Edit tour

Windows Analysis Report
9pIm5d0rsW.exe

Overview

General Information

Sample name:	9pIm5d0rsW.exe renamed because original name is a hash value
Original sample name:	20b88c89c50d71a77a0f2e1007a39cdb0b78f44c8507d3b492e8875a44861279.exe
Analysis ID:	1587609
MD5:	aac6e12f57c5e384767f42ba7809a66b
SHA1:	665522465ccffb1fde659a7c072d6c0ff6b24b61
SHA256:	20b88c89c50d71a77a0f2e1007a39cdb0b78f44c8507d3b492e8875a44861279
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

9pIm5d0rsW.exe (PID: 6260 cmdline: "C:\Users\user\Desktop\9pIm5d0rsW.exe" MD5: AAC6E12F57C5E384767F42BA7809A66B)

powershell.exe (PID: 4564 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\9pIm5d0rsW.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7260 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

9pIm5d0rsW.exe (PID: 1456 cmdline: "C:\Users\user\Desktop\9pIm5d0rsW.exe" MD5: AAC6E12F57C5E384767F42BA7809A66B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1687610433.0000000006DE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.4122220015.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.4122220015.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4122220015.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.4119886234.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4119886234.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: 9pIm5d0rsW.exe PID: 6260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 9pIm5d0rsW.exe PID: 6260	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 9pIm5d0rsW.exe PID: 1456	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 9pIm5d0rsW.exe PID: 1456	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.9pIm5d0rsW.exe.6de0000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.9pIm5d0rsW.exe.6de0000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.9pIm5d0rsW.exe.3c82680.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.9pIm5d0rsW.exe.3c82680.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.9pIm5d0rsW.exe.3c82680.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x312d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31345:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x313cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31461:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x314cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3153d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x315d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31663:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.9pIm5d0rsW.exe.3c82680.5.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2e6c6:$s2: GetPrivateProfileString 0x2ddc5:$s3: get_OSFullName 0x2f403:$s5: remove_Key 0x2f592:$s5: remove_Key 0x30473:$s6: FtpWebRequest 0x312b5:$s7: logins 0x31827:$s7: logins 0x3450a:$s7: logins 0x345ea:$s7: logins 0x35ee6:$s7: logins 0x35184:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.9pIm5d0rsW.exe.3c48060.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.9pIm5d0rsW.exe.3c48060.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.9pIm5d0rsW.exe.3c48060.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x312d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31345:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x313cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31461:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x314cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3153d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x315d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31663:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.9pIm5d0rsW.exe.3c48060.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2e6c6:$s2: GetPrivateProfileString 0x2ddc5:$s3: get_OSFullName 0x2f403:$s5: remove_Key 0x2f592:$s5: remove_Key 0x30473:$s6: FtpWebRequest 0x312b5:$s7: logins 0x31827:$s7: logins 0x3450a:$s7: logins 0x345ea:$s7: logins 0x35ee6:$s7: logins 0x35184:$s9: 1.85 (Hash, version 2, native byte-order)
3.2.9pIm5d0rsW.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.9pIm5d0rsW.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.9pIm5d0rsW.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33145:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33261:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3333d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33463:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.9pIm5d0rsW.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304c6:$s2: GetPrivateProfileString 0x2fbc5:$s3: get_OSFullName 0x31203:$s5: remove_Key 0x31392:$s5: remove_Key 0x32273:$s6: FtpWebRequest 0x330b5:$s7: logins 0x33627:$s7: logins 0x3630a:$s7: logins 0x363ea:$s7: logins 0x37ce6:$s7: logins 0x36f84:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.9pIm5d0rsW.exe.3c82680.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.9pIm5d0rsW.exe.3c82680.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.9pIm5d0rsW.exe.3c82680.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33145:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33261:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3333d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33463:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.9pIm5d0rsW.exe.3c82680.5.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304c6:$s2: GetPrivateProfileString 0x2fbc5:$s3: get_OSFullName 0x31203:$s5: remove_Key 0x31392:$s5: remove_Key 0x32273:$s6: FtpWebRequest 0x330b5:$s7: logins 0x33627:$s7: logins 0x3630a:$s7: logins 0x363ea:$s7: logins 0x37ce6:$s7: logins 0x36f84:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.9pIm5d0rsW.exe.3c48060.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.9pIm5d0rsW.exe.3c48060.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.9pIm5d0rsW.exe.3c48060.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6d6f3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33145:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6d765:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6d7ef:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33261:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6d881:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6d8eb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3333d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6d95d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6d9f3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33463:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6da83:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.9pIm5d0rsW.exe.3c48060.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304c6:$s2: GetPrivateProfileString 0x6aae6:$s2: GetPrivateProfileString 0x2fbc5:$s3: get_OSFullName 0x6a1e5:$s3: get_OSFullName 0x31203:$s5: remove_Key 0x31392:$s5: remove_Key 0x6b823:$s5: remove_Key 0x6b9b2:$s5: remove_Key 0x32273:$s6: FtpWebRequest 0x6c893:$s6: FtpWebRequest 0x330b5:$s7: logins 0x33627:$s7: logins 0x3630a:$s7: logins 0x363ea:$s7: logins 0x37ce6:$s7: logins 0x6d6d5:$s7: logins 0x6dc47:$s7: logins 0x7092a:$s7: logins 0x70a0a:$s7: logins 0x72306:$s7: logins 0x36f84:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x1442c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2cb0d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3056f3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x144335:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x2cb145:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x305765:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1443bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x2cb1cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3057ef:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x144451:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x2cb261:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x305881:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1444bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x2cb2cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3058eb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x14452d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2cb33d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x30595d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1445c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2cb3d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3059f3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x1416b6:$s2: GetPrivateProfileString 0x2c84c6:$s2: GetPrivateProfileString 0x302ae6:$s2: GetPrivateProfileString 0x140db5:$s3: get_OSFullName 0x2c7bc5:$s3: get_OSFullName 0x3021e5:$s3: get_OSFullName 0x1423f3:$s5: remove_Key 0x142582:$s5: remove_Key 0x2c9203:$s5: remove_Key 0x2c9392:$s5: remove_Key 0x303823:$s5: remove_Key 0x3039b2:$s5: remove_Key 0x143463:$s6: FtpWebRequest 0x2ca273:$s6: FtpWebRequest 0x304893:$s6: FtpWebRequest 0x1442a5:$s7: logins 0x144817:$s7: logins 0x1474fa:$s7: logins 0x1475da:$s7: logins 0x148ed6:$s7: logins 0x2cb0b5:$s7: logins
0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x846c9:$s1: file:/// 0x84625:$s2: {11111-22222-10009-11112} 0x84659:$s3: {11111-22222-50001-00000} 0x829f3:$s4: get_Module 0x1410d6:$s5: Reverse 0x2c7ee6:$s5: Reverse 0x302506:$s5: Reverse 0x31327:$s6: BlockCopy 0x143a76:$s6: BlockCopy 0x2ca886:$s6: BlockCopy 0x304ea6:$s6: BlockCopy 0x311af:$s7: ReadByte 0x14133b:$s7: ReadByte 0x2c814b:$s7: ReadByte 0x30276b:$s7: ReadByte 0x846db:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 25 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\9pIm5d0rsW.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\9pIm5d0rsW.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\9pIm5d0rsW.exe", ParentImage: C:\Users\user\Desktop\9pIm5d0rsW.exe, ParentProcessId: 6260, ParentProcessName: 9pIm5d0rsW.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\9pIm5d0rsW.exe", ProcessId: 4564, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\9pIm5d0rsW.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\9pIm5d0rsW.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\9pIm5d0rsW.exe", ParentImage: C:\Users\user\Desktop\9pIm5d0rsW.exe, ParentProcessId: 6260, ParentProcessName: 9pIm5d0rsW.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\9pIm5d0rsW.exe", ProcessId: 4564, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://beirutrest.com

Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.9pIm5d0rsW.exe.3c48060.3.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}

Multi AV Scanner detection for submitted file

Source: 9pIm5d0rsW.exe	Virustotal: Detection: 76%			Perma Link
Source: 9pIm5d0rsW.exe	ReversingLabs: Detection: 79%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 9pIm5d0rsW.exe

Joe Sandbox ML: detected

Source: 9pIm5d0rsW.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: 9pIm5d0rsW.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: kbog.pdb source: 9pIm5d0rsW.exe
Source:	Binary string: kbog.pdbSHA256 source: 9pIm5d0rsW.exe

Networking

Yara detected Generic Downloader

Source: Yara match

File source: 0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 50.87.144.157 50.87.144.157

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: beirutrest.com

Source: 9pIm5d0rsW.exe, 00000003.00000002.4122220015.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://beirutrest.com
Source: 9pIm5d0rsW.exe, 00000003.00000002.4120398918.0000000001126000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.c
Source: 9pIm5d0rsW.exe, 00000000.00000002.1681718490.0000000002961000.00000004.00000800.00020000.00000000.sdmp, 9pIm5d0rsW.exe, 00000003.00000002.4122220015.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 9pIm5d0rsW.exe, 00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp, 9pIm5d0rsW.exe, 00000003.00000002.4119886234.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: 9pIm5d0rsW.exe, 00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp, 9pIm5d0rsW.exe, 00000003.00000002.4119886234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 9pIm5d0rsW.exe, 00000003.00000002.4122220015.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: 9pIm5d0rsW.exe, 00000003.00000002.4122220015.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: 9pIm5d0rsW.exe, 00000003.00000002.4122220015.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: 9pIm5d0rsW.exe	String found in binary or memory: https://cdn.pixabay.com/photo/2017/02/12/21/29/false-2061132_640.png

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49732 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.9pIm5d0rsW.exe.3c82680.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.9pIm5d0rsW.exe.3c82680.5.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.9pIm5d0rsW.exe.3c48060.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.9pIm5d0rsW.exe.3c48060.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 3.2.9pIm5d0rsW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.9pIm5d0rsW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.9pIm5d0rsW.exe.3c82680.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.9pIm5d0rsW.exe.3c82680.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.9pIm5d0rsW.exe.3c48060.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.9pIm5d0rsW.exe.3c48060.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 0_2_00FA4210	0_2_00FA4210
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 0_2_00FA6F92	0_2_00FA6F92
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 0_2_00FAD524	0_2_00FAD524
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 0_2_07550040	0_2_07550040
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 0_2_07554000	0_2_07554000
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 0_2_0755E7B0	0_2_0755E7B0
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 0_2_0755C460	0_2_0755C460
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 0_2_0755E378	0_2_0755E378
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 0_2_0755E367	0_2_0755E367
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 0_2_0755003A	0_2_0755003A
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 0_2_0755CCD0	0_2_0755CCD0
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 0_2_07553878	0_2_07553878
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 0_2_0755C889	0_2_0755C889
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 0_2_07553888	0_2_07553888
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 0_2_0BB923C9	0_2_0BB923C9
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 0_2_0BB93C28	0_2_0BB93C28
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_0142E5C8	3_2_0142E5C8
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_0142A9E0	3_2_0142A9E0
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_01424A58	3_2_01424A58
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_0142DD38	3_2_0142DD38
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_01423E40	3_2_01423E40
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_01424188	3_2_01424188
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BB8970	3_2_06BB8970
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BC55A0	3_2_06BC55A0
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BC65F0	3_2_06BC65F0
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BCB248	3_2_06BCB248
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BC2350	3_2_06BC2350
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BCC190	3_2_06BCC190
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BC7D80	3_2_06BC7D80
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BC76A0	3_2_06BC76A0
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BCE3A8	3_2_06BCE3A8
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BC0040	3_2_06BC0040
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BC5CF8	3_2_06BC5CF8
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BC0006	3_2_06BC0006

Source: 9pIm5d0rsW.exe, 00000000.00000002.1687610433.0000000006DE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs 9pIm5d0rsW.exe
Source: 9pIm5d0rsW.exe, 00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 9pIm5d0rsW.exe
Source: 9pIm5d0rsW.exe, 00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs 9pIm5d0rsW.exe
Source: 9pIm5d0rsW.exe, 00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs 9pIm5d0rsW.exe
Source: 9pIm5d0rsW.exe, 00000000.00000002.1681718490.00000000029AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs 9pIm5d0rsW.exe
Source: 9pIm5d0rsW.exe, 00000000.00000000.1658783617.000000000065A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamekbog.exeJ vs 9pIm5d0rsW.exe
Source: 9pIm5d0rsW.exe, 00000000.00000002.1683264639.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 9pIm5d0rsW.exe
Source: 9pIm5d0rsW.exe, 00000000.00000002.1691900595.0000000008CC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 9pIm5d0rsW.exe
Source: 9pIm5d0rsW.exe, 00000000.00000002.1678794948.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 9pIm5d0rsW.exe
Source: 9pIm5d0rsW.exe, 00000003.00000002.4119886234.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs 9pIm5d0rsW.exe
Source: 9pIm5d0rsW.exe, 00000003.00000002.4120059285.0000000000F68000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 9pIm5d0rsW.exe
Source: 9pIm5d0rsW.exe	Binary or memory string: OriginalFilenamekbog.exeJ vs 9pIm5d0rsW.exe

Source: 9pIm5d0rsW.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.9pIm5d0rsW.exe.3c82680.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.9pIm5d0rsW.exe.3c82680.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.9pIm5d0rsW.exe.3c48060.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.9pIm5d0rsW.exe.3c48060.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.9pIm5d0rsW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.9pIm5d0rsW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.9pIm5d0rsW.exe.3c82680.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.9pIm5d0rsW.exe.3c82680.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.9pIm5d0rsW.exe.3c48060.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.9pIm5d0rsW.exe.3c48060.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: 9pIm5d0rsW.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@2/2

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9pIm5d0rsW.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5040:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zuzp3u5l.lgq.ps1

Jump to behavior

Source: 9pIm5d0rsW.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 9pIm5d0rsW.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 9pIm5d0rsW.exe	Virustotal: Detection: 76%
Source: 9pIm5d0rsW.exe	ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\9pIm5d0rsW.exe "C:\Users\user\Desktop\9pIm5d0rsW.exe"
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\9pIm5d0rsW.exe"
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process created: C:\Users\user\Desktop\9pIm5d0rsW.exe "C:\Users\user\Desktop\9pIm5d0rsW.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\9pIm5d0rsW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process created: C:\Users\user\Desktop\9pIm5d0rsW.exe "C:\Users\user\Desktop\9pIm5d0rsW.exe"	Jump to behavior

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 9pIm5d0rsW.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 9pIm5d0rsW.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 9pIm5d0rsW.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: kbog.pdb source: 9pIm5d0rsW.exe
Source:	Binary string: kbog.pdbSHA256 source: 9pIm5d0rsW.exe

Source: 9pIm5d0rsW.exe

Static PE information: 0xEC38769D [Tue Aug 2 11:35:57 2095 UTC]

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_01420C6D push edi; retf	3_2_01420C7A
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BBE580 push eax; retf	3_2_06BBE58A
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BBE503 push eax; retf	3_2_06BBE50A
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BBE500 push eax; retf	3_2_06BBE502
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BBF6F3 push es; ret	3_2_06BBF6F4
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BBFC78 pushfd ; retf	3_2_06BBFC79
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BB7DE8 push ss; retf	3_2_06BB7DEA
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BB7D7B push ss; retf	3_2_06BB7D82
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BB7D78 push ss; retf	3_2_06BB7D7A
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BB7A49 push cs; retf	3_2_06BB7A4A
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BB79A9 push cs; retf	3_2_06BB79AA
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Code function: 3_2_06BB7979 push cs; retf	3_2_06BB797A

Source: 9pIm5d0rsW.exe

Static PE information: section name: .text entropy: 7.016631887401928

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Memory allocated: FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Memory allocated: 2960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Memory allocated: 4960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Memory allocated: 8E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Memory allocated: 9E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Memory allocated: A050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Memory allocated: B050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Memory allocated: 1420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Memory allocated: 4ED0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 598949	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 598607	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 598168	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 597927	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 597416	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 597311	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 597202	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 597080	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 594426	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 594092	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6911	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2772	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Window / User API: threadDelayed 3446	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Window / User API: threadDelayed 6356	Jump to behavior

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 6436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7228	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -37815825351104557s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7300	Thread sleep count: 3446 > 30	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7300	Thread sleep count: 6356 > 30	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -598949s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -598607s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -598500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -598391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -598168s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -597927s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -597416s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -597311s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -597202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -597080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -596953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -594426s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -594219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -594092s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe TID: 7256	Thread sleep time: -593985s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 598949	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 598607	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 598168	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 597927	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 597416	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 597311	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 597202	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 597080	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 594426	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 594092	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: 9pIm5d0rsW.exe, 00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp, 9pIm5d0rsW.exe, 00000000.00000002.1691900595.0000000008CC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: DQEmUBm4C7uh1AFcG6j
Source: 9pIm5d0rsW.exe, 00000000.00000002.1689422475.0000000007320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 9pIm5d0rsW.exe, 00000000.00000002.1689422475.0000000007320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 9pIm5d0rsW.exe, 00000003.00000002.4120398918.00000000011D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\9pIm5d0rsW.exe"
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\9pIm5d0rsW.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe

Memory written: C:\Users\user\Desktop\9pIm5d0rsW.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\9pIm5d0rsW.exe"			Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Process created: C:\Users\user\Desktop\9pIm5d0rsW.exe "C:\Users\user\Desktop\9pIm5d0rsW.exe"			Jump to behavior

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Users\user\Desktop\9pIm5d0rsW.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Users\user\Desktop\9pIm5d0rsW.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.3c82680.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.3c48060.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.9pIm5d0rsW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.3c82680.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.3c48060.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4122220015.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4122220015.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4119886234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9pIm5d0rsW.exe PID: 6260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 9pIm5d0rsW.exe PID: 1456, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.6de0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.6de0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1687610433.0000000006DE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\9pIm5d0rsW.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.3c82680.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.3c48060.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.9pIm5d0rsW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.3c82680.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.3c48060.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4122220015.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4119886234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9pIm5d0rsW.exe PID: 6260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 9pIm5d0rsW.exe PID: 1456, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.3c82680.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.3c48060.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.9pIm5d0rsW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.3c82680.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.3c48060.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4122220015.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4122220015.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4119886234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9pIm5d0rsW.exe PID: 6260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 9pIm5d0rsW.exe PID: 1456, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.6de0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.6de0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1687610433.0000000006DE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 0.2.9pIm5d0rsW.exe.39b0060.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	1 Credentials in Registry	111 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	24 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
9pIm5d0rsW.exe	76%	Virustotal		Browse
9pIm5d0rsW.exe	79%	ReversingLabs	Win32.Trojan.Leonem
9pIm5d0rsW.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://beirutrest.com	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
beirutrest.com	50.87.144.157	true	true		unknown
api.ipify.org	104.26.13.205	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	9pIm5d0rsW.exe, 00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp, 9pIm5d0rsW.exe, 00000003.00000002.4119886234.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	9pIm5d0rsW.exe, 00000003.00000002.4122220015.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org	9pIm5d0rsW.exe, 00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp, 9pIm5d0rsW.exe, 00000003.00000002.4119886234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 9pIm5d0rsW.exe, 00000003.00000002.4122220015.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.pixabay.com/photo/2017/02/12/21/29/false-2061132_640.png	9pIm5d0rsW.exe	false		high
http://www.jiyu-kobo.co.jp/	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.microsoft.c	9pIm5d0rsW.exe, 00000003.00000002.4120398918.0000000001126000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fonts.com	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	9pIm5d0rsW.exe, 00000000.00000002.1681718490.0000000002961000.00000004.00000800.00020000.00000000.sdmp, 9pIm5d0rsW.exe, 00000003.00000002.4122220015.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	9pIm5d0rsW.exe, 00000000.00000002.1687729994.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://beirutrest.com	9pIm5d0rsW.exe, 00000003.00000002.4122220015.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
50.87.144.157	beirutrest.com	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587609
Start date and time:	2025-01-10 15:36:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9pIm5d0rsW.exe renamed because original name is a hash value
Original Sample Name:	20b88c89c50d71a77a0f2e1007a39cdb0b78f44c8507d3b492e8875a44861279.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 94 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:37:42	API Interceptor	10632708x Sleep call for process: 9pIm5d0rsW.exe modified
09:37:43	API Interceptor	16x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.13.205	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
50.87.144.157	KASHI SHIP PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse
	0wxckB4Iba.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	pR65xo6sud.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	ship's particulars-TBN.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	Packing List - SAPPHIRE X.xlsx.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	WOOYANG VENUS PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	MV BBG MUARA Ship's Particulars.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse
	CHARIKLIA JUNIOR DETAILS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse
	PEACE SHIP PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
beirutrest.com	KASHI SHIP PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
	0wxckB4Iba.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	pR65xo6sud.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	ship's particulars-TBN.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	50.87.144.157
	Packing List - SAPPHIRE X.xlsx.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	50.87.144.157
	WOOYANG VENUS PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	50.87.144.157
	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	MV BBG MUARA Ship's Particulars.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
	CHARIKLIA JUNIOR DETAILS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
	PEACE SHIP PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
api.ipify.org	VYLigyTDuW.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	https://www.tremendous.com/email/activate/yE_yBdRtyVv4Xqgg7hu_	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	https://vq6btbhdpo.nutignaera.shop/?email=YWxlamFuZHJvLmdhcnJpZG9Ac2VhYm9hcmRtYXJpbmUuY29t	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.12.205
	EZZGTmJj4O.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	mail (4).eml	Get hash	malicious	Unknown	Browse	172.67.74.152
	random.exe	Get hash	malicious	CStealer	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	VYLigyTDuW.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	PO-0005082025 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.131.144
	zrNcqxZRSM.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	188.114.96.3
	Salary Payment Information Discrepancy_pdf.pif.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	http://www.lpb.gov.lr	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.17.25.14
	https://samantacatering.com/	Get hash	malicious	Unknown	Browse	104.21.83.97
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGN	Get hash	malicious	Unknown	Browse	104.17.25.14
UNIFIEDLAYER-AS-1US	armv6l.elf	Get hash	malicious	Unknown	Browse	76.162.166.146
	https://sacredartscommunications.com/	Get hash	malicious	HTMLPhisher	Browse	192.185.25.242
	http://abdullaksa.com/fetching//index.xml#?email=Z2xhbGlja2VyQGhpbGNvcnAuY29t	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	192.185.118.129
	5.elf	Get hash	malicious	Unknown	Browse	162.144.117.236
	https://p3rsa.appdocumentcenter.com/BpdLO	Get hash	malicious	HTMLPhisher	Browse	162.241.149.91
	https://app.whirr.co/p/cm4711if90205nv0h2e4l0imu	Get hash	malicious	Unknown	Browse	162.241.149.91
	Fantazy.mips.elf	Get hash	malicious	Unknown	Browse	142.7.14.49
	ReIayMSG__polarisrx.com_#7107380109.htm	Get hash	malicious	HTMLPhisher	Browse	162.241.149.91
	ReIayMSG__polarisrx.com_#6577807268.htm	Get hash	malicious	HTMLPhisher	Browse	162.241.149.91
	sora.sh4.elf	Get hash	malicious	Unknown	Browse	142.7.196.19

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	104.26.13.205
	VYLigyTDuW.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	QUOTATION-9044456778.pdf (83kb).com.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	104.26.13.205
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGN	Get hash	malicious	Unknown	Browse	104.26.13.205
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	104.26.13.205
	XClient.exe	Get hash	malicious	XWorm	Browse	104.26.13.205
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.26.13.205

Process:	C:\Users\user\Desktop\9pIm5d0rsW.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379677338874509
Encrypted:	false
SSDEEP:	48:tWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZmUyus:tLHxvIIwLgZ2KRHWLOuggs
MD5:	F825B63C7D6B045FCFBA8BE6E0757BB8
SHA1:	789ED088BEEB1F6A08141F2D3F2DC8315AD23B35
SHA-256:	E1CA090C9A65A42E64DD89FB4FBD281F8128747D20DEE28178B630029F2D5818
SHA-512:	A13109C035829E502531A8741A28154F4FABF8719B92BF1646255B6B53CB3F3FA8BD8CAC4DC363E0A1D5308440E57170DB6ED2CA50549EEAC487CAB70DD5E6AF
Malicious:	false
Reputation:	low
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0vpz1lzz.bql.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cazrgh0j.utj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cxkl0lc5.mzr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zuzp3u5l.lgq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.008196177026252
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	9pIm5d0rsW.exe
File size:	880'640 bytes
MD5:	aac6e12f57c5e384767f42ba7809a66b
SHA1:	665522465ccffb1fde659a7c072d6c0ff6b24b61
SHA256:	20b88c89c50d71a77a0f2e1007a39cdb0b78f44c8507d3b492e8875a44861279
SHA512:	31a9c2bfdf91c3730646a8a5f92ac78e0a32f627025c36dbb10c3f36af19d666d4e1ab9d0466aea51d817297d5dc5aaaf624ff0f1f73d2aa36cd056782d7ab0a
SSDEEP:	12288:EhF0yHZA08tzXpjfDW6Kf00/0Zp2cbNMGpaIQyIc:UBopjrR800/0Zp2cJ/paIN7
TLSH:	3515B33E19B9622BB1B5C765FBE48127F0709AEFF151AD64D0EB436A4306A0374C326D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....v8...............0..d............... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4d8302
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xEC38769D [Tue Aug 2 11:35:57 2095 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007FE464D13802h
je 00007FE464D13802h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007FE464D13802h
imul eax, dword ptr [eax], 00610076h
je 00007FE464D13802h
outsd
add byte ptr [edx+00h], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd82b0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xda000	0x644	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xd6f4c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd6328	0xd6400	59987d3339b6cc587f4d6d23dce6af78	False	0.7144221302508752	data	7.016631887401928	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xda000	0x644	0x800	923367f037173941559cc8689cc2b81f	False	0.34228515625	data	3.492787482683551	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdc000	0xc	0x200	e2f55c2be31b83a1581b12a2a5d71975	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xda090	0x3b4	data			0.41244725738396626
RT_MANIFEST	0xda454	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:37:44.475145102 CET	49732	443	192.168.2.4	104.26.13.205
Jan 10, 2025 15:37:44.475167990 CET	443	49732	104.26.13.205	192.168.2.4
Jan 10, 2025 15:37:44.475657940 CET	49732	443	192.168.2.4	104.26.13.205
Jan 10, 2025 15:37:44.482575893 CET	49732	443	192.168.2.4	104.26.13.205
Jan 10, 2025 15:37:44.482589006 CET	443	49732	104.26.13.205	192.168.2.4
Jan 10, 2025 15:37:44.961597919 CET	443	49732	104.26.13.205	192.168.2.4
Jan 10, 2025 15:37:44.961694956 CET	49732	443	192.168.2.4	104.26.13.205
Jan 10, 2025 15:37:44.966006994 CET	49732	443	192.168.2.4	104.26.13.205
Jan 10, 2025 15:37:44.966016054 CET	443	49732	104.26.13.205	192.168.2.4
Jan 10, 2025 15:37:44.966274977 CET	443	49732	104.26.13.205	192.168.2.4
Jan 10, 2025 15:37:45.020265102 CET	49732	443	192.168.2.4	104.26.13.205
Jan 10, 2025 15:37:45.035514116 CET	49732	443	192.168.2.4	104.26.13.205
Jan 10, 2025 15:37:45.079329967 CET	443	49732	104.26.13.205	192.168.2.4
Jan 10, 2025 15:37:45.148798943 CET	443	49732	104.26.13.205	192.168.2.4
Jan 10, 2025 15:37:45.148869991 CET	443	49732	104.26.13.205	192.168.2.4
Jan 10, 2025 15:37:45.149334908 CET	49732	443	192.168.2.4	104.26.13.205
Jan 10, 2025 15:37:45.154786110 CET	49732	443	192.168.2.4	104.26.13.205
Jan 10, 2025 15:37:46.093017101 CET	49734	21	192.168.2.4	50.87.144.157
Jan 10, 2025 15:37:46.097847939 CET	21	49734	50.87.144.157	192.168.2.4
Jan 10, 2025 15:37:46.097953081 CET	49734	21	192.168.2.4	50.87.144.157
Jan 10, 2025 15:37:46.101248026 CET	49734	21	192.168.2.4	50.87.144.157
Jan 10, 2025 15:37:46.106090069 CET	21	49734	50.87.144.157	192.168.2.4
Jan 10, 2025 15:37:46.106199980 CET	49734	21	192.168.2.4	50.87.144.157

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:37:44.462629080 CET	53441	53	192.168.2.4	1.1.1.1
Jan 10, 2025 15:37:44.469223976 CET	53	53441	1.1.1.1	192.168.2.4
Jan 10, 2025 15:37:45.802334070 CET	53994	53	192.168.2.4	1.1.1.1
Jan 10, 2025 15:37:46.092271090 CET	53	53994	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 15:37:44.462629080 CET	192.168.2.4	1.1.1.1	0xd3bf	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:37:45.802334070 CET	192.168.2.4	1.1.1.1	0xc140	Standard query (0)	beirutrest.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 15:37:44.469223976 CET	1.1.1.1	192.168.2.4	0xd3bf	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:37:44.469223976 CET	1.1.1.1	192.168.2.4	0xd3bf	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:37:44.469223976 CET	1.1.1.1	192.168.2.4	0xd3bf	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:37:46.092271090 CET	1.1.1.1	192.168.2.4	0xc140	No error (0)	beirutrest.com	50.87.144.157	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	104.26.13.205	443	1456	C:\Users\user\Desktop\9pIm5d0rsW.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 14:37:45 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-10 14:37:45 UTC	424	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 14:37:45 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ffd6824cafc4376-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1626&min_rtt=1607&rtt_var=616&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1817050&cwnd=248&unsent_bytes=0&cid=d080abcc93a04092&ts=198&x=0"
2025-01-10 14:37:45 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Target ID:	0
Start time:	09:37:40
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\9pIm5d0rsW.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9pIm5d0rsW.exe"
Imagebase:	0x580000
File size:	880'640 bytes
MD5 hash:	AAC6E12F57C5E384767F42BA7809A66B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1687610433.0000000006DE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1683264639.0000000003969000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:37:42
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\9pIm5d0rsW.exe"
Imagebase:	0x1f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:37:42
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\9pIm5d0rsW.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9pIm5d0rsW.exe"
Imagebase:	0xb00000
File size:	880'640 bytes
MD5 hash:	AAC6E12F57C5E384767F42BA7809A66B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4122220015.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4122220015.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4122220015.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4119886234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4119886234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	09:37:42
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:37:44
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	149
Total number of Limit Nodes:	10

Executed Functions

Function 07550040 Relevance: 8.5, Strings: 6, Instructions: 1022
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJpq, xrefs: 075501E5
poq, xrefs: 07550D09
xbnq, xrefs: 07550170
Tekq, xrefs: 07550894
4'kq, xrefs: 07550C31
<ov!, xrefs: 0755043C

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: 4'kq$<ov!$TJpq$Tekq$poq$xbnq
API String ID: 0-2107662943
Opcode ID: 3eb78a376e45166f60412459689556442ac9c285aaa68893bfb40d7691cf998f
Instruction ID: e37e1129895a2923a03f62783102fa633c29b980ac59dc41627c6a800fef9ae3
Opcode Fuzzy Hash: 3eb78a376e45166f60412459689556442ac9c285aaa68893bfb40d7691cf998f
Instruction Fuzzy Hash: 45B2B174A00629CFDB64CF69C984AD9BBB2FF89304F1581E9D50DAB265DB319E81CF40

Function 0BB923C9 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694115173.000000000BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb90000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1dfb53a2e967e976c8086bbf5cfecff84771f43f8e763fcde26e547a0d71af
Instruction ID: 856f0bb5499875723cd26ee12567d072b686e3a461519f58681ec65c72d94849
Opcode Fuzzy Hash: 5d1dfb53a2e967e976c8086bbf5cfecff84771f43f8e763fcde26e547a0d71af
Instruction Fuzzy Hash: 20E1CD71B01600AFDB25DB79E850BAEB7FAEF89700F1444A9E145DB291DB38E806CB51

Function 07554000 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebdffbe6533c4116502e3bfb5b9761e5d9bce0e92d505bbca2bca1bf05089af8
Instruction ID: f0d43ef86458e418e827f68b7656e4b0fc7e3c8a4df86dc1c2673804f6901ad5
Opcode Fuzzy Hash: ebdffbe6533c4116502e3bfb5b9761e5d9bce0e92d505bbca2bca1bf05089af8
Instruction Fuzzy Hash: 597118B4D09259CFDF14DFA9D5546EDBBB6FF8A300F20902AD809AB215D7345982CF40

Function 00FA6F92 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679919278.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb6424a575daf4bead0e42d55254615644b71c65c5613d60858941daaac8987
Instruction ID: c88f0cdc0a4b0cda441366d648662943f6cdce0e722fa2a27c8df976f237ca52
Opcode Fuzzy Hash: feb6424a575daf4bead0e42d55254615644b71c65c5613d60858941daaac8987
Instruction Fuzzy Hash: 4E51B770E012189FDB09DFA9D9519EEBBB2FF89300F148429D405BB368DB355945DB50

Function 00FA4210 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679919278.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938aa2fc38869d9b2d2d2d61fdf597ab6d6aa1739209de7344cc210ca1c4829a
Instruction ID: d827fa64755f0393a17917d4f90f15abac2a01520eb45589fc2e09fa55dbb8a9
Opcode Fuzzy Hash: 938aa2fc38869d9b2d2d2d61fdf597ab6d6aa1739209de7344cc210ca1c4829a
Instruction Fuzzy Hash: 58519770E012189FDF09DFA9D9519EEBBB2FF89300F148429D409BB368DB359945DB50

Function 00FAD559 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00FAD5E6
GetCurrentThread.KERNEL32 ref: 00FAD623
GetCurrentProcess.KERNEL32 ref: 00FAD660
GetCurrentThreadId.KERNEL32 ref: 00FAD6B9

Memory Dump Source

Source File: 00000000.00000002.1679919278.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_9pIm5d0rsW.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 467690c1d05f37d4821bd9ec6826838f497ed8ab89993e2ebd8fe73688d1a628
Instruction ID: 05eda05a3776d0e61a4630ef0bfceacb48dec0dd3b6743d08d234b944b0bcfcf
Opcode Fuzzy Hash: 467690c1d05f37d4821bd9ec6826838f497ed8ab89993e2ebd8fe73688d1a628
Instruction Fuzzy Hash: 255166B09003098FDB14DFA9D548BAEBBF1FF89314F208059E409A7361D7749944CF65

Function 00FAD568 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00FAD5E6
GetCurrentThread.KERNEL32 ref: 00FAD623
GetCurrentProcess.KERNEL32 ref: 00FAD660
GetCurrentThreadId.KERNEL32 ref: 00FAD6B9

Memory Dump Source

Source File: 00000000.00000002.1679919278.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_9pIm5d0rsW.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 087279384ce6c8b805389ca9dfaf3917b55e96c3688f6f539d092b2794902d97
Instruction ID: 0e5425399378a351b57cb34f5b2947305c4f62cc14704f4819e0d5c3e2ec574c
Opcode Fuzzy Hash: 087279384ce6c8b805389ca9dfaf3917b55e96c3688f6f539d092b2794902d97
Instruction Fuzzy Hash: F85144B09003098FDB14DFAAD548BAEBBF1FF89314F248459E419A73A0D774A984CF65

Function 0755F4EC Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0755F72E

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3bbd77d34f085d6079eee209fc5d02c4aaec676c606a92d9100bb154dc9d7ffa
Instruction ID: cbd3cfabec006b467bbe8b7a3c252056a79b9e5d281dd7c938c52efc02432845
Opcode Fuzzy Hash: 3bbd77d34f085d6079eee209fc5d02c4aaec676c606a92d9100bb154dc9d7ffa
Instruction Fuzzy Hash: 00A17CB1D0021ADFDB14CF68C850BEDBBB2FF48314F1485AAE849A7290DB749985CF91

Function 0755F4F8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0755F72E

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f0bbde88dc528d4e27c19058c3749ca6b236bbd7ff7a9a82ecfb735bb8b16b23
Instruction ID: 7da442d5b572af83595941bb39c3de2dd2a40084bed5a0b3b2590a253ead1c13
Opcode Fuzzy Hash: f0bbde88dc528d4e27c19058c3749ca6b236bbd7ff7a9a82ecfb735bb8b16b23
Instruction Fuzzy Hash: 16916DB1D0021ADFDF14CF68C851BDDBBB2BF48314F1485AAE849A7290DB749985CF91

Function 00FAAEB7 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FAB11E

Memory Dump Source

Source File: 00000000.00000002.1679919278.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_9pIm5d0rsW.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8804f7e33f85499183ff71182af085fa5c837c31d3893b7028658e5c2e29a8cb
Instruction ID: 9718b3e13560b78b9edb01708d87bbbb0e2ab368691a4dc687c17047c0d137ba
Opcode Fuzzy Hash: 8804f7e33f85499183ff71182af085fa5c837c31d3893b7028658e5c2e29a8cb
Instruction Fuzzy Hash: 4F8156B0A00B048FD724CF29D44579ABBF1FF89314F008A2DE48AD7A51D735E84ADB91

Function 00FA590D Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00FA59C9

Memory Dump Source

Source File: 00000000.00000002.1679919278.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_9pIm5d0rsW.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 43f2a4a850f2f86219ee268a5401bab3320a411eff4942d022cc38686c7d3aac
Instruction ID: 400ef3c5d532eac36b4544b07bf97fa37d2e605257d8638c38bddb1ce5c8806a
Opcode Fuzzy Hash: 43f2a4a850f2f86219ee268a5401bab3320a411eff4942d022cc38686c7d3aac
Instruction Fuzzy Hash: 524104B0D00619CFDB24CFA9C884BCEBBF5BF49714F24816AD408AB251DB75594ACF90

Function 00FA44D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00FA59C9

Memory Dump Source

Source File: 00000000.00000002.1679919278.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_9pIm5d0rsW.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7db418a4a06ecfa922e64c1a1b0d4efd5eb6d4ac97268885af4e7dc90f07bc41
Instruction ID: 1de96967e30431b9b1413a7aea2326025eb8f7dff47e7f54fb9e1c65594b6ddc
Opcode Fuzzy Hash: 7db418a4a06ecfa922e64c1a1b0d4efd5eb6d4ac97268885af4e7dc90f07bc41
Instruction Fuzzy Hash: 5041F1B0D00719DBDB24CFA9C884B8EBBF5BF49704F20806AD409AB255DB756949CF90

Function 0755F268 Relevance: 1.6, APIs: 1, Instructions: 76
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0755F300

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 21dbbe0fb3ea12f4141964015e85d05f4d0e58aa950dbd6f16f343801cda020a
Instruction ID: 993da7b6f90c844809239ce40593b37b83485de5a76a10982c8a2692d231941e
Opcode Fuzzy Hash: 21dbbe0fb3ea12f4141964015e85d05f4d0e58aa950dbd6f16f343801cda020a
Instruction Fuzzy Hash: 59215CB59003199FDB10DFA9C881BDEBBF5FF48320F10842AE959A7250C7749944CFA0

Function 0755F0D0 Relevance: 1.6, APIs: 1, Instructions: 70
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0755F156

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 706cee0df5ab574be04d4600fdb64e4cdb1a99bade73908fa9ef907f3ab51ba5
Instruction ID: 4d24ed44988e883894f700d50ec4cbcec20ffcd8dea86fb6b8ff3948c9619673
Opcode Fuzzy Hash: 706cee0df5ab574be04d4600fdb64e4cdb1a99bade73908fa9ef907f3ab51ba5
Instruction Fuzzy Hash: AE2125B19002099FDB10DFAAC485BEFBBF5EB49324F10842AD459A7281CB789945CFA5

Function 0755F270 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0755F300

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5cd344806510931656ddb569669fa0458a32339d8adf278173832f92df08efc7
Instruction ID: e9bfa65b2031571ffaf30b14ef17517a2a0d25488ba5c5050a2a220863a6d451
Opcode Fuzzy Hash: 5cd344806510931656ddb569669fa0458a32339d8adf278173832f92df08efc7
Instruction Fuzzy Hash: CB2127B19003599FDB10CFA9C885BDEBBF5FF48310F10842AE959A7251C778A944CBA4

Function 0755F35A Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0755F3E0

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 56bf55cf61d8edf99165d6d10ebccf64d45a54b727e021ec529b82a0e33a8f71
Instruction ID: 6990870eef051fef7dcb0424f287f9ac8eb5831c674d77e06466f18b8da2817e
Opcode Fuzzy Hash: 56bf55cf61d8edf99165d6d10ebccf64d45a54b727e021ec529b82a0e33a8f71
Instruction Fuzzy Hash: 3C2119B19003599FDB10DFA9C881AEEFBF5FF48320F10842AE959A7250C7789544DBA5

Function 00FAD7A9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FAD837

Memory Dump Source

Source File: 00000000.00000002.1679919278.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_9pIm5d0rsW.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2f2e5dab3d4593039b20fe4a305965f8a99174a7ae935fc9c128d08515ca1676
Instruction ID: 04c1ae0564482678189bc304d6de369f71689cc554f48102d591ebd82a2cf820
Opcode Fuzzy Hash: 2f2e5dab3d4593039b20fe4a305965f8a99174a7ae935fc9c128d08515ca1676
Instruction Fuzzy Hash: EC2114B5D00218EFDB10CFAAD484ADEFBF4EB48320F14801AE919A3311C378A940CFA1

Function 0755F360 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0755F3E0

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 16380d93886f69b3ccb1443a03f45dc73a1908a373005ea89ec398e73b05136b
Instruction ID: 06b50ef9d51c8905c87d7f24d785eda4a7d29467c0331dea898db01d1084619c
Opcode Fuzzy Hash: 16380d93886f69b3ccb1443a03f45dc73a1908a373005ea89ec398e73b05136b
Instruction Fuzzy Hash: 9021FAB1D003599FDB10DFA9C885ADEFBF5FF48310F10842AE559A7250C7789544CBA5

Function 0755F0D8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0755F156

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 828ca61b5d648af103843961865a4c636f0edd4c876ea9c1cbcfee7569aaf13c
Instruction ID: 6ec57aab5685e64042601e91b9c6df18e1f5c25023199d01edd6f1daaa463329
Opcode Fuzzy Hash: 828ca61b5d648af103843961865a4c636f0edd4c876ea9c1cbcfee7569aaf13c
Instruction Fuzzy Hash: C82118B1D003098FDB10DFAAC4857EEBBF4EF48324F14842AD459A7281CB789945CFA5

Function 00FAD7B0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FAD837

Memory Dump Source

Source File: 00000000.00000002.1679919278.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_9pIm5d0rsW.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 33d9d99dbeb5cdc368cc08657266b4fa0bfe2fdd9d6c1a53976100639c02d7af
Instruction ID: b5266084249e8b60c5ec28d5092fb6d22cf94b922883236040602c01d21ec345
Opcode Fuzzy Hash: 33d9d99dbeb5cdc368cc08657266b4fa0bfe2fdd9d6c1a53976100639c02d7af
Instruction Fuzzy Hash: 1321E4B5D00258DFDB10CFAAD584ADEFBF4EB48320F14801AE959A7351C378A940CFA5

Function 0755F1A8 Relevance: 1.6, APIs: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0755F21E

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a52e1cd07742d84ea1c0e2994d38ae660b1ae7bdc2feb3414ffe281f1c536459
Instruction ID: fcd04b161833481a2ac8e54383296d278f93a221718f92cf7126dc49cb95b387
Opcode Fuzzy Hash: a52e1cd07742d84ea1c0e2994d38ae660b1ae7bdc2feb3414ffe281f1c536459
Instruction Fuzzy Hash: DE1159B69002499FCB10DFA9D845BEFFFF5EB48320F10841AE555A7250C775A544CFA1

Function 0755F020 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0755F08A

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 83a64d126bb3c7679dd36b3486d0dc46a77804eb3a127bc878458cffee195155
Instruction ID: 11aa7e8014a712054ac039021e46f53780f11629aa33c79d9bc58c2a96856b43
Opcode Fuzzy Hash: 83a64d126bb3c7679dd36b3486d0dc46a77804eb3a127bc878458cffee195155
Instruction Fuzzy Hash: 63115BB19003498FCB20DFAAD4457EFFBF9EB48320F24841AD459A7250CB796545CFA5

Function 0755F1B0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0755F21E

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2b7d99e1b2caf6fd8d16b106cfb24f931a5e0b1611f51e6e8f2feaf6cfa434eb
Instruction ID: b4830252135f835824574eb62e8912fd2f94eefb36abc02fe73d7a5cae20ad51
Opcode Fuzzy Hash: 2b7d99e1b2caf6fd8d16b106cfb24f931a5e0b1611f51e6e8f2feaf6cfa434eb
Instruction Fuzzy Hash: 661137B59002499FCB10DFAAC844BDEFFF5EF48320F10881AE555A7250C775A944CFA1

Function 0755F028 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0755F08A

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 880da58705dd4e5fe9d02447b309d1babd0aefa69ee2d457f5a664fa9da4aa33
Instruction ID: 5378bbd630aaa10016f883e080c7515eed017fdf6030da9e55258cc503dfee54
Opcode Fuzzy Hash: 880da58705dd4e5fe9d02447b309d1babd0aefa69ee2d457f5a664fa9da4aa33
Instruction Fuzzy Hash: 66113AB19003498FDB20DFAAC4457DEFBF5EB88324F24841AD559A7250C775A944CFA4

Function 00FAB0B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FAB11E

Memory Dump Source

Source File: 00000000.00000002.1679919278.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_9pIm5d0rsW.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 68fbef1797cd6415dac15b8e02643021de5e5323d1e8b6514b73d84fd82287d7
Instruction ID: 847601fbb61924632db6a54360f1589ff630137e1cd6f0c23ebf0594225e22a8
Opcode Fuzzy Hash: 68fbef1797cd6415dac15b8e02643021de5e5323d1e8b6514b73d84fd82287d7
Instruction Fuzzy Hash: EC1110B5C002498FCB10CF9AC844ADEFBF4AB89324F10842AD459A7211D379A545CFA1

Function 0BB91651 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0BB916B5

Memory Dump Source

Source File: 00000000.00000002.1694115173.000000000BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb90000_9pIm5d0rsW.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e82f338acb69228eaa0779c99ea6339f659f4d2c1795c2abb6a862b153b9f5eb
Instruction ID: b289c2c3f0a4e5a804f920ab7f9b55f38ce0ff2f375a3f54f8edbcca95152bce
Opcode Fuzzy Hash: e82f338acb69228eaa0779c99ea6339f659f4d2c1795c2abb6a862b153b9f5eb
Instruction Fuzzy Hash: FD1122B58003499FCB20DF9AD984BDEFBF8EB48320F10845AE558A7600C375A984CFA1

Function 0BB91658 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0BB916B5

Memory Dump Source

Source File: 00000000.00000002.1694115173.000000000BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb90000_9pIm5d0rsW.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 07ac4fda3e5305b65143ad6c3c41287fc27c5bc948d0225420ff236ce1f4ad71
Instruction ID: 455b9836e98866fa13efdefaacda642bcb32770a520171eea5bf31297517dd12
Opcode Fuzzy Hash: 07ac4fda3e5305b65143ad6c3c41287fc27c5bc948d0225420ff236ce1f4ad71
Instruction Fuzzy Hash: A51112B5800349DFDB10DF9AD984BDEFBF8EB48320F10845AE558A7250C375A984CFA5

Function 00D4D110 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678769667.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d4d000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db18c2d3a604a1a06bb4f479c376d84abd4258dfe3a2e1f9a8b984902d45eb4a
Instruction ID: bbed21cfba2224812bd64cae125ca84355fad44f7afde49793367cbcbf874484
Opcode Fuzzy Hash: db18c2d3a604a1a06bb4f479c376d84abd4258dfe3a2e1f9a8b984902d45eb4a
Instruction Fuzzy Hash: B4210071604340DFDB05DF14D9C0B27BF66FB98314F248169ED094B256C336D856CAB1

Function 00F5D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679445472.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f5d000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19872b8f1867875800fea67301b0193812ef0c537b450fe805c43e506dff2775
Instruction ID: 729de95dd28f17a359056bbb691883d6fa26e40a660a4fcda4b721b708d973f6
Opcode Fuzzy Hash: 19872b8f1867875800fea67301b0193812ef0c537b450fe805c43e506dff2775
Instruction Fuzzy Hash: D0213471905200EFDB25DF14C9C0B26BBA5FB84325F20C66DEE094B292C336D84ADA61

Function 00F5D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679445472.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f5d000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3275065078e4ad58c73601d7b2dd1aaca764d23e5bfa1982902ab200c6b5d6b7
Instruction ID: 46a78342b785448fa3080964408ada0ae96b14f0a7cdda8aa6003b1c60b8f8d7
Opcode Fuzzy Hash: 3275065078e4ad58c73601d7b2dd1aaca764d23e5bfa1982902ab200c6b5d6b7
Instruction Fuzzy Hash: BF21F271605200DFDB24DF14D9C4B26BBA5EB84325F20C569DE0A4B29AC33AD84BDA62

Function 00F5D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679445472.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f5d000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d40c72f4a88034d9bec141475b012adfe790c8ca10c15a7db04d205e8ce129
Instruction ID: 0a861d4185d247e6d42bebc1e33c969689dd5671b8146e5aa045dc3e01f8b83d
Opcode Fuzzy Hash: 18d40c72f4a88034d9bec141475b012adfe790c8ca10c15a7db04d205e8ce129
Instruction Fuzzy Hash: 80218E755093808FDB12CF24D994715BF71EB46324F28C5EAD9498F2A7C33A980ACB62

Function 00D4D10B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678769667.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d4d000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 33d99aa3f3945b00c2ceae424e2bb61ba541be28679e0ef8cbe84a4da3a69596
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 4E11AC76504280CFCB16CF10D9C4B16BF72FB94324F28C6A9DD094B256C33AD85ACBA2

Function 00F5D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679445472.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f5d000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 3e9577cd17e1cf5b547543662b06d56f7d95371e7fa02d9467cd86a98e515bd9
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 5711BB75904280DFCB16CF10C9C4B15BBA1FB84324F24C6AEDD494B696C33AD84ADB61

Function 00D4D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678769667.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d4d000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b526851cc384288d09454467cb062a3be8c59988c874c1590f84ed5405421e9
Instruction ID: 4f2775569b7c6c262bcff522980a90c48c8a3d1c141efe5328c59d26bdcf55a1
Opcode Fuzzy Hash: 7b526851cc384288d09454467cb062a3be8c59988c874c1590f84ed5405421e9
Instruction Fuzzy Hash: 6A01D6710083409BE7109F29CD88B67FF99EF45324F1CC56AED4A4E286D679DC40CAB1

Function 00D4D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678769667.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d4d000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6653cdf1d39bfec93c960abb7823ed79446b1aa70c7a275df5f2821899eea07
Instruction ID: d5ba1ab4a32f21a26ca4218fe4599fe77174ee289d0b6b33fdf9b1bdd0653f15
Opcode Fuzzy Hash: e6653cdf1d39bfec93c960abb7823ed79446b1aa70c7a275df5f2821899eea07
Instruction Fuzzy Hash: F0F06D71408344ABEB108E1AC888B62FFA8EF95734F18C45AED494E286C2799C44CAB1

Non-executed Functions

Function 0755003A Relevance: 4.0, Strings: 3, Instructions: 237COMMON

Download Yara Rule

Strings

TJpq, xrefs: 075501E5
xbnq, xrefs: 07550170
Tekq, xrefs: 07550894

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: TJpq$Tekq$xbnq
API String ID: 0-3321955333
Opcode ID: 9c65c5f8b7306bee60f08bae6c3af23b0259e1c7e6828df9fea90cc9ed6793c2
Instruction ID: e6f19c96bf4a34ab9dd98c61d15d7fcbe6227678bd77e6cc92eaf5d8db1f8633
Opcode Fuzzy Hash: 9c65c5f8b7306bee60f08bae6c3af23b0259e1c7e6828df9fea90cc9ed6793c2
Instruction Fuzzy Hash: 4EB166B5E016188FDB58DF6AC9546DDBBF2BF89300F14C1EAD809AB364DB305A858F50

Function 0BB93C28 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PHkq, xrefs: 0BB93E13
PHkq, xrefs: 0BB93EEB

Memory Dump Source

Source File: 00000000.00000002.1694115173.000000000BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BB90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb90000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: PHkq$PHkq
API String ID: 0-119726883
Opcode ID: 6a3090a85dd414deff69a247a531e1609df02f8a36c1bb52cf306371fb085196
Instruction ID: f985ede3d26501c8d277010b724b8ccb95073df11c42e0c441a8f549ce9ba1cb
Opcode Fuzzy Hash: 6a3090a85dd414deff69a247a531e1609df02f8a36c1bb52cf306371fb085196
Instruction Fuzzy Hash: 5BD1A034A006098FDB18DF69D598AA9B7F1FF8D701F2580E8E516AB371DB31AD41CB60

Function 0755C889 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b52e96c5f4d291f4692189193e7a070b64fa254904887b50c704ba8b07ed8d6d
Instruction ID: 4a6b19ef5ed5fd3ec168fc0ee934fc57798f93dd35972aa0eecb96a97b076371
Opcode Fuzzy Hash: b52e96c5f4d291f4692189193e7a070b64fa254904887b50c704ba8b07ed8d6d
Instruction Fuzzy Hash: E4E1EDB4E0421A8FCB14DFA9C5909AEFBF2FF49304F24916AD815AB355DB31A941CF60

Function 0755E7B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a4d3f782438aa850b4aeeef0c73a645b2467d4b818ec4244215e59ec3f22bb
Instruction ID: eb774df1e660e2c3a90ef2300b5bb5452ac6f960f173ae4e39eb332cbdd0ed84
Opcode Fuzzy Hash: 16a4d3f782438aa850b4aeeef0c73a645b2467d4b818ec4244215e59ec3f22bb
Instruction Fuzzy Hash: B7E10AB4E041198FDB14DFA9C5919AEFBB2FF89304F24816AD815AB359DB30AD41CF60

Function 0755C460 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef93bdea5f88211808a3b0971435d235e866d608160424f2cefcd8304264fecb
Instruction ID: 75e29bb076931f9ba8eec5f96d89977e80baf2ba36543bf883f39643b0912179
Opcode Fuzzy Hash: ef93bdea5f88211808a3b0971435d235e866d608160424f2cefcd8304264fecb
Instruction Fuzzy Hash: 05E1EDB4E0425A8FDB14DFA9C5909AEFBF2FF49304F24816AD814AB355DB31A941CF60

Function 0755E378 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba38c18ce6d5b49f6c33c82151a0be32d76f7834b58cd9a8596139f66eb14255
Instruction ID: 09d57c2d2706ad64e172ff05be3760a426b67098e66fef47d25c9bb26fe6a749
Opcode Fuzzy Hash: ba38c18ce6d5b49f6c33c82151a0be32d76f7834b58cd9a8596139f66eb14255
Instruction Fuzzy Hash: 96E10EB4E041598FCB14DFA9C5919AEFBF2FF49304F24816AE814AB356DB30A941CF60

Function 0755CCD0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d389438348600441d350684d472d4e473c1a7a439d25fb313629b191a4cad4ea
Instruction ID: 8f3061ac1799aaba96ff7b3d9885d996f42f71aa18ad46420f724ec248402b3c
Opcode Fuzzy Hash: d389438348600441d350684d472d4e473c1a7a439d25fb313629b191a4cad4ea
Instruction Fuzzy Hash: 6BE1F0B4E0025A8FCB14DFA9C5909ADFBF2FF49304F24816AD814AB355D731A941CF61

Function 07553878 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0420ef403cde006801bc7dbb7f3aaca9b92cc64b11a66c66bea0786b2bff78a6
Instruction ID: a6f1550d469bb909e002fbf934765fdb9943982173e84bec3fe4366e1e262cc3
Opcode Fuzzy Hash: 0420ef403cde006801bc7dbb7f3aaca9b92cc64b11a66c66bea0786b2bff78a6
Instruction Fuzzy Hash: 14D1F93191475A8ACB10EF68D9506D9F7B1FF95300F108B9AE1093B665EF70AAC8CF91

Function 00FAD524 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679919278.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca7380600063710ee7f14e95222c3c916fa141b2473a1d88808b9bbf100f27a
Instruction ID: 0fc8da316c361af98611f1e851d030b977a4835033109b4e96b761ee7e00ed41
Opcode Fuzzy Hash: 2ca7380600063710ee7f14e95222c3c916fa141b2473a1d88808b9bbf100f27a
Instruction Fuzzy Hash: 1EA15C76E00209CFCF05DFA4C94499EB7B2FF86310B25457AE805AF265DB35E90ADB80

Function 07553888 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c334a7060fa808fabde708ede4d8263cd2c27b65072cc98f7af6f52ec409b0
Instruction ID: cb5c104e407b2472e6bd126c1e22525e7a2fb8867f691bb8c293282a52e305a1
Opcode Fuzzy Hash: 07c334a7060fa808fabde708ede4d8263cd2c27b65072cc98f7af6f52ec409b0
Instruction Fuzzy Hash: 41D1D83191075A8ACB10EF68D9506D9F7B1FF95300F208B9AD1093B665EF70AAD8CF91

Function 0755E367 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691318978.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7550000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966ce0f86a34f998aff1149179668ce7c27a515b2c9212f396eed89f8ec5a629
Instruction ID: a456c5b08a9e2a847e6aa3c407f5de84e8fef2fadef17649ba9728590dd82d8d
Opcode Fuzzy Hash: 966ce0f86a34f998aff1149179668ce7c27a515b2c9212f396eed89f8ec5a629
Instruction Fuzzy Hash: C7511FB4E042198BCB14CFA9C5515EEFBF2FF89304F2481AAD814AB256D7315A41CFA1

Analysis Process: 9pIm5d0rsW.exePID: 1456, Parent PID: 6260COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	173
Total number of Limit Nodes:	17

Executed Functions

Function 06BC2350 Relevance: 9.0, Strings: 6, Instructions: 1497COMMON

Download Yara Rule

Strings

$kq, xrefs: 06BC376B
$kq, xrefs: 06BC3794
$kq, xrefs: 06BC37AC
$kq, xrefs: 06BC3788
$kq, xrefs: 06BC37B8
$kq, xrefs: 06BC375F

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 46c48d6e583e6df63901c2bff6375dd0bb52efd6e8d5dc9c335609624238b8ea
Instruction ID: 8267d99c5f91bac1560e269e85ced01030b7f1dccffc91b645615ea9d035d3dd
Opcode Fuzzy Hash: 46c48d6e583e6df63901c2bff6375dd0bb52efd6e8d5dc9c335609624238b8ea
Instruction Fuzzy Hash: 71D24770E002098FCB64DB68C594A9DB7F2FF85310F64D5A9D449AB265DB34EE85CB80

Function 06BCB248 Relevance: 8.3, Strings: 6, Instructions: 763COMMON

Download Yara Rule

Strings

$kq, xrefs: 06BCBBDD
$kq, xrefs: 06BCBC1D
$kq, xrefs: 06BCBBB5
$kq, xrefs: 06BCBBE9
$kq, xrefs: 06BCBC11
$kq, xrefs: 06BCBBA9

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 220cf433b8acfaf28c640900f9a98cd0662aaf621eff76ab5d1b08fe19b9ae56
Instruction ID: 1853267a3d332db6c49fba7e071fa4856d21a0f723ad38cf6824dc19a6d82570
Opcode Fuzzy Hash: 220cf433b8acfaf28c640900f9a98cd0662aaf621eff76ab5d1b08fe19b9ae56
Instruction Fuzzy Hash: E452A1B0E002098FDF64DB68D5917AEB7B2FB85320F2095AAD405EB395DB34DD81CB91

Function 06BC7D80 Relevance: 3.0, Strings: 2, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06BC8327
$kq, xrefs: 06BC831B

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 1e2fdca4725cbf262990d629d893b7029f6dfa8970f4a0ef6790f26b7ca09070
Instruction ID: 740f4a6c78848bf8c2d05f2d04928ff86f282f4c20f12f55f2abd10ba59a95d7
Opcode Fuzzy Hash: 1e2fdca4725cbf262990d629d893b7029f6dfa8970f4a0ef6790f26b7ca09070
Instruction Fuzzy Hash: 3702AC70B0021A8FDF54DB69D554AAEBBE2FF84310F208569E415DB398DB35ED82CB90

Function 06BC55A0 Relevance: 1.8, Strings: 1, Instructions: 600
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 06BC597B

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 9796b6e819cfa2db90e64e6d6a87e2e32b54d93808f673e2779d6b26fce79a7c
Instruction ID: 5886851c4dda7c68a11c9631628fb5eb9c667ab2aead0b44c842a4c1fe175e70
Opcode Fuzzy Hash: 9796b6e819cfa2db90e64e6d6a87e2e32b54d93808f673e2779d6b26fce79a7c
Instruction Fuzzy Hash: 5722B3B2F102158FDF70DB64C5846AEB7F6EF84320F2485A9D405AB354DA35ED91CB90

Function 06BC65F0 Relevance: .8, Instructions: 822COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e0e6fc30d4ecce7986eaa86ca2d3d6eb0334c54f291405b89c76729eb980e1
Instruction ID: f2d136e7f8e4034898cbf626a77ae3d5850e31aed228c4b940775c345c0a05a6
Opcode Fuzzy Hash: 37e0e6fc30d4ecce7986eaa86ca2d3d6eb0334c54f291405b89c76729eb980e1
Instruction Fuzzy Hash: 98628D74B002058FDB54DB68D554AADB7F2EF88320F2494ADE806DB395EB35EE45CB80

Function 06BCC190 Relevance: .6, Instructions: 636COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6747f35d50dae79b07c6fb2d59c55c416cfa1a5c44c456202208be6cfc26d12e
Instruction ID: a0f961c53475b32affebc564d61ad06e5e0f0e79d60de4e5995816b491a020c1
Opcode Fuzzy Hash: 6747f35d50dae79b07c6fb2d59c55c416cfa1a5c44c456202208be6cfc26d12e
Instruction Fuzzy Hash: 1232A170B001098FDF50DB69E994BAEBBB2FB98320F109569E409EB355DB35ED41CB90

Function 06BCACE0 Relevance: 10.4, Strings: 8, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06BCAE54
$kq, xrefs: 06BCAEB8
$kq, xrefs: 06BCAE60
$kq, xrefs: 06BCAE8F
$kq, xrefs: 06BCAE83
$kq, xrefs: 06BCAE01
$kq, xrefs: 06BCAE0D
$kq, xrefs: 06BCAEAC

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: 3bb2377651020b75899b17013dc39cd9d394dfab84248e9b63e7a92c9aa7c08f
Instruction ID: e3d68c67d5320090b3c5b54a56c58376dd47ef172abc770e313e42e0ef47451b
Opcode Fuzzy Hash: 3bb2377651020b75899b17013dc39cd9d394dfab84248e9b63e7a92c9aa7c08f
Instruction Fuzzy Hash: 74E18C70E1021A8FCF65EB69D5906AEB7B2EF84310F20856DD405DB358DB34ED86CB90

Function 06BC9158 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06BC91D4
$kq, xrefs: 06BC920F
$kq, xrefs: 06BC91C8
$kq, xrefs: 06BC9203

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 28d1ea4b687043a7bace2b0462ea75fe8068941177439d4aa4ce9d6068eabcf7
Instruction ID: d9c20f2cdad7be2fd7183681d1ca34bcd4526a325c34ffba0447b9368ada8d48
Opcode Fuzzy Hash: 28d1ea4b687043a7bace2b0462ea75fe8068941177439d4aa4ce9d6068eabcf7
Instruction Fuzzy Hash: D9915070B0021A8FDF64EB69D9607AE73B6FB85350F1085A9D8099B358EB31DD418B91

Function 06BCCF48 Relevance: 4.5, Strings: 3, Instructions: 797
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06BCD353
$kq, xrefs: 06BCD347
$kq, xrefs: 06BCD33F

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq
API String ID: 0-2086306503
Opcode ID: 0ec9ed2308edbe1401c9b578950eb97d8f673aabbccf806897b0caab1999485b
Instruction ID: 6d9582216605571f6246ce691e0eb4f355320779e17b9f31b177abf14ecec661
Opcode Fuzzy Hash: 0ec9ed2308edbe1401c9b578950eb97d8f673aabbccf806897b0caab1999485b
Instruction Fuzzy Hash: 87625234A002168FCB55EF69E990A5EB7B2FF84314F208678D4059F369DB75ED86CB80

Function 06BC4B70 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Opq, xrefs: 06BC4D27
XPpq, xrefs: 06BC4C9D
fpq, xrefs: 06BC527D

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: fpq$XPpq$\Opq
API String ID: 0-2571271785
Opcode ID: 4c12a2320229550b786dc2daf04fb34c9bdb27645d0377d0ebbf005532fa6366
Instruction ID: fffcbf414f71ecd96bd8cff849af7fb0aff3506136c0ba3858123dfdc129a879
Opcode Fuzzy Hash: 4c12a2320229550b786dc2daf04fb34c9bdb27645d0377d0ebbf005532fa6366
Instruction Fuzzy Hash: 7A618171F002199FEB549BA9C8247AEBBF6FF88710F20846DD106EB394DE759D418B50

Function 06BC9149 Relevance: 2.7, Strings: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06BC91C8
$kq, xrefs: 06BC9203

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: ea200bab084ffe8ec38b2b2c2a289caa5648ad2d5d00c0f29e9b8d9aa2476d0d
Instruction ID: 1b23888cc9d598183ad098dce19e234c1dee268cc472adce25452a4eab4c8e40
Opcode Fuzzy Hash: ea200bab084ffe8ec38b2b2c2a289caa5648ad2d5d00c0f29e9b8d9aa2476d0d
Instruction Fuzzy Hash: 86515F70B002198FEF54EB69D9A076E73F6EB89750F108469C809DB398EA31DD518B91

Function 06BBAF20 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4133189207.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb0000_9pIm5d0rsW.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6d4b6a7da068d2e288e44ce34198751324c6316c23e75327a2637b14d9794b20
Instruction ID: 3b81bac321ece708fc09800d49f3d6628630814e8cba8e9cdbfe40f7e44777b9
Opcode Fuzzy Hash: 6d4b6a7da068d2e288e44ce34198751324c6316c23e75327a2637b14d9794b20
Instruction Fuzzy Hash: 937157B0A00B058FD764DF2AD4407AABBF5FF88200F009A6DD49AD7A50DBB5E845CB90

Function 0142EA60 Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4121308498.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1420000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72293e75d6b8d66e2151493654b8ed6013f8186b47b6f8e36bf8dabb75ee6bd0
Instruction ID: 6e864c5e6e4369cedb52e9748324ab891906bf5bb6f7997d64ac4d816cffd671
Opcode Fuzzy Hash: 72293e75d6b8d66e2151493654b8ed6013f8186b47b6f8e36bf8dabb75ee6bd0
Instruction Fuzzy Hash: 7C41E372D103598FCB04DF69D4046AEBFB5AF89210F14866AD905A7351EB74A881CBE1

Function 06BBD0E7 Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06BBD202

Memory Dump Source

Source File: 00000003.00000002.4133189207.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb0000_9pIm5d0rsW.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d3170c0b69c42038560e013f366b69b02d78a8f855002d8c5bc7c0efad13b3e9
Instruction ID: 047a0a71cd425b2108cc9ff6052a8b7caa9b0a984b16df152ae2b433a43cbf50
Opcode Fuzzy Hash: d3170c0b69c42038560e013f366b69b02d78a8f855002d8c5bc7c0efad13b3e9
Instruction Fuzzy Hash: 3851D0B1D003499FDB14CF99C984ADEBFB5FF88310F24812AE818AB214D7B59885CF90

Function 06BBD0F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06BBD202

Memory Dump Source

Source File: 00000003.00000002.4133189207.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb0000_9pIm5d0rsW.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: add1b461bb121e626577635cc76af3c7d60c44e6809ad72f39c9a6080aa3bd7d
Instruction ID: e22f59a1321cf8d79752215f073ff9664fff2c45f0702fe1bfc3333e6ef1081d
Opcode Fuzzy Hash: add1b461bb121e626577635cc76af3c7d60c44e6809ad72f39c9a6080aa3bd7d
Instruction Fuzzy Hash: 3941CFB1D003599FDF14CF99C984ADEBBB5FF88310F24912AE818AB210D7B59885CF90

Function 06BBA5EC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06BBF8F1

Memory Dump Source

Source File: 00000003.00000002.4133189207.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb0000_9pIm5d0rsW.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 2834f5dd255b27499e220449001708f6a15106f3f3f9efa4f3262c38f2eae0fc
Instruction ID: 19d07c88e06cf4c649dd15b1d527a42ec1179671fd4d5a3fc8a63844772e47ab
Opcode Fuzzy Hash: 2834f5dd255b27499e220449001708f6a15106f3f3f9efa4f3262c38f2eae0fc
Instruction Fuzzy Hash: 3F416DB4900309DFDB54CF59C848AAABBF9FF88314F24C498E459A7321C774A841CFA0

Function 06BB2AB8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06BB2B47

Memory Dump Source

Source File: 00000003.00000002.4133189207.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb0000_9pIm5d0rsW.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c6a6536fa9c26d163e15629f790485c7b05debcc9d5384a35893e8ec2761acaa
Instruction ID: d35bab615033682c7fca98cc95cc7a42fd7e76763e7bc8680a70f870ab54fdab
Opcode Fuzzy Hash: c6a6536fa9c26d163e15629f790485c7b05debcc9d5384a35893e8ec2761acaa
Instruction Fuzzy Hash: 3921E4B5D00249DFDB10CFAAD984AEEBBF5FB48310F14805AE914A7310C378A940CFA4

Function 06BB2AC0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06BB2B47

Memory Dump Source

Source File: 00000003.00000002.4133189207.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb0000_9pIm5d0rsW.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 66f153daee6bf21c39e71b79d80068d5764209666ba79c4395808ed029b88008
Instruction ID: 1590129f521f976a301664b9728b25df819addb60caf5612420006c1b5127dec
Opcode Fuzzy Hash: 66f153daee6bf21c39e71b79d80068d5764209666ba79c4395808ed029b88008
Instruction Fuzzy Hash: 7D21E4B59002499FDB10CF9AD984AEEFBF8FB48310F14801AE914A7310C378A940CFA4

Function 0142E1C8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0142EAB2), ref: 0142EB9F

Memory Dump Source

Source File: 00000003.00000002.4121308498.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1420000_9pIm5d0rsW.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 72106232aa57c55b0767680811c519215aea77339663df96623fd332c2d9dcc2
Instruction ID: 54ab5678016f11693fe1ae5bd2dba798a6b9727fb1407235a6471154eb4895d2
Opcode Fuzzy Hash: 72106232aa57c55b0767680811c519215aea77339663df96623fd332c2d9dcc2
Instruction Fuzzy Hash: B41112B1C006699BDB10DF9AC444BEEFBF4FB48320F10816AE818B7250D378A944CFA5

Function 0142EB30 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0142EAB2), ref: 0142EB9F

Memory Dump Source

Source File: 00000003.00000002.4121308498.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1420000_9pIm5d0rsW.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 7a8e46ffffba7869e56f2be8d5e25254666cf2e1d3088b582d0da279a2f38def
Instruction ID: 002630cc45b1dd067104a9468e44fa3b2167876ff004027730a0055e4f930dbb
Opcode Fuzzy Hash: 7a8e46ffffba7869e56f2be8d5e25254666cf2e1d3088b582d0da279a2f38def
Instruction Fuzzy Hash: 4C1114B1C002699FDB10CF9AC444BDEFBF5AB48320F14816AD818B7350D378A944CFA5

Function 06BBA2E4 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,06BBAF3C), ref: 06BBB176

Memory Dump Source

Source File: 00000003.00000002.4133189207.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb0000_9pIm5d0rsW.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 968345f244a332104dc8aef5286558723657263f6fd3ab24b331c4a1eb4641bd
Instruction ID: 02b52d3b0582a9cbee037a5e0f3e5d36282bb7bc2c70144289f7b3a5e2f64580
Opcode Fuzzy Hash: 968345f244a332104dc8aef5286558723657263f6fd3ab24b331c4a1eb4641bd
Instruction Fuzzy Hash: 231102B5C002598FDB10DF9AC844AEEFBF4EB49214F14846AE429B7310C7B9A545CFA5

Function 06BC4B60 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

XPpq, xrefs: 06BC4C9D

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: XPpq
API String ID: 0-1266478781
Opcode ID: 2c6f587980447c6975120ec97e0f88fcae31b7bbf90103aa26dd691bdc7ed295
Instruction ID: 420751406b7e3d582f040584276c758f36e31c98d3df1347f7a008be4fe12caa
Opcode Fuzzy Hash: 2c6f587980447c6975120ec97e0f88fcae31b7bbf90103aa26dd691bdc7ed295
Instruction Fuzzy Hash: 43419171E102189FDB549FA9C914B9EBBF6FF88310F208569D106EB3A4DA709C018B90

Function 06BCDAD0 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06BCDC19

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: d44c0db248131b61aeb26dbc52509fee0b513d25e2d9ced6c085ea97060231fe
Instruction ID: 6a7e8d9cc6a1533d267276b34b572f2ba8dcbc230bc0d61714395fa940496948
Opcode Fuzzy Hash: d44c0db248131b61aeb26dbc52509fee0b513d25e2d9ced6c085ea97060231fe
Instruction Fuzzy Hash: 78418EB4E002099FDB64DF65D58469EBBB6FF85310F20457DE406EB244EB70E946CB81

Function 06BCDABD Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06BCDC19

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: eaea86ed05ce31c1199468439e82fd5c36c83830da32abb23c1b8097819d2cde
Instruction ID: 4b37a3a0feb6383378931e51c769429fc3a000d029b911ea18fa0ed5aa708b37
Opcode Fuzzy Hash: eaea86ed05ce31c1199468439e82fd5c36c83830da32abb23c1b8097819d2cde
Instruction Fuzzy Hash: 40419A74E003099FCB65DF65C58469EBBB6FF85310F20456EE402EB284EB70EA46CB80

Function 06BC21B5 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06BC2303

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: aeb9167c11f935dc00e19b79ea2d747fa7c1ab8a52b9666509210efde8cc9329
Instruction ID: 64627bf4332f4f16a2a9dcd2727e8b02f1c722ee0aecf093169e367a680b27c5
Opcode Fuzzy Hash: aeb9167c11f935dc00e19b79ea2d747fa7c1ab8a52b9666509210efde8cc9329
Instruction Fuzzy Hash: 3231D271B002058FCF68AB74D52466E7BE6FB89220F1445ACD402DB3A4DF35DE45CB91

Function 06BC21C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06BC2303

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 24004059a5054ed82ea32f5189a89d06230e271599d16f4bc69ca7369cf1a339
Instruction ID: 84c7a216d14f1a1e8af209ed2db44d3da2a26e21d56cd038e922bc4c9ef2df65
Opcode Fuzzy Hash: 24004059a5054ed82ea32f5189a89d06230e271599d16f4bc69ca7369cf1a339
Instruction Fuzzy Hash: 5331ED70B002058FCF68AB74D52466E7BE7FB88210F20846CD406DB3A8DE35DE45CB91

Function 06BC82D0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$kq, xrefs: 06BC831B

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: $kq
API String ID: 0-3037731980
Opcode ID: d567565a4840429c24ce4fad2f93fe5a2e3982a35151b665c27b9706322f0214
Instruction ID: 7a6716b9c689cb3a6e95a9ca12c73f12edb3bfd59a237848a73575c6067db5a2
Opcode Fuzzy Hash: d567565a4840429c24ce4fad2f93fe5a2e3982a35151b665c27b9706322f0214
Instruction Fuzzy Hash: 27F0FFB1B00111CFDF749A99EA906AC7BA1EBC0220F1064AEE905CB354C732DB02C791

Function 06BCB238 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec51bc744987cc0b4c636f6e2ec5a2c3c5d0b28543830decc066e9f660a3f7e1
Instruction ID: f9d31fa2a2b49babbbb9f269bbcb1501612a2ebf677a16bea043f3c1bd2eb492
Opcode Fuzzy Hash: ec51bc744987cc0b4c636f6e2ec5a2c3c5d0b28543830decc066e9f660a3f7e1
Instruction Fuzzy Hash: 6BA1E7B0F001088FEF64DA6DD5A57AEBBB6FB85320F20446DE405EB3A5CA35DD818B51

Function 06BC61F0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7b42f5fc514e5ea2127785568378d6c08a60a888d2c9c2c7ef1ff00f816ba8
Instruction ID: 702daf6346fc32b7f3fc87c2eb1a7d29f530aa945c83aebfa462955af439b232
Opcode Fuzzy Hash: ba7b42f5fc514e5ea2127785568378d6c08a60a888d2c9c2c7ef1ff00f816ba8
Instruction Fuzzy Hash: 7861C3B2F001214FCF519A7DC850A6EBBDBEFD4620B154479E80ADB379EE65DD028781

Function 06BC42A1 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad87676d8e23145d54ec2a0dabbc0a5e20eb2d9af04bba06c9b75740ce839384
Instruction ID: a51def24a89986521371aaf77c437374c18279f69caf6d0a56344164351eceed
Opcode Fuzzy Hash: ad87676d8e23145d54ec2a0dabbc0a5e20eb2d9af04bba06c9b75740ce839384
Instruction Fuzzy Hash: CA816D70B002098FCF54DFA9C5646AEB7F6EF88310F108969D40ADB398EB34ED468B51

Function 06BC42B0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa32726bf32f5d8f0ccc6ca6f585d1557dafad582b1023e6e27c8204d17dbeaa
Instruction ID: 6343bab7d2d898db389257069509156bd5d79edb7db331d78cf093cbab226f40
Opcode Fuzzy Hash: fa32726bf32f5d8f0ccc6ca6f585d1557dafad582b1023e6e27c8204d17dbeaa
Instruction Fuzzy Hash: DB816B70B102098FCF54DFA9D5646AEB7F6EB88310F108969D40ADB398EB34ED468B51

Function 06BC45C4 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4647a07b1b65e9b27bad3bc8e5fe5d6c7b3deef7a5495e5aaa744d02e96ea567
Instruction ID: 78a548689448ff71e41b577b8b64dc8aca68ecc155636808745e1b4469944996
Opcode Fuzzy Hash: 4647a07b1b65e9b27bad3bc8e5fe5d6c7b3deef7a5495e5aaa744d02e96ea567
Instruction Fuzzy Hash: D9916C70E1061A8FDF60DF68C890B9DB7B1FF89310F208599D549AB395DB70AA85CF90

Function 06BC45D8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8f383eaae41d2894d1b559dac4b38b67b79bbf455da2b7c203b5cdabeff29e
Instruction ID: 7c4cd10a8b2e7cd61784a2d5f804c51944a04a31129768b502160ca22c17bf1d
Opcode Fuzzy Hash: de8f383eaae41d2894d1b559dac4b38b67b79bbf455da2b7c203b5cdabeff29e
Instruction Fuzzy Hash: 74914B70E1061A8BDF60DF68C890B9DB7B1FF89310F208599D549AB394DB70AE85CF90

Function 06BCEB28 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458ab7366cc8f29129d5eb06d48c10b2c5ddc5a2fb814bc87442066246cb4c84
Instruction ID: c82673a113783fd306a1fb7248f498f88e90076fb0ab44ad8813b3e535a1baa7
Opcode Fuzzy Hash: 458ab7366cc8f29129d5eb06d48c10b2c5ddc5a2fb814bc87442066246cb4c84
Instruction Fuzzy Hash: D6712A70A012099FDB54DFA9D980AAEBBF6FF88310F248569D015EB355DB30ED46CB50

Function 06BCEB1A Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78452860bf9aa558dc324794b5a54d3c8667206379b27ad2ee6b07a9ba6fb95
Instruction ID: 2d88f8c8dda0c254b1e79cb798c39c8a431013b6c151a8da153260f4c36bafb0
Opcode Fuzzy Hash: a78452860bf9aa558dc324794b5a54d3c8667206379b27ad2ee6b07a9ba6fb95
Instruction Fuzzy Hash: A7713A70A002098FDB54DBA9D980AAEBBF6FF88314F248569D016EB355DB30ED46CB50

Function 06BCFBC8 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d480ce05e06c6724d99dc49c823871b43228ca257ab6f895a9a36d9196c1c997
Instruction ID: 4c156eec6a12f92a1526d1ae223843ce7666af462cbfd2828ab50af01ac9ece7
Opcode Fuzzy Hash: d480ce05e06c6724d99dc49c823871b43228ca257ab6f895a9a36d9196c1c997
Instruction Fuzzy Hash: 0251B0B1F001059FCF24AB78E8446BEBBBBEF44321F1088ADE516D7254DB359A55CB80

Function 06BCF968 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fec5b7358134bebb51eebdccc9ae3d841e797891736fd59e632af79a5cd232d
Instruction ID: 124b59b65fcc363fde8b6b9220920df10da1b3a66636706ded138cd3a2e44fc9
Opcode Fuzzy Hash: 1fec5b7358134bebb51eebdccc9ae3d841e797891736fd59e632af79a5cd232d
Instruction Fuzzy Hash: 7051F5B0B102149FEF606668D95473F766FDB89320F2055AAF00AD33EACA69CD4547A2

Function 06BCF978 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b8d9891a0d74ec3891271b4883033840159bd21d6b71a17b9c303bf924b43c
Instruction ID: 5bf47687a2a860f1ebb1b7e36d6a8be9c784ec3b17935a892d23c87d2acfe481
Opcode Fuzzy Hash: 37b8d9891a0d74ec3891271b4883033840159bd21d6b71a17b9c303bf924b43c
Instruction Fuzzy Hash: DA5108B0B102189FEF64666CD95473F366FDBC9320F2045AEF00AD33A9CA29CD4147A1

Function 06BC5428 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a8ba132176468bee7feaa5d21737ea4c34d70b5cf4ea2ff186f1cea6620912
Instruction ID: a2100fdcf24d6afbc3df5be8a7ca91f551fb46849ad4c625b1ed7cbdadd52e2c
Opcode Fuzzy Hash: 70a8ba132176468bee7feaa5d21737ea4c34d70b5cf4ea2ff186f1cea6620912
Instruction Fuzzy Hash: 694150B2E006098FCF70CE99D880AAFF7B6FB44320F10496AD216D7654D730FA658B91

Function 06BCFBB8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a370141c4e8fb911242df9cb6c73b62c7ee0b97a37937b526281bb792c8c8ae8
Instruction ID: 340f1e15178b575c0a587eba2c56c2a89349632811e99649b4233f7fd0221276
Opcode Fuzzy Hash: a370141c4e8fb911242df9cb6c73b62c7ee0b97a37937b526281bb792c8c8ae8
Instruction Fuzzy Hash: 11310F72E102058BCB14ABB8E8441AEBBBBFF84220F10C8BDE01697255DF36D9658790

Function 06BC207B Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4ba5391f86e5f549c64cd5fb6ad0aa377c8df89192b8455e1178fb753f6799
Instruction ID: c3e106e1f0ffc28120936fcd02c88b6353dbedcd32f2d2a11453cce3b7b453a4
Opcode Fuzzy Hash: 9c4ba5391f86e5f549c64cd5fb6ad0aa377c8df89192b8455e1178fb753f6799
Instruction Fuzzy Hash: B5318E74E102169FDB14CF69D85869EFBB2FF89310F108569E806EB350DB71AE46CB50

Function 06BCD970 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db50e192aade6193b0effd212449ec2d48296b1b0229270d2db1ce363b97261f
Instruction ID: 76b577cd31f81cc43bd4d160917ca5f25e51fed4933dfef3d0fbb70d2bf2f35f
Opcode Fuzzy Hash: db50e192aade6193b0effd212449ec2d48296b1b0229270d2db1ce363b97261f
Instruction Fuzzy Hash: 2131B074E1021A8FCF24DF68D98069EBBB6FF85214F108979E405EB355EB70E946CB90

Function 06BC2088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d404e6a7f113d5fe7d83c4efee1585e9a16a73664a369d35fac573430c7c0ac
Instruction ID: 31db15685c5a30cb22f6418434f13b61a17c3348e22ec52e0acd6f84e4b1ff18
Opcode Fuzzy Hash: 6d404e6a7f113d5fe7d83c4efee1585e9a16a73664a369d35fac573430c7c0ac
Instruction Fuzzy Hash: 59316974E102159FDB18CF68D99869EBBB2EF89310F108529E806E7354DB71AE46CB50

Function 06BC3AA1 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fae782db422cffad9c4fcc2ed939b6e3d8e78168587155d44e01f80be20223
Instruction ID: dfffec5f54e2c5522d5f78415a254b223ecb9e688b729ccfea20e8290a8fdb16
Opcode Fuzzy Hash: c1fae782db422cffad9c4fcc2ed939b6e3d8e78168587155d44e01f80be20223
Instruction Fuzzy Hash: 7721C171F006199FDF40EF6AD980AAEB7F5EB48710F14806AE905E7395E730DA418F94

Function 06BC3AB0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f48711a08b6343989dd0e60d5aafa2b71b843dd6c4a7c5df0ba49d23b1941da
Instruction ID: 63ca31906cfe384e8b0b505418f843fd393a9f878c9f926379a9dd0683f8f079
Opcode Fuzzy Hash: 9f48711a08b6343989dd0e60d5aafa2b71b843dd6c4a7c5df0ba49d23b1941da
Instruction Fuzzy Hash: 9C219075F006199FDF40DFAAD980AAEB7F1FB48720F14806AE905E7395E731DA408B94

Function 013DD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4121083798.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13dd000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1ce400f5472dfb11cf757e0a7b0e974bb2420cef4908d091201e3716b68472
Instruction ID: 7ed2f304775f434c3e2bc57e87a204820a62eede97e531eb4aec8e5e3adfa9ac
Opcode Fuzzy Hash: ec1ce400f5472dfb11cf757e0a7b0e974bb2420cef4908d091201e3716b68472
Instruction Fuzzy Hash: BE210472504204DFDB15DFA8E9C0B26BBA5FBC4318F24C56DD9094B696C33AD447CA62

Function 013DD006 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4121083798.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_13dd000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a8122f293f115a8fef5ae7fef6c690698b179f8d5b9b4cbb516fd11fd978fd7
Instruction ID: 88335d8503a0e23b5d4f9a0527debf3b2b54168ee9db67d34864f4846d396e29
Opcode Fuzzy Hash: 9a8122f293f115a8fef5ae7fef6c690698b179f8d5b9b4cbb516fd11fd978fd7
Instruction Fuzzy Hash: 4521817650D3C08FD703CF64D994715BF71AB46214F28C5EBD8898F6A7C23A980ACB62

Function 06BC3BC0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2eb9e67bb7afa84a685e403cb4bf96dfee8fe81ff2953ad5b265915ba75e73f
Instruction ID: eed99fcdb502eec01e453261537f837042f221467a76dd6c96738e64a5c917fc
Opcode Fuzzy Hash: f2eb9e67bb7afa84a685e403cb4bf96dfee8fe81ff2953ad5b265915ba75e73f
Instruction Fuzzy Hash: 4011C071B141298FCF54AA78D9546AF73EAEBC8760F408579D80AE7358EE34DC028BD0

Function 06BC4200 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e37acd57641864a75b06bacd314c178b1bc4f3955e3994ca900e9751282d6b8
Instruction ID: a7ca3008ad60dd8a37e49941ae4e8b959e8c1674b56a5b6010a302bb8f8e52e7
Opcode Fuzzy Hash: 9e37acd57641864a75b06bacd314c178b1bc4f3955e3994ca900e9751282d6b8
Instruction Fuzzy Hash: AD01D472B101100FDB51D6BC9929B2FB7EAEBD9624F14887EE00BDB745E965CE024391

Function 06BC3BAF Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e8ff3459f218f17335d9bf919605b5e2acd688184e019f2db0cefcc71724fa
Instruction ID: 77de46ed9c1844c98aada702809e9057148d5ee45de11789d4eccb0346ae8c63
Opcode Fuzzy Hash: 15e8ff3459f218f17335d9bf919605b5e2acd688184e019f2db0cefcc71724fa
Instruction Fuzzy Hash: 3601D431B141294BCF94AA6999242EF37EADBC8610F40817AD40AD7244FE60DC024BD1

Function 06BCA311 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f90a5f48290913b1b01f2bcad2ba35c8dd1347ca6ecca48739744149588c0c2
Instruction ID: ef7d48d6b314c02700f1d77e885d75c19660192d544573bac8be3924a1a58571
Opcode Fuzzy Hash: 8f90a5f48290913b1b01f2bcad2ba35c8dd1347ca6ecca48739744149588c0c2
Instruction Fuzzy Hash: 90018471B101244FCB65D67CE87471E7BE6EB8A760F10987DF44AC7395EA15ED018381

Function 06BC3880 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4744551b3623ef39f700783d7b4dda84b0dafb8ea3105353f68a0ae2e5dc629a
Instruction ID: e88434280492bd4fe05184b04ffc84b3b3bce81e7cf3ea3fae90e2696388c271
Opcode Fuzzy Hash: 4744551b3623ef39f700783d7b4dda84b0dafb8ea3105353f68a0ae2e5dc629a
Instruction Fuzzy Hash: E711A2B5D01259AFCB00DF9AD884ADEFFB4FB49320F50816AE518A7240C375A554CFA5

Function 06BC4210 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c708dfcfb8536531ef2f25533a5a32480c0e9ce1f4f32ed8b7ec78329bc763
Instruction ID: f0781a2828bd257049412de3023d9f621508bfc889608104b25e194a7f8a4fbb
Opcode Fuzzy Hash: d3c708dfcfb8536531ef2f25533a5a32480c0e9ce1f4f32ed8b7ec78329bc763
Instruction Fuzzy Hash: 65018131B204240BDB649ABDD465B2FB7DAEBD9B20F10983DE10BCB754EE61DE424391

Function 06BC3878 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d71774fc4c2012f4c5811f0d480bc5977e0ae288a245342098c1599b173e92f
Instruction ID: 8f138366f8a7cf0f5cc9955c0a19f9a283d3a2b04c93fa05ad28a1de47f7adc7
Opcode Fuzzy Hash: 4d71774fc4c2012f4c5811f0d480bc5977e0ae288a245342098c1599b173e92f
Instruction Fuzzy Hash: 2121C2B5D01259DFCB00DF99D984ADEFBB4FB08324F50856AE918B7200C375A554CFA4

Function 06BCED99 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2541f643ff819cff260c4d5dd3821f79b458149926bedf7fae1fc3dc51a287
Instruction ID: 7ec2df9102b86f73dd959ed0372d40030c5e459ec39a1241d784dde1845d136b
Opcode Fuzzy Hash: 4a2541f643ff819cff260c4d5dd3821f79b458149926bedf7fae1fc3dc51a287
Instruction Fuzzy Hash: 7B018F72F100218BCB55DA7CA55472AB3E6EBC9621F10997DE10ADB345EA61ED028781

Function 06BCEDA8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: addac8d637db0ecc90805f8cc42e5dbeaa94792032e2e0340726900dbc401a60
Instruction ID: a4d2bf7dfd199568e532ec02665f82aba4a1095b62192f7b505cf54d0884ba3d
Opcode Fuzzy Hash: addac8d637db0ecc90805f8cc42e5dbeaa94792032e2e0340726900dbc401a60
Instruction Fuzzy Hash: A0018C31F100258BCB64AA7DA45472EB7EADBC9A20F10D83DE10AC7344EE62ED034392

Function 06BCA320 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5102cde6633715a969b2ed136f32213c60f510dc43673052effb8980459c7a
Instruction ID: d108d8f96ada1c14464c4c282515e2e80c154addd210d1df92e5218f3af0a2d8
Opcode Fuzzy Hash: 7c5102cde6633715a969b2ed136f32213c60f510dc43673052effb8980459c7a
Instruction Fuzzy Hash: F9016D30B101284FCB64DABCE86472E77D6EBCA760F10983DE40AC7354EA22ED018381

Function 06BC6470 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e2fc1a4754402cf8b594a16ac6e027f989349b015eff8975cab6fd5b9d387d
Instruction ID: 0ad03e3166fdf7f89b15933fa6fbb5274f444df3b7ea937ec63fde770e32b226
Opcode Fuzzy Hash: 45e2fc1a4754402cf8b594a16ac6e027f989349b015eff8975cab6fd5b9d387d
Instruction Fuzzy Hash: C8E0D8B1E14208ABDF50CEB0CD55B4E7BACDB01225F1048E9D804C7182F136DE018350

Function 06BC6480 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa976699a50b98a0a6b50c08d3026a88d70fc42e5459dfcadbf44bb0d2ea6d04
Instruction ID: 42cc67e653dba2c64ec243aa646fad1074885d8ea4ed26762121c57ff5a788f1
Opcode Fuzzy Hash: aa976699a50b98a0a6b50c08d3026a88d70fc42e5459dfcadbf44bb0d2ea6d04
Instruction Fuzzy Hash: 42E0C2F0E20108ABDF50CEB0CA85B5A73ADD705224F2088E8D408C7201F133DF018390

Non-executed Functions

Function 06BC76A0 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$kq, xrefs: 06BC7C52
$kq, xrefs: 06BC7C3C
$kq, xrefs: 06BC7811
$kq, xrefs: 06BC7805
$kq, xrefs: 06BC7C46
$kq, xrefs: 06BC7B9D
$kq, xrefs: 06BC7C30
$kq, xrefs: 06BC77E0
$kq, xrefs: 06BC77D4
$kq, xrefs: 06BC7B91

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1324371161
Opcode ID: fa65eccba874de59d8ec6c9fcc9fc81da4ba4c5baf2f2e6c6bf898ac6049d6f8
Instruction ID: 17b12282d806e30999915123c6642d31d4521e03a9699f88c83cbe29dcc53cd3
Opcode Fuzzy Hash: fa65eccba874de59d8ec6c9fcc9fc81da4ba4c5baf2f2e6c6bf898ac6049d6f8
Instruction Fuzzy Hash: 01120A70E0121A8FDB64DF65C954AAEB7B2BF84310F2085ADD409AB364DF359E85CF90

Function 06BCA948 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$kq, xrefs: 06BCAA3E
$kq, xrefs: 06BCAB06
$kq, xrefs: 06BCAAD0
$kq, xrefs: 06BCAAFA
$kq, xrefs: 06BCAAC4
$kq, xrefs: 06BCAAA5
$kq, xrefs: 06BCAA99
$kq, xrefs: 06BCAA4A

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: c5381f7582d2697bfa4c88ae22e51aece95aed46a0d1cfffb000b17086136c12
Instruction ID: e888dcbb479a44f4479464e3a3b1c3d76f8699003cb3587bff581cfa64e81985
Opcode Fuzzy Hash: c5381f7582d2697bfa4c88ae22e51aece95aed46a0d1cfffb000b17086136c12
Instruction Fuzzy Hash: BB918070A1020D9FDB68EB65DA5476EBBF2FF84310F20856DE401973A4DB799E41CB90

Function 06BC70A0 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$kq, xrefs: 06BC7382
$kq, xrefs: 06BC75B4
$kq, xrefs: 06BC75A8
$kq, xrefs: 06BC753C
$kq, xrefs: 06BC73DC
$kq, xrefs: 06BC73E8

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 36353a8444f7daf78edb650b0b348a7084a3ffec9af7530b33d54484b3145d16
Instruction ID: 447110e35a2030274787d62f72059315a645cae13482c03daeb59e384c8f4964
Opcode Fuzzy Hash: 36353a8444f7daf78edb650b0b348a7084a3ffec9af7530b33d54484b3145d16
Instruction Fuzzy Hash: 5FF16870A01209CFDB58EBA9D554A6EB7B7FB94310F24856DD4059B3A8CF35ED82CB80

Function 06BC83D8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$kq, xrefs: 06BC8632
$kq, xrefs: 06BC86A3
$kq, xrefs: 06BC8697
$kq, xrefs: 06BC863E

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 254bb1e1003a8f2a84d2a10dd3ca838541e5c03ff0311889d06b0ab91597f73f
Instruction ID: 148a54cfc61d422279831b165e8995f31ba9eaf9ced27a02bd510d8b42c16871
Opcode Fuzzy Hash: 254bb1e1003a8f2a84d2a10dd3ca838541e5c03ff0311889d06b0ab91597f73f
Instruction Fuzzy Hash: 60B16A70B102198FCB64EF69D5506AEBBB2FF94310F24846ED0059B3A4DB35DD82CB80

Function 06BCACD0 Relevance: 5.2, Strings: 4, Instructions: 171COMMON

Download Yara Rule

Strings

$kq, xrefs: 06BCAE54
$kq, xrefs: 06BCAE83
$kq, xrefs: 06BCAE01
$kq, xrefs: 06BCAEAC

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: cc9ad8fc95e9fbae3d3e27d3a38c23fee87cbb22ef1f8d1ca05c8c94e78ef1ef
Instruction ID: ef27645713e37a67a6ee36d7a9a0e280477f8edb11515d90ccb7f89cbd12e767
Opcode Fuzzy Hash: cc9ad8fc95e9fbae3d3e27d3a38c23fee87cbb22ef1f8d1ca05c8c94e78ef1ef
Instruction Fuzzy Hash: 4551B170E2021D8FCF65EB69E5906AEB7B2EB84321F2095AED401D7364DB34ED41CB90

Function 06BC87F0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$kq, xrefs: 06BC886F
$kq, xrefs: 06BC887B
LRkq, xrefs: 06BC8932
LRkq, xrefs: 06BC88E3

Memory Dump Source

Source File: 00000003.00000002.4133276123.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc0000_9pIm5d0rsW.jbxd

Similarity

API ID:
String ID: LRkq$LRkq$$kq$$kq
API String ID: 0-2392252538
Opcode ID: af9fd1508db9cdd785e168dc710dcd53cda655f9c12a92f94a65ca39a6c00db6
Instruction ID: dbfb2e29908eb643904dbe155bf8958c3d651f0f652bbcb4d43616a4546d0795
Opcode Fuzzy Hash: af9fd1508db9cdd785e168dc710dcd53cda655f9c12a92f94a65ca39a6c00db6
Instruction Fuzzy Hash: 0851D770B002058FDB54EB29D950A6A7BE6FF84314F1485ADE4129B3A5DB31ED40C791

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9pIm5d0rsW.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9pIm5d0rsW.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0vpz1lzz.bql.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cazrgh0j.utj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cxkl0lc5.mzr.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zuzp3u5l.lgq.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
9pIm5d0rsW.exe

Function 07550040 Relevance: 8.5, Strings: 6, Instructions: 1022
COMMON

Function 00FAD559 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Function 00FAD568 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0755F4EC Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Function 0755F4F8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 00FAAEB7 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Function 00FA590D Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 00FA44D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0755F268 Relevance: 1.6, APIs: 1, Instructions: 76
injectionCOMMON

Function 0755F0D0 Relevance: 1.6, APIs: 1, Instructions: 70
threadCOMMON

Function 0755F270 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 0755F35A Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre