-82170ba0d629.exe4 vs H9YFiQB7o3.exe
Source: H9YFiQB7o3.exe, 00000000.00000002.1268671235.000000000119E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs H9YFiQB7o3.exe
Source: H9YFiQB7o3.exe, 00000000.00000002.1277427257.0000000007430000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs H9YFiQB7o3.exe
Source: H9YFiQB7o3.exe, 00000000.00000002.1271894317.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename88e10d5e-7fd5-494e-a8ee-82170ba0d629.exe4 vs H9YFiQB7o3.exe
Source: H9YFiQB7o3.exe, 00000000.00000002.1271894317.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs H9YFiQB7o3.exe
Source: H9YFiQB7o3.exe, 00000000.00000000.1250586702.0000000000AD2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameJRoe.exe@ vs H9YFiQB7o3.exe
Source: H9YFiQB7o3.exe, 00000007.00000002.2496392107.00000000007F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs H9YFiQB7o3.exe
Source: H9YFiQB7o3.exe, 00000007.00000002.2496050071.000000000043E000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename88e10d5e-7fd5-494e-a8ee-82170ba0d629.exe4 vs H9YFiQB7o3.exe
Source: H9YFiQB7o3.exe	Binary or memory string: OriginalFilenameJRoe.exe@ vs H9YFiQB7o3.exe

Source: H9YFiQB7o3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.H9YFiQB7o3.exe.3ed9970.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.H9YFiQB7o3.exe.3ed9970.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.H9YFiQB7o3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.H9YFiQB7o3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.H9YFiQB7o3.exe.3f15390.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.H9YFiQB7o3.exe.3f15390.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.H9YFiQB7o3.exe.3f15390.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.H9YFiQB7o3.exe.3f15390.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.H9YFiQB7o3.exe.3ed9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.H9YFiQB7o3.exe.3ed9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: H9YFiQB7o3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/6@1/1

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\H9YFiQB7o3.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1008:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uh0xaq55.xan.ps1

Jump to behavior

Source: H9YFiQB7o3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: H9YFiQB7o3.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: H9YFiQB7o3.exe, 00000007.00000002.2499635522.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, H9YFiQB7o3.exe, 00000007.00000002.2499635522.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: H9YFiQB7o3.exe	Virustotal: Detection: 79%
Source: H9YFiQB7o3.exe	ReversingLabs: Detection: 86%

Source: unknown	Process created: C:\Users\user\Desktop\H9YFiQB7o3.exe "C:\Users\user\Desktop\H9YFiQB7o3.exe"
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H9YFiQB7o3.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process created: C:\Users\user\Desktop\H9YFiQB7o3.exe "C:\Users\user\Desktop\H9YFiQB7o3.exe"
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process created: C:\Users\user\Desktop\H9YFiQB7o3.exe "C:\Users\user\Desktop\H9YFiQB7o3.exe"
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process created: C:\Users\user\Desktop\H9YFiQB7o3.exe "C:\Users\user\Desktop\H9YFiQB7o3.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H9YFiQB7o3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process created: C:\Users\user\Desktop\H9YFiQB7o3.exe "C:\Users\user\Desktop\H9YFiQB7o3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process created: C:\Users\user\Desktop\H9YFiQB7o3.exe "C:\Users\user\Desktop\H9YFiQB7o3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process created: C:\Users\user\Desktop\H9YFiQB7o3.exe "C:\Users\user\Desktop\H9YFiQB7o3.exe"	Jump to behavior

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: H9YFiQB7o3.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: H9YFiQB7o3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

Code function: 0_2_0139F498 pushad ; iretd

0_2_0139F499

Source: H9YFiQB7o3.exe

Static PE information: section name: .text entropy: 7.9043059772658495

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: H9YFiQB7o3.exe PID: 6308, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: H9YFiQB7o3.exe, 00000000.00000002.1271894317.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, H9YFiQB7o3.exe, 00000007.00000002.2499635522.00000000029F5000.00000004.00000800.00020000.00000000.sdmp, H9YFiQB7o3.exe, 00000007.00000002.2499635522.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp, H9YFiQB7o3.exe, 00000007.00000002.2496050071.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Memory allocated: 1140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Memory allocated: 8AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Memory allocated: 9AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Memory allocated: 9CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Memory allocated: ACC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Memory allocated: E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Memory allocated: 29C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Memory allocated: 2830000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7103			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2431			Jump to behavior

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe TID: 1548	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7372	Thread sleep time: -6456360425798339s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: H9YFiQB7o3.exe, 00000007.00000002.2499635522.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: H9YFiQB7o3.exe, 00000007.00000002.2496050071.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: H9YFiQB7o3.exe, 00000007.00000002.2496050071.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: H9YFiQB7o3.exe, 00000007.00000002.2497672411.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

Code function: 7_2_00E37070 CheckRemoteDebuggerPresent,

7_2_00E37070

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H9YFiQB7o3.exe"
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H9YFiQB7o3.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

Memory written: C:\Users\user\Desktop\H9YFiQB7o3.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H9YFiQB7o3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process created: C:\Users\user\Desktop\H9YFiQB7o3.exe "C:\Users\user\Desktop\H9YFiQB7o3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process created: C:\Users\user\Desktop\H9YFiQB7o3.exe "C:\Users\user\Desktop\H9YFiQB7o3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Process created: C:\Users\user\Desktop\H9YFiQB7o3.exe "C:\Users\user\Desktop\H9YFiQB7o3.exe"	Jump to behavior

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Queries volume information: C:\Users\user\Desktop\H9YFiQB7o3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Queries volume information: C:\Users\user\Desktop\H9YFiQB7o3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.H9YFiQB7o3.exe.3ed9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.H9YFiQB7o3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H9YFiQB7o3.exe.3f15390.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H9YFiQB7o3.exe.3f15390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H9YFiQB7o3.exe.3ed9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2496050071.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1271894317.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: H9YFiQB7o3.exe PID: 6308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: H9YFiQB7o3.exe PID: 820, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\H9YFiQB7o3.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.H9YFiQB7o3.exe.3ed9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.H9YFiQB7o3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H9YFiQB7o3.exe.3f15390.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H9YFiQB7o3.exe.3f15390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H9YFiQB7o3.exe.3ed9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2496050071.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2499635522.00000000029F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1271894317.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: H9YFiQB7o3.exe PID: 6308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: H9YFiQB7o3.exe PID: 820, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.H9YFiQB7o3.exe.3ed9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.H9YFiQB7o3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H9YFiQB7o3.exe.3f15390.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H9YFiQB7o3.exe.3f15390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H9YFiQB7o3.exe.3ed9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2496050071.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1271894317.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: H9YFiQB7o3.exe PID: 6308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: H9YFiQB7o3.exe PID: 820, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	531 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	261 Virtualization/Sandbox Evasion	Security Account Manager	261 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
H9YFiQB7o3.exe	79%	Virustotal		Browse
H9YFiQB7o3.exe	86%	ReversingLabs	Win32.Spyware.Negasteal
H9YFiQB7o3.exe	100%	Avira	TR/AD.GenSteal.pvpbb
H9YFiQB7o3.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://account.dyn.com/	H9YFiQB7o3.exe, 00000000.00000002.1271894317.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, H9YFiQB7o3.exe, 00000007.00000002.2496050071.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	H9YFiQB7o3.exe, 00000000.00000002.1271158882.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp, H9YFiQB7o3.exe, 00000007.00000002.2499635522.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, H9YFiQB7o3.exe, 00000007.00000002.2499635522.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com/line/?fields=hosting=	H9YFiQB7o3.exe, 00000007.00000002.2497672411.0000000000B85000.00000004.00000020.00020000.00000000.sdmp	false	high
http://ip-api.com	H9YFiQB7o3.exe, 00000007.00000002.2499635522.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, H9YFiQB7o3.exe, 00000007.00000002.2499635522.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp, H9YFiQB7o3.exe, 00000007.00000002.2499635522.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587598
Start date and time:	2025-01-10 15:23:01 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	H9YFiQB7o3.exe renamed because original name is a hash value
Original Sample Name:	3eda9fff3dbbc6e74162eec9de159c5c07cdc37f27c84ca20eece700ecf98666.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@11/6@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 31 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:23:56	API Interceptor	1x Sleep call for process: H9YFiQB7o3.exe modified
09:23:58	API Interceptor	16x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	lFlw40OH6u.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Pago devuelto #.Documentos#9787565789678675645767856843.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	driver.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	XClient.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	Comprobante.de.pago.pdf.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	p.exe	Get hash	malicious	Unknown	Browse	ip-api.com/csv/?fields=query
	rNuevaorden_pdf.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	I334hDwRjj.exe	Get hash	malicious	Blank Grabber, Njrat	Browse	ip-api.com/json/?fields=225545
	startup_str_466.bat	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	7dtpow.ps1	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	lFlw40OH6u.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Pago devuelto #.Documentos#9787565789678675645767856843.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	driver.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	XClient.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Comprobante.de.pago.pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	p.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	rNuevaorden_pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	I334hDwRjj.exe	Get hash	malicious	Blank Grabber, Njrat	Browse	208.95.112.1
	startup_str_466.bat	Get hash	malicious	XWorm	Browse	208.95.112.1
	7dtpow.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	lFlw40OH6u.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Pago devuelto #.Documentos#9787565789678675645767856843.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	driver.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	XClient.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Comprobante.de.pago.pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	p.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	rNuevaorden_pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	I334hDwRjj.exe	Get hash	malicious	Blank Grabber, Njrat	Browse	208.95.112.1
	startup_str_466.bat	Get hash	malicious	XWorm	Browse	208.95.112.1
	7dtpow.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\H9YFiQB7o3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380285623575084
Encrypted:	false
SSDEEP:	48:+WSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMuge//YM0Uyus:+LHxvCZfIfSKRHmOug81s
MD5:	CAA9F51B6B2EF6B91691AB0F9D7E1CBB
SHA1:	910495587AF5EEAC020254B9222ADB3E540CD780
SHA-256:	4B0E953BB1137D570E6B6AEC7C3ABDE92C592104CC406F977549D1C89A18D068
SHA-512:	EE18ED7F122CF485D67405666D62004F9F83F68606EDDE2D67F6766AAB94C387B3D9E9A2919D85E72F8740DDF955B3009F678D652A6F3EAD1398897CEB7118EB
Malicious:	false
Reputation:	low
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_abxmhbbd.s41.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bjw53ttx.nwb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gvxohm1h.2lo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uh0xaq55.xan.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.896318613313735
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	H9YFiQB7o3.exe
File size:	722'432 bytes
MD5:	254ea708867541a0b41fb64a6896bb2b
SHA1:	d0fb4c2e311c685ac97822f0e49ae77afda72ccc
SHA256:	3eda9fff3dbbc6e74162eec9de159c5c07cdc37f27c84ca20eece700ecf98666
SHA512:	2412318afb2415b97336aa1e64045e63993e79aadea29d6d0b25049f896114782818a7170afafafb8b1687cd9b0f8182f9bf3cd64c6d7cd8ca008da94ef53662
SSDEEP:	12288:oyH5mU+8fo3iraJEW6I/4xE+6R+sSSC4D0s9JT7Y9kas9Mof:1HxzakasgEsShm9u9U
TLSH:	15E4120432FC0B32DABB4BFD55B5411547B3B92A6532EA0E2FED60CE1B67B409920767
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>1.g..............0.............B.... ... ....@.. .......................`............@................................

File Icon


Icon Hash:	71f06930924d0f0f

Static PE Info

General

Entrypoint:	0x4b0d42
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6704313E [Mon Oct 7 19:06:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb0cf0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x1340	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaed48	0xaee00	00a5ffd7b21414d830cd7b94dfb730ba	False	0.9291877010364546	data	7.9043059772658495	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x1340	0x1400	bec998d313c2f8e3fc4675d9fe2fba1c	False	0.7451171875	data	6.915025369519242	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb4000	0xc	0x200	dc8add2ca5cc82c5f0ea2deceac68051	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb20c8	0xf1a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8706673564407656
RT_GROUP_ICON	0xb2ff4	0x14	data	1.05
RT_VERSION	0xb3018	0x324	data	0.4291044776119403

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:23:59.399918079 CET	49702	80	192.168.2.7	208.95.112.1
Jan 10, 2025 15:23:59.404834986 CET	80	49702	208.95.112.1	192.168.2.7
Jan 10, 2025 15:23:59.404942036 CET	49702	80	192.168.2.7	208.95.112.1
Jan 10, 2025 15:23:59.406059980 CET	49702	80	192.168.2.7	208.95.112.1
Jan 10, 2025 15:23:59.411034107 CET	80	49702	208.95.112.1	192.168.2.7
Jan 10, 2025 15:23:59.860126019 CET	80	49702	208.95.112.1	192.168.2.7
Jan 10, 2025 15:23:59.911194086 CET	49702	80	192.168.2.7	208.95.112.1
Jan 10, 2025 15:25:01.202681065 CET	80	49702	208.95.112.1	192.168.2.7
Jan 10, 2025 15:25:01.202790022 CET	49702	80	192.168.2.7	208.95.112.1
Jan 10, 2025 15:25:39.873939991 CET	49702	80	192.168.2.7	208.95.112.1
Jan 10, 2025 15:25:39.878851891 CET	80	49702	208.95.112.1	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:23:59.377098083 CET	60220	53	192.168.2.7	1.1.1.1
Jan 10, 2025 15:23:59.383836985 CET	53	60220	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 15:23:59.377098083 CET	192.168.2.7	1.1.1.1	0xaf33	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 15:23:59.383836985 CET	1.1.1.1	192.168.2.7	0xaf33	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49702	208.95.112.1	80	820	C:\Users\user\Desktop\H9YFiQB7o3.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:23:59.406059980 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 10, 2025 15:23:59.860126019 CET	175	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:23:59 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 59 X-Rl: 43 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	09:23:56
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\H9YFiQB7o3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\H9YFiQB7o3.exe"
Imagebase:	0xa20000
File size:	722'432 bytes
MD5 hash:	254EA708867541A0B41FB64A6896BB2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1271894317.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1271894317.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:23:57
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H9YFiQB7o3.exe"
Imagebase:	0xc0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:23:57
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:23:57
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\H9YFiQB7o3.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\H9YFiQB7o3.exe"
Imagebase:	0x360000
File size:	722'432 bytes
MD5 hash:	254EA708867541A0B41FB64A6896BB2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:23:57
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\H9YFiQB7o3.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\H9YFiQB7o3.exe"
Imagebase:	0x3b0000
File size:	722'432 bytes
MD5 hash:	254EA708867541A0B41FB64A6896BB2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:23:57
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\H9YFiQB7o3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\H9YFiQB7o3.exe"
Imagebase:	0x5b0000
File size:	722'432 bytes
MD5 hash:	254EA708867541A0B41FB64A6896BB2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2496050071.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2496050071.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2499635522.00000000029F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	09:23:59
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	181
Total number of Limit Nodes:	16

Executed Functions

Function 0139D3D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0139D456
GetCurrentThread.KERNEL32 ref: 0139D493
GetCurrentProcess.KERNEL32 ref: 0139D4D0
GetCurrentThreadId.KERNEL32 ref: 0139D529

Memory Dump Source

Source File: 00000000.00000002.1269057511.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1390000_H9YFiQB7o3.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f776ca368ab2ff7720c9ac8ee66d3c03dcb064bafe10ce474a38c3c5ceee5ad7
Instruction ID: 7a68dfbea6ffbc64e7812be9893307a4485614f80e2814cae8b14e8ea36ede82
Opcode Fuzzy Hash: f776ca368ab2ff7720c9ac8ee66d3c03dcb064bafe10ce474a38c3c5ceee5ad7
Instruction Fuzzy Hash: C05156B0D003098FEB14DFAAD949BEEBBF1AB48314F208459E459A73A0DB346945CF65

Function 05AB6B3C Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 05AB6D7E

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9dcc7ac534212e370dc9ad396a43a3de7d12dc194eefdc790f5590522065e4db
Instruction ID: 5be1fc550a3108d75117fe53ae9d4bb74ce94eb8a8c79ec798c1db4e0e56315b
Opcode Fuzzy Hash: 9dcc7ac534212e370dc9ad396a43a3de7d12dc194eefdc790f5590522065e4db
Instruction Fuzzy Hash: 09917B71D00219CFEB24CFA9C841BEDBBB6FF49310F1481A9D819A7240DBB59985CF91

Function 05AB6B48 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 05AB6D7E

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 30458f1f72f233937de766db5bbbd8396425b5911bc265c2146d8f687f99d05e
Instruction ID: f54c32840254b369e9c08d26bde2502bb47ef0c7c0d45e4e2923d0d0d833c966
Opcode Fuzzy Hash: 30458f1f72f233937de766db5bbbd8396425b5911bc265c2146d8f687f99d05e
Instruction Fuzzy Hash: B4916A71D00219DFEB24CFA9C841BEDBBB6FF49310F1481A9E819A7240DBB59985CF91

Function 0139AD48 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0139AF9E

Memory Dump Source

Source File: 00000000.00000002.1269057511.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1390000_H9YFiQB7o3.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8e3626b99599caec58babec1d6e9590a8164009e4595ca66c60d7e603d516f40
Instruction ID: 8c4417e9a5ab05073cb8e0793e23a8641e6f5d843476f4a4c310ea728e43f11c
Opcode Fuzzy Hash: 8e3626b99599caec58babec1d6e9590a8164009e4595ca66c60d7e603d516f40
Instruction Fuzzy Hash: 2E812670A00B058FEB24DF6AD45579ABBF1FF88208F008A2DD58AD7B50D775E849CB91

Function 0139590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013959C9

Memory Dump Source

Source File: 00000000.00000002.1269057511.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1390000_H9YFiQB7o3.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9efd76769e69692c300707a91004db657c711d11997f6f86b74fc5f4cbc44310
Instruction ID: a6273573a733d75c90c8a06b621c4fd93b17d8edaa30ffe3a6fe9870ba50fa6b
Opcode Fuzzy Hash: 9efd76769e69692c300707a91004db657c711d11997f6f86b74fc5f4cbc44310
Instruction Fuzzy Hash: 32410471C0072DCBEB25DFAAC88478DBBB5BF49314F20815AD419AB290DB75594ACF50

Function 013944E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013959C9

Memory Dump Source

Source File: 00000000.00000002.1269057511.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1390000_H9YFiQB7o3.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 123ef228ae461d4a9df0615695701d97d5a4a481827612e8569ce6b27373c66b
Instruction ID: e7158d0802a9e68fb59da5831110af93dcb9446327c768a7f9c5dcf7aca84b2e
Opcode Fuzzy Hash: 123ef228ae461d4a9df0615695701d97d5a4a481827612e8569ce6b27373c66b
Instruction Fuzzy Hash: 2D41D471C0072DCBEB25DFAAC84478EBBF5BF49314F20815AD409AB251DB755946CF90

Function 0139D6E1 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0139D6A7

Memory Dump Source

Source File: 00000000.00000002.1269057511.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1390000_H9YFiQB7o3.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cf326df31454e3cdce6c175668875a67a36b6370e582452956066170a6f00072
Instruction ID: 83afffd8561685f0fab11f99ec52b69794f8320e3a07e69e2cf1ea3dd944fa69
Opcode Fuzzy Hash: cf326df31454e3cdce6c175668875a67a36b6370e582452956066170a6f00072
Instruction Fuzzy Hash: 2E31A574A803419FE304EF62F4457693BB6F784310F508539EA158B7D8DBB868A5CF21

Function 05AB68B8 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05AB6950

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0d9716c0778c8a141c8010f95ab6a424aa203738b7ef056bc8cdbdaed0aa8c2c
Instruction ID: 55d6f01378546285e4c86652bdc193bb93771dd5fb6b3468cba6b19c0428e710
Opcode Fuzzy Hash: 0d9716c0778c8a141c8010f95ab6a424aa203738b7ef056bc8cdbdaed0aa8c2c
Instruction Fuzzy Hash: 872144B5D00309DFDB10CFA9C981BEEBBF5BF48310F14842AE969A7240C7789944CBA0

Function 05AB68C0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05AB6950

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: cd4601d11c453a507473a6bdffec748ea3a0d14381ff0f4f9e4c8517d76a5e39
Instruction ID: 0262b7af1050b6ecd06ceee6dd6ccdcba7a77bd02939721612f541551b166ec1
Opcode Fuzzy Hash: cd4601d11c453a507473a6bdffec748ea3a0d14381ff0f4f9e4c8517d76a5e39
Instruction Fuzzy Hash: 3F212371D003499FDB10DFAAC885BEEBBF5FF48310F50842AE969A7241C7789944CBA4

Function 05AB69A9 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 05AB6A30

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0ff24e36cba38c41fb2b98228d323138b9d22febbb12ce6554e1ab1ee6a160b1
Instruction ID: 4678a61722fa579ccc0cf05734f7a6a1a268b2a65c8ca744d126b90dd86e0dc1
Opcode Fuzzy Hash: 0ff24e36cba38c41fb2b98228d323138b9d22febbb12ce6554e1ab1ee6a160b1
Instruction Fuzzy Hash: F12116B5C003199FDB10DFA9C981BEEBBF5BF48310F54842AE959A7240C7789905DBA0

Function 05AB69B0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 05AB6A30

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7c581cf31bfd5a699316db784d399a12e4a134a9535d86d2f362938835d9ba5c
Instruction ID: 45ba80ee7f62cccd5a513e426b64e6d4941e90884fe2266fb8d86fe4bcc5ba7a
Opcode Fuzzy Hash: 7c581cf31bfd5a699316db784d399a12e4a134a9535d86d2f362938835d9ba5c
Instruction Fuzzy Hash: 012116B1C003499FDB10DFAAC881BDEBBF5FF48310F508429E919A7240C7799905CBA4

Function 0139D620 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0139D6A7

Memory Dump Source

Source File: 00000000.00000002.1269057511.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1390000_H9YFiQB7o3.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f09feb7d095fe340fe960d3797a9a7d1f299a481ee32d7b6d1daf9049b0565fe
Instruction ID: 4ad1315488bda14fe0637ac8fb383a2a4e9cd94ac0e0943f28969f9ac831278f
Opcode Fuzzy Hash: f09feb7d095fe340fe960d3797a9a7d1f299a481ee32d7b6d1daf9049b0565fe
Instruction Fuzzy Hash: 2921E4B5D00209DFDB10CF9AD985ADEBBF4EB48320F14841AE918A3350C378A944CFA4

Function 05AB67F8 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 05AB686E

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 466535eb34b71b9183ab87c1759337d33bf948c71e1c8f0a237c86c6e92ad6c2
Instruction ID: 6bcd33b4713e040f79899de5aaa73610c56ff2fd067735d011709d9db649cc00
Opcode Fuzzy Hash: 466535eb34b71b9183ab87c1759337d33bf948c71e1c8f0a237c86c6e92ad6c2
Instruction Fuzzy Hash: DA112676D003098FDB24DFA9C945BEEBBF5AF48320F14881AE929A7250C7759945CFA0

Function 05AB6800 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 05AB686E

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 15ca15dd09a6e16d9b6da6d20a1425c4f7cdc3b0b2361d4b8d96b767e0f0e7ec
Instruction ID: cb099bacd32d122d80d6675f72cda9cbb1e6578945b43f2c416d14ba5c7fe7e8
Opcode Fuzzy Hash: 15ca15dd09a6e16d9b6da6d20a1425c4f7cdc3b0b2361d4b8d96b767e0f0e7ec
Instruction Fuzzy Hash: CD112672D003499FDB24DFAAC845BDEBFF5EB48320F148419E529A7250CB759944CFA0

Function 05AB4BBC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05AB942D

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e506270dd02bca34928a0b46547648197c0c42fda5d58406cc845334251002e0
Instruction ID: fa65f29cda5d28a9ee9799c3078a0d45bf66f61a42508883dd10226634fe7979
Opcode Fuzzy Hash: e506270dd02bca34928a0b46547648197c0c42fda5d58406cc845334251002e0
Instruction Fuzzy Hash: F011E0B58003499FDB20DF9AD945BDEBBF8EB48320F108459E619A7241C3B5A944CFA5

Function 0139AF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0139AF9E

Memory Dump Source

Source File: 00000000.00000002.1269057511.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1390000_H9YFiQB7o3.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f2e81e249a17c6a5901faf7493a2f5aee76c8e5835908480ec03a55837492777
Instruction ID: c8c50fdc3dfc0a70d32aebe006d9a7c724ec8cea0dcf105357bae784c244c3bf
Opcode Fuzzy Hash: f2e81e249a17c6a5901faf7493a2f5aee76c8e5835908480ec03a55837492777
Instruction Fuzzy Hash: 1B1113B6C003498FDB10CF9AC844BDEFBF4EB88314F10851AD429A7250C379A549CFA1

Function 05AB93C8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05AB942D

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 81652d358d646eb1c36756005b6b9d882d36ff8eaa2e54c361f9f390003f9402
Instruction ID: f08fb489e95ea575922f9e2ded4709666e21265b491de1a4db350305355fda4f
Opcode Fuzzy Hash: 81652d358d646eb1c36756005b6b9d882d36ff8eaa2e54c361f9f390003f9402
Instruction Fuzzy Hash: 3011F2B5800249CFDB10DF99D545BDEBBF8EB08320F20845AD569A7211C375AA44CFA1

Function 010AD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268089540.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ad000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7822212e3e1bf33d0da9b9d78e11728d8933556ca69c865f7e572613b12d40a
Instruction ID: ffd1edd00bbc99fc5721dcff8bb1c59d9c81fc8d79a47d7fbd148b71900e2dc9
Opcode Fuzzy Hash: a7822212e3e1bf33d0da9b9d78e11728d8933556ca69c865f7e572613b12d40a
Instruction Fuzzy Hash: 03214871504200DFDB15DFA4D9C0B2ABFA1FB88318F60C5A9E8850F656C336D446CBA2

Function 010BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268222010.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10bd000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a243ee57b3d82f7a1a0bc720402a19f90cd935a46374a96c47be9cc2b78b6b
Instruction ID: b2cd2254df9ad1a758c3ca8b072c03c70061d06639af11a8362719485a2fe977
Opcode Fuzzy Hash: d9a243ee57b3d82f7a1a0bc720402a19f90cd935a46374a96c47be9cc2b78b6b
Instruction Fuzzy Hash: 08210375614300DFDB15DF54D9C4B56FBA1EB84318F20C5ADE8890B246C336D407CB61

Function 010BD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268222010.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10bd000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0dec01dbef2dd78225ea2bffcc064a13e169de3bd2eab73d3a02e9d498e8cc
Instruction ID: 4e19232b9130be172cc01729d209c8535a2f93b0cc99a45effa63eb9dde5d36c
Opcode Fuzzy Hash: 5c0dec01dbef2dd78225ea2bffcc064a13e169de3bd2eab73d3a02e9d498e8cc
Instruction Fuzzy Hash: 1421F575A04240EFDB15DF94D9C0B55FBA5FB94328F20C5ADD8894B252C336D846CB61

Function 010BD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268222010.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10bd000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54de2308fa4d3231fa34fe90a21b1704fe48c9fdd284fddab12d35ffa3d9594
Instruction ID: abf4ea8b98085f3a23aacdc4af0dc9050fea9b1c9877d44230638ad8b6480ac5
Opcode Fuzzy Hash: c54de2308fa4d3231fa34fe90a21b1704fe48c9fdd284fddab12d35ffa3d9594
Instruction Fuzzy Hash: A32153755083809FCB16CF54D9D4711BFB1EB46314F28C5DAD8898F2A7C33A9856CB62

Function 010AD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268089540.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ad000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: a72f1f308ee467d07c6c281792574fc020c53545bd54bb67b8aa652a67e1603f
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 2E11B176504280CFCB16CF54D5C4B16BFB2FB84324F24C6A9D8890B657C336D456CBA1

Function 010BD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268222010.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10bd000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: ccac7ac6c407e99890f74d78f1ab6be334920f59b44ba4079b4f371432c424d8
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: FA11BB75504280DFCB06CF54C5C0B55FFA2FB84328F24C6ADD8894B296C33AD80ACB61

Function 010AD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268089540.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ad000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3a21077d77df2152f34e26691c7e69e5f0ee738e86a0c18b23ca917dfaca10
Instruction ID: da3c01ded74b9f9bf15dfcf0bd68d07ede5d55bef413cab049e0fb214c0105a3
Opcode Fuzzy Hash: 3a3a21077d77df2152f34e26691c7e69e5f0ee738e86a0c18b23ca917dfaca10
Instruction Fuzzy Hash: 3401F7311043809EE7644AD5CC84B6EBFD8EF41221F58C45AED490A682D2389844CBB1

Function 010AD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268089540.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ad000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164660198552a35e279d9557e0ad6f9d06fd22f654de8a1afc2dda9836a65d77
Instruction ID: 4ef179e2f5c89c93d83755b3fc53cecbd9478c56d7f412930be573124e1300cf
Opcode Fuzzy Hash: 164660198552a35e279d9557e0ad6f9d06fd22f654de8a1afc2dda9836a65d77
Instruction Fuzzy Hash: B8F0C2310043809EE7648A4ACC84B66FFE8EF40734F18C49AED480A286C279A844CBB1

Non-executed Functions

Function 05ABB240 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154772d23abdc79e432d5b0992eff4012de35e945a248da98a15fab3f9740b52
Instruction ID: 4ff2c687f967b68d3e204300d63dbf7cc817c5e1b7d8aba8bfe8dc6c9322f74f
Opcode Fuzzy Hash: 154772d23abdc79e432d5b0992eff4012de35e945a248da98a15fab3f9740b52
Instruction Fuzzy Hash: F9D1BD717006088FEB25DB7AC550BAE77FAAF89700F144569D156CB292CFB4D902CBA1

Function 05AB55E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa33a2309e5fd627a2e5c9f370b0dc244893b4fd4c84646608c6656bdbda357
Instruction ID: 8eea767867d458681cc8b7043847d9a22f0fbd393b9fd3d3266df9ad992a6092
Opcode Fuzzy Hash: 7aa33a2309e5fd627a2e5c9f370b0dc244893b4fd4c84646608c6656bdbda357
Instruction Fuzzy Hash: C1E11B74E042598FDB14DF99C580AAEFBF6BF49304F248169D815A735AD730AD42CFA0

Function 05AB5F90 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 994e015d1b77c711ab3dc05f2a7588cadfb5c325f14498ede76d247031d201ca
Instruction ID: 3ebf675708bbe2c6a149d57e6c3a92d88a9b8f854c1b7528b758c5b57ddf11d8
Opcode Fuzzy Hash: 994e015d1b77c711ab3dc05f2a7588cadfb5c325f14498ede76d247031d201ca
Instruction Fuzzy Hash: 80E11B74E042598FDB14DFA9C580AAEFBF6BF89304F248169D815A7356C730AD42CFA0

Function 05AB3EE8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d9cbc33d80a89188bde581ed7654a22f26f43d09d24fcfea90cc2676191d882
Instruction ID: b027215aa0db86dd496e060b0e308bfa738a4c111e0beb53c63d91eefd9e6588
Opcode Fuzzy Hash: 1d9cbc33d80a89188bde581ed7654a22f26f43d09d24fcfea90cc2676191d882
Instruction Fuzzy Hash: BCE10B74E042298FDB14DFA9D580AAEFBF6BF89300F248159D415AB35AD7709D42CFA0

Function 05AB63C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52914d0dfec1ef9a401c8ab8d9e4fe39d9c2f269cd7035ed7c4748af112c2d29
Instruction ID: 7f6d033c9f1f1aba55a913d7941a5b3ec0e13f5cbc1f061afc4ec6918d2a305c
Opcode Fuzzy Hash: 52914d0dfec1ef9a401c8ab8d9e4fe39d9c2f269cd7035ed7c4748af112c2d29
Instruction Fuzzy Hash: 57E11B74E042198FDB14DFA9C580AAEFBF6BF49304F248169D815A735AD770AD41CFA0

Function 05AB3AB0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c19f5e1407cebd73c6c8ea0554fc1eb66cb06baf0e15edf7b95a18940b5d79
Instruction ID: 7b7bf828dc57928ba56dabe084221c49b798259e0527c8a2322a103a429ee8e5
Opcode Fuzzy Hash: 44c19f5e1407cebd73c6c8ea0554fc1eb66cb06baf0e15edf7b95a18940b5d79
Instruction Fuzzy Hash: A9E12B74E002598FDB14DF99C580AAEFBF6BF49300F24856AD415A735AC771AD42CFA0

Function 0139D304 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269057511.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1390000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b81a0f22b2922e66c5041519e89f030c3a9f7d164c0c11c00f44b6d29edaa84
Instruction ID: 966e783f4b4527ab66dcb2a4a36604fcbc103dceddf5bca7367fdbafd379627d
Opcode Fuzzy Hash: 0b81a0f22b2922e66c5041519e89f030c3a9f7d164c0c11c00f44b6d29edaa84
Instruction Fuzzy Hash: 8EA19232E00209CFCF15DFB9C84059EBBBAFF85304B25456AE905EB265DB71E956CB40

Function 05AB3A7F Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1fb5cf2abb7b53860a787529af88dae2c17df9b9ec4d1f834045624e0b28ee
Instruction ID: 3b6163776cffbc402188cdf237a915dda42caf3b787bbde6979d65a63b47b284
Opcode Fuzzy Hash: bc1fb5cf2abb7b53860a787529af88dae2c17df9b9ec4d1f834045624e0b28ee
Instruction Fuzzy Hash: B8512D74E042598FDB14CFA9C580AAEFBF6BF89300F24856AD418A7356D7319D42CFA1

Function 05AB2F88 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3efc017c327a16f549b8e8b98fa78a7123caa4a2c238ea7492c6c1653c792032
Instruction ID: 729d1269a0517b92aa6c268cf12770cf1b5be85cc710c33b76c5cd319d77cd8c
Opcode Fuzzy Hash: 3efc017c327a16f549b8e8b98fa78a7123caa4a2c238ea7492c6c1653c792032
Instruction Fuzzy Hash: D151D674E09609DFEF04CFAAD4449EEBBFABF89310F149426E419A7212D7B19941CF90

Function 05AB5F80 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f5ee49036099ed705d74fcfb2c67e51ea79c8e582e515b21e52bbd4d26a392
Instruction ID: 563abc24fd8dfc282a8cde3701fe8167b90522986ba268e166246976e3b25725
Opcode Fuzzy Hash: b4f5ee49036099ed705d74fcfb2c67e51ea79c8e582e515b21e52bbd4d26a392
Instruction Fuzzy Hash: 0751F874E042298FDB14DFAAD5809AEBBF6BF89300F24C169D418A7356D7319942CFA0

Function 05AB63B9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1276685808.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79195006f0c7a63890fee3fb2de52d36681cbbf5b859b2bf9713783ea99b73ab
Instruction ID: e23960772e09edc35a5f45cc10d57b70dc70ae0fdcc56e7fe4c99e17b149c774
Opcode Fuzzy Hash: 79195006f0c7a63890fee3fb2de52d36681cbbf5b859b2bf9713783ea99b73ab
Instruction Fuzzy Hash: 9F511B74E042298FDB14DFA9C540AAEFBF6BF89300F248169D419A735AD7319D41CFA1

Analysis Process: H9YFiQB7o3.exePID: 820, Parent PID: 6308COMMON

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	60%
Total number of Nodes:	5
Total number of Limit Nodes:	0

Executed Functions

Function 00E37070 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00E370E7

Memory Dump Source

Source File: 00000007.00000002.2498558270.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e30000_H9YFiQB7o3.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: ec7b32b62191e57b8e513beaf8f7593940a809a90d07fadca725e17fae1fef72
Instruction ID: 9a8c077149c5a91125426eeb4529993e2401254f00599ae5ae7742da762da34c
Opcode Fuzzy Hash: ec7b32b62191e57b8e513beaf8f7593940a809a90d07fadca725e17fae1fef72
Instruction Fuzzy Hash: C12128B5C002598FDB14CF9AD485BEEFBF4AF49310F14842AE459B3250D778A944CF61

Function 00E3706A Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00E370E7

Memory Dump Source

Source File: 00000007.00000002.2498558270.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e30000_H9YFiQB7o3.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 3181515346bbae011cf102f152b93c1c62e9da489e03e49cb39b6994ac53e3d3
Instruction ID: 07069e003f6d526c0840d0248e191df85d9624a399b1d26df0d7e39a3fa8ee24
Opcode Fuzzy Hash: 3181515346bbae011cf102f152b93c1c62e9da489e03e49cb39b6994ac53e3d3
Instruction Fuzzy Hash: 832124B5C002598FDB24CF9AD485BEEBBF4AF49320F14842AE459B3250C7789A45CF60

Function 064BA928 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 064BA9B7

Memory Dump Source

Source File: 00000007.00000002.2502391660.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64b0000_H9YFiQB7o3.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: de98a79ef7aaf951f8bdd44365485c1bf7173455f12b593a0e32572c6abcdb56
Instruction ID: cd345a8a59d2f853346fcb8e4f353daf137266a84c4b62383e2f7a4379713bb7
Opcode Fuzzy Hash: de98a79ef7aaf951f8bdd44365485c1bf7173455f12b593a0e32572c6abcdb56
Instruction Fuzzy Hash: AA21E4B5D10208DFDB10CFAAD984AEEBBF5EB48310F14841AE958A3350D375A945DFA1

Function 064BA930 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 064BA9B7

Memory Dump Source

Source File: 00000007.00000002.2502391660.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64b0000_H9YFiQB7o3.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b66b29073975020208f152f7fb9171b4a75938656ef48d3efd6006be11246858
Instruction ID: d92207dfe2bc96f437e17ca2b4b81dc549e2506f20c2a8b7a11945eeab175c6f
Opcode Fuzzy Hash: b66b29073975020208f152f7fb9171b4a75938656ef48d3efd6006be11246858
Instruction Fuzzy Hash: F221E4B5D10208DFDB10CF9AD984ADEFBF4EB48310F14841AE918A3350D375A944CFA0

Function 00B0D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2496888053.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b0d000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c734d5a5709dc968303117472e074b2e4c08bb1ded5c1eae4d7c6c359557dc
Instruction ID: c33f38fb61ed4d346e517b5259abcd6870a4e276ac8430d28da2a20776015ed3
Opcode Fuzzy Hash: 73c734d5a5709dc968303117472e074b2e4c08bb1ded5c1eae4d7c6c359557dc
Instruction Fuzzy Hash: D321D075604200DFDB14DF54D9D4B16BFA5EB84324F20C5ADD84E4B2D6D336D847CA62

Function 00B0D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2496888053.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b0d000_H9YFiQB7o3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fc60d63533a3438c2be5c108211631deb60a9d98e91a691cdce8eecfb46c16
Instruction ID: 82347cf3d33c053fe82f59eef44316aa533ac19b172db13ee81cf6726944911b
Opcode Fuzzy Hash: 26fc60d63533a3438c2be5c108211631deb60a9d98e91a691cdce8eecfb46c16
Instruction Fuzzy Hash: E52162755083809FCB06CF54D994B11BFB1EB46314F28C5DAD8498F2E7D33A9856CB62

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report H9YFiQB7o3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\H9YFiQB7o3.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_abxmhbbd.s41.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bjw53ttx.nwb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gvxohm1h.2lo.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uh0xaq55.xan.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
H9YFiQB7o3.exe

Function 0139D3D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 05AB6B3C Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Function 05AB6B48 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0139AD48 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Function 0139590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 013944E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0139D6E1 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Function 05AB68B8 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Function 05AB68C0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 05AB69A9 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 05AB69B0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 0139D620 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre