
Windows Analysis Report
7DpzcPcsTS.exe

Overview

General Information

Sample name: 7DpzcPcsTS.exe (renamed because the original name is a hash value)
Original sample name: e26b0860871046c78f03c38d50b4208dab3478c2decfd616ec8fcc4ed9986602.exe
Analysis ID: 1587620
MD5: 26c7aa73526769f273ed73844e684cd9
SHA1: 538b444037fd8f77af00200e826a5e4aab917015
SHA256: e26b0860871046c78f03c38d50b4208dab3478c2decfd616ec8fcc4ed9986602
Tags: exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 7DpzcPcsTS.exe (PID: 2736 cmdline: "C:\Users\user\Desktop\7DpzcPcsTS.exe" MD5: 26C7AA73526769F273ED73844E684CD9)
    • powershell.exe (PID: 2884 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7DpzcPcsTS.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5712 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • 7DpzcPcsTS.exe (PID: 6592 cmdline: "C:\Users\user\Desktop\7DpzcPcsTS.exe" MD5: 26C7AA73526769F273ED73844E684CD9)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.privateemail.com", "Username": "info@bondamit.shop", "Password": "payment1759"}
Source | Rule | Description | Author
00000004.00000002.2710083020.00000000029CC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.2708102365.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.2708102365.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.2710083020.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.2710083020.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(7 entries in total; the first 5 are shown)

Source | Rule | Description | Author
0.2.7DpzcPcsTS.exe.423b410.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.7DpzcPcsTS.exe.423b410.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.7DpzcPcsTS.exe.423b410.2.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  Matched strings:
  • 0x31695:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31707:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x31791:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31823:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3188d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x318ff:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x31995:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a25:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.7DpzcPcsTS.exe.42009f0.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.7DpzcPcsTS.exe.42009f0.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(12 entries in total; the first 5 are shown)

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7DpzcPcsTS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7DpzcPcsTS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7DpzcPcsTS.exe", ParentImage: C:\Users\user\Desktop\7DpzcPcsTS.exe, ParentProcessId: 2736, ParentProcessName: 7DpzcPcsTS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7DpzcPcsTS.exe", ProcessId: 2884, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7DpzcPcsTS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7DpzcPcsTS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7DpzcPcsTS.exe", ParentImage: C:\Users\user\Desktop\7DpzcPcsTS.exe, ParentProcessId: 2736, ParentProcessName: 7DpzcPcsTS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7DpzcPcsTS.exe", ProcessId: 2884, ProcessName: powershell.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 66.29.159.53, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\7DpzcPcsTS.exe, Initiated: true, ProcessId: 6592, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49708
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7DpzcPcsTS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7DpzcPcsTS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7DpzcPcsTS.exe", ParentImage: C:\Users\user\Desktop\7DpzcPcsTS.exe, ParentProcessId: 2736, ParentProcessName: 7DpzcPcsTS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7DpzcPcsTS.exe", ProcessId: 2884, ProcessName: powershell.exe
                    No Suricata rule has matched

                    AV Detection

Source: 4.2.7DpzcPcsTS.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.privateemail.com", "Username": "info@bondamit.shop", "Password": "payment1759"}
Source: 7DpzcPcsTS.exe | Virustotal: Detection: 54%
Source: 7DpzcPcsTS.exe | ReversingLabs: Detection: 86%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 7DpzcPcsTS.exe | Joe Sandbox ML: detected
Source: 7DpzcPcsTS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: 7DpzcPcsTS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: FcLw.pdb source: 7DpzcPcsTS.exe
Source: Binary string: FcLw.pdbSHA2561 source: 7DpzcPcsTS.exe

                    Networking

Source: Yara match | File source: 0.2.7DpzcPcsTS.exe.423b410.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7DpzcPcsTS.exe.42009f0.4.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.8:49708 -> 66.29.159.53:587
Source: Joe Sandbox View | IP Address: 66.29.159.53
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | ASN Name: ADVANTAGECOMUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: smtp.privateemail.com
Source: 7DpzcPcsTS.exe, 00000004.00000002.2708459949.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, 7DpzcPcsTS.exe, 00000004.00000002.2710083020.00000000029D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 7DpzcPcsTS.exe, 00000004.00000002.2708459949.0000000000C36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 7DpzcPcsTS.exe, 00000004.00000002.2708459949.0000000000C36000.00000004.00000020.00020000.00000000.sdmp, 7DpzcPcsTS.exe, 00000004.00000002.2710083020.00000000029D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: 7DpzcPcsTS.exe, 00000004.00000002.2708459949.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, 7DpzcPcsTS.exe, 00000004.00000002.2710083020.00000000029D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: 7DpzcPcsTS.exe, 00000004.00000002.2708459949.0000000000C36000.00000004.00000020.00020000.00000000.sdmp, 7DpzcPcsTS.exe, 00000004.00000002.2710083020.00000000029D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: 7DpzcPcsTS.exe, 00000000.00000002.1483480261.0000000003214000.00000004.00000800.00020000.00000000.sdmp, 7DpzcPcsTS.exe, 00000004.00000002.2710083020.0000000002951000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 7DpzcPcsTS.exe, 00000004.00000002.2710083020.00000000029CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://smtp.privateemail.com
Source: 7DpzcPcsTS.exe | String found in binary or memory: http://tempuri.org/DataSet1.xsdQdelete
Source: 7DpzcPcsTS.exe, 00000000.00000002.1485605622.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, 7DpzcPcsTS.exe, 00000004.00000002.2708102365.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: 7DpzcPcsTS.exe, 00000000.00000002.1485605622.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, 7DpzcPcsTS.exe, 00000004.00000002.2710083020.0000000002951000.00000004.00000800.00020000.00000000.sdmp, 7DpzcPcsTS.exe, 00000004.00000002.2708102365.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: 7DpzcPcsTS.exe, 00000004.00000002.2710083020.0000000002951000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: 7DpzcPcsTS.exe, 00000004.00000002.2710083020.0000000002951000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: 7DpzcPcsTS.exe, 00000004.00000002.2708459949.0000000000C36000.00000004.00000020.00020000.00000000.sdmp, 7DpzcPcsTS.exe, 00000004.00000002.2710083020.00000000029D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49706 version: TLS 1.2

                    System Summary

                    Source: 0.2.7DpzcPcsTS.exe.423b410.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.7DpzcPcsTS.exe.42009f0.4.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 4.2.7DpzcPcsTS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.7DpzcPcsTS.exe.423b410.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.7DpzcPcsTS.exe.42009f0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 0_2_017CD5BC0_2_017CD5BC
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 0_2_0915C9200_2_0915C920
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 0_2_091584E80_2_091584E8
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 0_2_0915F9380_2_0915F938
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 0_2_0915F4FA0_2_0915F4FA
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_0282E2C14_2_0282E2C1
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_02824AA04_2_02824AA0
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_0282AA274_2_0282AA27
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_02823E884_2_02823E88
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_028241D04_2_028241D0
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_0663A4944_2_0663A494
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_0663A1784_2_0663A178
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_0663BA004_2_0663BA00
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_0663D8104_2_0663D810
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_066466784_2_06646678
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_066456304_2_06645630
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_0664C2204_2_0664C220
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_0664B2BA4_2_0664B2BA
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_066430F84_2_066430F8
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_06647E084_2_06647E08
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_066477284_2_06647728
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_0664E4484_2_0664E448
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_066400404_2_06640040
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_066400064_2_06640006
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeCode function: 4_2_06645D674_2_06645D67
                    Source: 7DpzcPcsTS.exe, 00000000.00000002.1481735938.000000000122E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 7DpzcPcsTS.exe
                    Source: 7DpzcPcsTS.exe, 00000000.00000000.1450618222.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameFcLw.exe8 vs 7DpzcPcsTS.exe
                    Source: 7DpzcPcsTS.exe, 00000000.00000002.1483480261.0000000003214000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamebb26f961-fadf-4425-9082-cde080536011.exe4 vs 7DpzcPcsTS.exe
                    Source: 7DpzcPcsTS.exe, 00000000.00000002.1485605622.00000000041E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamebb26f961-fadf-4425-9082-cde080536011.exe4 vs 7DpzcPcsTS.exe
                    Source: 7DpzcPcsTS.exe, 00000000.00000002.1485605622.00000000041E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs 7DpzcPcsTS.exe
                    Source: 7DpzcPcsTS.exe, 00000000.00000002.1488936450.0000000007B00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs 7DpzcPcsTS.exe
                    Source: 7DpzcPcsTS.exe, 00000004.00000002.2708102365.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenamebb26f961-fadf-4425-9082-cde080536011.exe4 vs 7DpzcPcsTS.exe
                    Source: 7DpzcPcsTS.exe, 00000004.00000002.2708398926.0000000000B39000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs 7DpzcPcsTS.exe
                    Source: 7DpzcPcsTS.exeBinary or memory string: OriginalFilenameFcLw.exe8 vs 7DpzcPcsTS.exe
                    Source: 7DpzcPcsTS.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.7DpzcPcsTS.exe.423b410.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.7DpzcPcsTS.exe.42009f0.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 4.2.7DpzcPcsTS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.7DpzcPcsTS.exe.423b410.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.7DpzcPcsTS.exe.42009f0.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 7DpzcPcsTS.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/6@2/2
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7DpzcPcsTS.exe.logJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5636:120:WilError_03
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3a51dgjt.apm.ps1Jump to behavior
                    Source: 7DpzcPcsTS.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 7DpzcPcsTS.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: 7DpzcPcsTS.exeVirustotal: Detection: 54%
                    Source: 7DpzcPcsTS.exeReversingLabs: Detection: 86%
                    Source: 7DpzcPcsTS.exeString found in binary or memory: -Add Fertilizer Details
                    Source: 7DpzcPcsTS.exeString found in binary or memory: /Add Transaction Details!Transaction Name!Transaction Type/Transaction Description
                    Source: unknownProcess created: C:\Users\user\Desktop\7DpzcPcsTS.exe "C:\Users\user\Desktop\7DpzcPcsTS.exe"
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7DpzcPcsTS.exe"
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeProcess created: C:\Users\user\Desktop\7DpzcPcsTS.exe "C:\Users\user\Desktop\7DpzcPcsTS.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7DpzcPcsTS.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeProcess created: C:\Users\user\Desktop\7DpzcPcsTS.exe "C:\Users\user\Desktop\7DpzcPcsTS.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: version.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: vaultcli.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Section loaded: wintypes.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: 7DpzcPcsTS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: 7DpzcPcsTS.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: 7DpzcPcsTS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: FcLw.pdb source: 7DpzcPcsTS.exe
                    Source: Binary string: FcLw.pdbSHA2561 source: 7DpzcPcsTS.exe
                    Source: 7DpzcPcsTS.exe Static PE information: 0xECEC1038 [Fri Dec 16 17:07:04 2095 UTC]
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Code function: 4_2_02820C6D push edi; retf 4_2_02820C7A
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Code function: 4_2_0663FBCD push es; iretd 4_2_0663FBDC
                    Source: 7DpzcPcsTS.exe Static PE information: section name: .text entropy: 7.542312672926484

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match, File source: Process Memory Space: 7DpzcPcsTS.exe PID: 2736, type: MEMORYSTR
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Memory allocated: 1720000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Memory allocated: 31E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Memory allocated: 1720000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Memory allocated: 9160000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Memory allocated: A160000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Memory allocated: A360000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Memory allocated: B360000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Memory allocated: 2790000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Memory allocated: 2950000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Memory allocated: 4950000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7684
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2046
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Window / User API: threadDelayed 1373
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Window / User API: threadDelayed 2610
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 4840 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5588 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 792 Thread sleep count: 1373 > 30
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -99874s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 792 Thread sleep count: 2610 > 30
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -99438s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -99200s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -99078s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -98969s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -98859s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -98750s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -98641s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -98516s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -98391s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -98281s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -98166s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -98040s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -97922s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -97813s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -97690s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe TID: 2112 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 99874
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 99765
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 99656
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 99547
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 99438
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 99313
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 99200
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 99078
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 98969
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 98859
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 98750
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 98641
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 98516
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 98391
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 98281
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 98166
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 98040
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 97922
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 97813
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 97690
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Thread delayed: delay time: 922337203685477
Source: 7DpzcPcsTS.exe, 00000000.00000002.1485605622.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, 7DpzcPcsTS.exe, 00000004.00000002.2708102365.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: hgfsZrw6
Source: 7DpzcPcsTS.exe, 00000004.00000002.2708459949.0000000000C36000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7DpzcPcsTS.exe"
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Process created: C:\Users\user\Desktop\7DpzcPcsTS.exe "C:\Users\user\Desktop\7DpzcPcsTS.exe"
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Queries volume information: C:\Users\user\Desktop\7DpzcPcsTS.exe VolumeInformation
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Queries volume information: C:\Users\user\Desktop\7DpzcPcsTS.exe VolumeInformation
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    barindex
Source: Yara match, file source: 0.2.7DpzcPcsTS.exe.423b410.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7DpzcPcsTS.exe.42009f0.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.7DpzcPcsTS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7DpzcPcsTS.exe.423b410.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7DpzcPcsTS.exe.42009f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000004.00000002.2710083020.00000000029CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.2708102365.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.2710083020.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1485605622.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: 7DpzcPcsTS.exe PID: 2736, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: 7DpzcPcsTS.exe PID: 6592, type: MEMORYSTR
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe, key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe, file opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe, file opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe, file opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe, file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe, file opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe, file opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe, file opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe, file opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe, key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\7DpzcPcsTS.exe, key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match, file source: 0.2.7DpzcPcsTS.exe.423b410.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7DpzcPcsTS.exe.42009f0.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.7DpzcPcsTS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7DpzcPcsTS.exe.423b410.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7DpzcPcsTS.exe.42009f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000004.00000002.2708102365.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.2710083020.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1485605622.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: 7DpzcPcsTS.exe PID: 2736, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: 7DpzcPcsTS.exe PID: 6592, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match, file source: 0.2.7DpzcPcsTS.exe.423b410.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7DpzcPcsTS.exe.42009f0.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.7DpzcPcsTS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7DpzcPcsTS.exe.423b410.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7DpzcPcsTS.exe.42009f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000004.00000002.2710083020.00000000029CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.2708102365.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.2710083020.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1485605622.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: 7DpzcPcsTS.exe PID: 2736, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: 7DpzcPcsTS.exe PID: 6592, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques flagged for this sample, grouped by tactic. The number in parentheses is the count badge printed next to the technique in the report's matrix; matrix cells that carried no badge were empty template entries and are omitted.

Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no techniques flagged
Execution: Windows Management Instrumentation (121); Command and Scripting Interpreter (2)
Persistence: DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1); Process Injection (11)
Defense Evasion: Disable or Modify Tools (11); Obfuscated Files or Information (2); Software Packing (2); Timestomp (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (141); Process Injection (11)
Credential Access: OS Credential Dumping (2); Credentials in Registry (1)
Discovery: File and Directory Discovery (1); System Information Discovery (24); Query Registry (1); Security Software Discovery (111); Process Discovery (1); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); System Network Configuration Discovery (1)
Collection: Archive Collected Data (1); Data from Local System (2); Email Collection (1)
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (23)
Behavior Graph (text recovered from the graph; ID: 1587620, Sample: 7DpzcPcsTS.exe, Startdate: 10/01/2025, Architecture: WINDOWS, Score: 100)

Contacted hosts: smtp.privateemail.com, api.ipify.org
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures

Process tree:
7DpzcPcsTS.exe (started)
    Dropped file: C:\Users\user\AppData\...\7DpzcPcsTS.exe.log (ASCII)
    Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Adds a directory exclusion to Windows Defender
    7DpzcPcsTS.exe (started)
        Network: smtp.privateemail.com (66.29.159.53, ports 49708 and 587, ADVANTAGECOMUS, United States); api.ipify.org (172.67.74.152, ports 443 and 49706, CLOUDFLARENETUS, United States)
        Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    powershell.exe (started)
        Signature: Loading BitLocker PowerShell Module
        conhost.exe (started)
        WmiPrvSE.exe (started)

Source | Detection | Scanner | Label
7DpzcPcsTS.exe | 55% | Virustotal |
7DpzcPcsTS.exe | 87% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
7DpzcPcsTS.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://smtp.privateemail.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 172.67.74.152 | true | false | | high
smtp.privateemail.com | 66.29.159.53 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 7DpzcPcsTS.exe, 00000004.00000002.2708459949.0000000000C36000.00000004.00000020.00020000.00000000.sdmp, 7DpzcPcsTS.exe, 00000004.00000002.2710083020.00000000029D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org | 7DpzcPcsTS.exe, 00000000.00000002.1485605622.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, 7DpzcPcsTS.exe, 00000004.00000002.2710083020.0000000002951000.00000004.00000800.00020000.00000000.sdmp, 7DpzcPcsTS.exe, 00000004.00000002.2708102365.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://sectigo.com/CPS0 | 7DpzcPcsTS.exe, 00000004.00000002.2708459949.0000000000C36000.00000004.00000020.00020000.00000000.sdmp, 7DpzcPcsTS.exe, 00000004.00000002.2710083020.00000000029D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | 7DpzcPcsTS.exe, 00000000.00000002.1485605622.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, 7DpzcPcsTS.exe, 00000004.00000002.2708102365.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://ocsp.sectigo.com0 | 7DpzcPcsTS.exe, 00000004.00000002.2708459949.0000000000C36000.00000004.00000020.00020000.00000000.sdmp, 7DpzcPcsTS.exe, 00000004.00000002.2710083020.00000000029D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | 7DpzcPcsTS.exe, 00000004.00000002.2710083020.0000000002951000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 7DpzcPcsTS.exe, 00000000.00000002.1483480261.0000000003214000.00000004.00000800.00020000.00000000.sdmp, 7DpzcPcsTS.exe, 00000004.00000002.2710083020.0000000002951000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/DataSet1.xsdQdelete | 7DpzcPcsTS.exe | false | | high
http://smtp.privateemail.com | 7DpzcPcsTS.exe, 00000004.00000002.2710083020.00000000029CC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
66.29.159.53 | smtp.privateemail.com | United States | 19538 | ADVANTAGECOMUS | true
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587620
Start date and time: 2025-01-10 15:52:33 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 7DpzcPcsTS.exe (renamed because the original name is a hash value)
Original Sample Name: e26b0860871046c78f03c38d50b4208dab3478c2decfd616ec8fcc4ed9986602.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/6@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 75
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.23.242.162, 20.109.210.53, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:53:33 | API Interceptor | 23x Sleep call for process: 7DpzcPcsTS.exe modified
09:53:36 | API Interceptor | 18x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
66.29.159.53 | C2jr42FUsv.exe | malicious | AgentTesla |
 | DB_DHL_AWB_001833022AD.exe | malicious | AgentTesla |
 | Remittance Receipt.exe | malicious | AgentTesla |
 | Payment Slip.exe | malicious | GuLoader, Snake Keylogger |
 | HSBC Payment Advice_pdf.exe | malicious | AgentTesla |
 | Payment List.bat.exe | malicious | AgentTesla |
 | INQUIRY RE44535_pdf.exe | malicious | AgentTesla, PureLog Stealer |
 | Texas_Tool_Purchase_Order#T18834-1.vbs | malicious | AgentTesla, GuLoader |
 | Swift_Message#1234323456.vbs | malicious | AgentTesla, GuLoader |
 | e-dekont_swift-details.vbs | malicious | AgentTesla, GuLoader |
172.67.74.152 | jgbC220X2U.exe | malicious | Unknown | api.ipify.org/?format=text
 | malware.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/
 | Simple1.exe | malicious | Unknown | api.ipify.org/
 | Simple2.exe | malicious | Unknown | api.ipify.org/
 | systemConfigChecker.exe | malicious | Unknown | api.ipify.org/
 | systemConfigChecker.exe | malicious | Unknown | api.ipify.org/
 | 2b7cu0KwZl.exe | malicious | Unknown | api.ipify.org/
 | Zc9eO57fgF.elf | malicious | Unknown | api.ipify.org/
 | 67065b4c84713_Javiles.exe | malicious | RDPWrap Tool | api.ipify.org/
 | Yc9hcFC1ux.exe | malicious | Unknown | api.ipify.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
smtp.privateemail.com | C2jr42FUsv.exe | malicious | AgentTesla | 66.29.159.53
 | DB_DHL_AWB_001833022AD.exe | malicious | AgentTesla | 66.29.159.53
 | Remittance Receipt.exe | malicious | AgentTesla | 66.29.159.53
 | Payment Slip.exe | malicious | GuLoader, Snake Keylogger | 66.29.159.53
 | HSBC Payment Advice_pdf.exe | malicious | AgentTesla | 66.29.159.53
 | Payment List.bat.exe | malicious | AgentTesla | 66.29.159.53
 | INQUIRY RE44535_pdf.exe | malicious | AgentTesla, PureLog Stealer | 66.29.159.53
 | Texas_Tool_Purchase_Order#T18834-1.vbs | malicious | AgentTesla, GuLoader | 66.29.159.53
 | Swift_Message#1234323456.vbs | malicious | AgentTesla, GuLoader | 66.29.159.53
 | e-dekont_swift-details.vbs | malicious | AgentTesla, GuLoader | 66.29.159.53
api.ipify.org | B8FnDUj8hy.exe | malicious | AgentTesla | 104.26.13.205
 | FSRHC6mB16.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
 | 9pIm5d0rsW.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 104.26.13.205
 | VYLigyTDuW.exe | malicious | AgentTesla | 172.67.74.152
 | gem1.exe | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
 | https://www.tremendous.com/email/activate/yE_yBdRtyVv4Xqgg7hu_ | malicious | Unknown | 172.67.74.152
 | https://marcuso-wq.github.io/home/ | malicious | HTMLPhisher | 172.67.74.152
 | drop1.exe | malicious | CredGrabber, Meduza Stealer | 172.67.74.152
 | https://vq6btbhdpo.nutignaera.shop/?email=YWxlamFuZHJvLmdhcnJpZG9Ac2VhYm9hcmRtYXJpbmUuY29t | malicious | EvilProxy, HTMLPhisher | 104.26.12.205
 | EZZGTmJj4O.exe | malicious | AgentTesla | 104.26.13.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ADVANTAGECOMUS | DHL-DOC83972025-1.exe | malicious | FormBook | 66.29.149.46
 | KSts9xW7qy.exe | malicious | FormBook | 66.29.132.194
 | BP-50C26_20241220_082241.exe | malicious | FormBook | 66.29.149.46
 | https://universidad-unidem.edu.mx/mah/i/amFjb2JAc3RlaW5ib3JuLmNvbQ== | malicious | HTMLPhisher | 66.29.153.55
 | rDHL8350232025-2.exe | malicious | FormBook | 66.29.149.46
 | DHL 8350232025-1.exe | malicious | FormBook | 66.29.149.46
 | DHL 745-12302024.exe | malicious | FormBook | 66.29.149.46
 | DHL 806-232024.exe | malicious | FormBook | 66.29.149.46
 | DHL 0737-12182024.exe | malicious | FormBook | 66.29.149.46
 | DHL 073412182024.exe | malicious | FormBook | 66.29.149.46
CLOUDFLARENETUS | B8FnDUj8hy.exe | malicious | AgentTesla | 104.26.13.205
 | B3aqD8srjF.exe | malicious | Snake Keylogger | 104.21.48.1
 | FSRHC6mB16.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
 | 9pIm5d0rsW.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 104.26.13.205
 | B7N48hmO78.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
 | VIAmJUhQ54.exe | malicious | MassLogger RAT | 104.21.80.1
 | VYLigyTDuW.exe | malicious | AgentTesla | 172.67.74.152
 | bd9Gvqt6AK.exe | malicious | Snake Keylogger | 104.21.80.1
 | PO-0005082025 pdf.exe | malicious | FormBook, PureLog Stealer | 172.67.131.144
 | zrNcqxZRSM.exe | malicious | CobaltStrike, Metasploit | 188.114.96.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | B8FnDUj8hy.exe | malicious | AgentTesla | 172.67.74.152
 | FSRHC6mB16.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
 | 9pIm5d0rsW.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 172.67.74.152
 | B7N48hmO78.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.74.152
 | VIAmJUhQ54.exe | malicious | MassLogger RAT | 172.67.74.152
 | VYLigyTDuW.exe | malicious | AgentTesla | 172.67.74.152
 | QUOTATION-9044456778.pdf (83kb).com.exe | malicious | PureLog Stealer, Quasar | 172.67.74.152
 | PO#17971.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 172.67.74.152
 | https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGN | malicious | Unknown | 172.67.74.152
                                                              No context
                                                              Process:C:\Users\user\Desktop\7DpzcPcsTS.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1216
                                                              Entropy (8bit):5.34331486778365
                                                              Encrypted:false
                                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                              Malicious:true
                                                              Reputation:high, very likely benign file
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):2232
                                                              Entropy (8bit):5.3785452578096224
                                                              Encrypted:false
                                                              SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZPUyufF:fLHyIFKL3IZ2KRH9OugbfF
                                                              MD5:6E4605A73E70C5DECB26660C6B35DAC8
                                                              SHA1:6EA7BCD64C17FC318F89E67E6863B52C82935D1B
                                                              SHA-256:BCEB0C7AAD4BCE81AC03D5DA59372611CBDA984B197A20E03316E41DB421F005
                                                              SHA-512:4D00C9D1725D18CB85DFBA5035666FFD85D9CF3C8CBB7958AB23E7D65C44240A6DF00F492105B5DA2F0E7DF5992F3DF21D9F1BA24922EDEEFA6AFC889042DA3F
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Reputation:high, very likely benign file
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
Three further dropped files from C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe are byte-identical to the file above (same size, SSDEEP, MD5, SHA1, SHA-256 and SHA-512, same preview line, Malicious: false).
                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):7.53679494624098
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              • DOS Executable Generic (2002/1) 0.01%
                                                              File name:7DpzcPcsTS.exe
                                                              File size:826'368 bytes
                                                              MD5:26c7aa73526769f273ed73844e684cd9
                                                              SHA1:538b444037fd8f77af00200e826a5e4aab917015
                                                              SHA256:e26b0860871046c78f03c38d50b4208dab3478c2decfd616ec8fcc4ed9986602
                                                              SHA512:a82f36d8b5b7f9fbe20cc599d01520d7299c452d287141b472d796c849db8faba85dace4c9f50dbc697b17cd5d93f02a73db5cec43aed12452c260cbd356d929
                                                              SSDEEP:12288:PNaaJeMNR5mHZCbvlIYihHbnLR1qQ9x5/sdmlx+BVimE5Yp:kluUCRpgHbn5b5NWV5E5a
                                                              TLSH:1B05BF146A548F53CA7487F57872E07013F85EAEA41EF2655EC17EEBB9A2F008950F83
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8.................0..~............... ........@.. ....................................@................................
                                                              Icon Hash:4f4b4c4c4c4a239f
                                                              Entrypoint:0x4c9d96
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0xECEC1038 [Fri Dec 16 17:07:04 2095 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the remainder of the disassembled window is zero padding; each 00 00 byte pair decodes as add byte ptr [eax], al, repeated 97 times)
The jmp target 0x402000 is the imagebase (0x400000) plus the IAT RVA (0x2000) from the directory table below, and the only import is mscoree.dll!_CorExeMain: this is the standard native entry stub of a .NET executable, so the native disassembly says nothing about the payload, which lives in the CIL metadata referenced by the COM descriptor at RVA 0x2008.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc9d42 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xca000 | 0x1914 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xcc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc5d1c | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc7d9c | 0xc7e00 | f90099b23ba3f9dc43dbf6a479953889 | False | 0.8110049249530957 | data | 7.542312672926484 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xca000 | 0x1914 | 0x1a00 | 58da8c773a504d8c33478f6d791ea553 | False | 0.7384314903846154 | data | 7.1529095290171645 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xcc000 | 0xc | 0x200 | 80448a8162464f69bc13b537938c9788 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xca130 | 0x1255 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.8740677604943533
RT_GROUP_ICON | 0xcb388 | 0x14 | data | | | 0.9
RT_VERSION | 0xcb39c | 0x38c | PGP symmetric key encrypted data - Plaintext or unencrypted data | | | 0.42290748898678415
RT_MANIFEST | 0xcb728 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
The RT_VERSION type string is libmagic's guess for the VS_VERSIONINFO blob; that signature is a well-known misidentification on binary resource data and does not indicate PGP content.
DLL | Import
mscoree.dll | _CorExeMain
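The static fields above are enough to reproduce the report's own "suspicious time stamp" and high-entropy observations and to confirm the .NET entry stub. The following is an added example written for this page, not Joe Sandbox code: the SAMPLE dictionary is filled from the tables above, the analysis date is taken from the packet timestamps further down, and the helper names, the 7.0 entropy threshold and the flag strings are this example's own assumptions.

```python
"""Static triage checks over the PE summary fields reported for 7DpzcPcsTS.exe.

Example written for this page; the field values are copied from the report's
static tables, the helper names and thresholds are assumptions of this example.
"""
import math
from datetime import datetime, timedelta, timezone

# Constructed from the report's PE tables (imagebase, entrypoint, directories, sections).
SAMPLE = {
    "timestamp": 0xECEC1038,               # IMAGE_FILE_HEADER.TimeDateStamp
    "imagebase": 0x400000,
    "entrypoint_rva": 0xC9D96,
    "entry_stub_jmp_target": 0x402000,     # "jmp dword ptr [00402000h]"
    "iat_rva": 0x2000,
    "com_descriptor_rva": 0x2008,          # non-zero => CLR header present
    "imports": {"mscoree.dll": ["_CorExeMain"]},
    "sections": {
        ".text": {"vsize": 0xC7D9C, "rawsize": 0xC7E00, "entropy": 7.542312672926484},
        ".rsrc": {"vsize": 0x1914, "rawsize": 0x1A00, "entropy": 7.1529095290171645},
        ".reloc": {"vsize": 0xC, "rawsize": 0x200, "entropy": 0.09800417566270775},
    },
}
# Analysis date taken from the report's packet timestamps (Jan 10, 2025).
ANALYSIS_DATE = datetime(2025, 1, 10, tzinfo=timezone.utc)

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def decode_pe_timestamp(ts: int) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch, UTC. Built with timedelta
    so it also works past 2038 on platforms with a 32-bit time_t."""
    return EPOCH + timedelta(seconds=ts)


def timestamp_is_suspicious(ts: int, analysed_at: datetime) -> bool:
    """A compile time after the analysis date cannot be genuine; a zero stamp
    is also flagged (some packers and reproducible builds zero it)."""
    return ts == 0 or decode_pe_timestamp(ts) > analysed_at


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0 .. 8.0; values near 8 mean compressed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_clr_entry_stub(s: dict) -> bool:
    """The native entrypoint of a .NET EXE is a 'jmp [IAT slot]' whose slot holds
    mscoree!_CorExeMain; confirm the jmp target is the IAT and a CLR header exists."""
    return (s["entry_stub_jmp_target"] == s["imagebase"] + s["iat_rva"]
            and s["com_descriptor_rva"] != 0
            and s["imports"] == {"mscoree.dll": ["_CorExeMain"]})


def triage(s: dict, analysed_at: datetime, entropy_threshold: float = 7.0) -> list:
    """Return the triage flags a reviewer would raise from the summary fields alone."""
    flags = []
    if timestamp_is_suspicious(s["timestamp"], analysed_at):
        flags.append("timestamp:%s" % decode_pe_timestamp(s["timestamp"]).isoformat())
    for name, sec in s["sections"].items():
        if sec["entropy"] >= entropy_threshold:
            flags.append("high-entropy:%s" % name)
        if sec["vsize"] > sec["rawsize"]:
            flags.append("vsize>rawsize:%s" % name)   # space reserved for unpacking at load time
    if is_clr_entry_stub(s):
        flags.append("clr-stub-entry")
    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE, ANALYSIS_DATE):
        print(flag)
```

On this sample the checks return the future timestamp (December 2095), high entropy for .text and .rsrc, and the CLR stub; no section has a virtual size larger than its raw size, so nothing is unpacked into reserved space at load time, which is consistent with the payload being carried in the CIL rather than by a native unpacker.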
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 15:53:37.643431902 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152
Jan 10, 2025 15:53:37.643476963 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8
Jan 10, 2025 15:53:37.643659115 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152
Jan 10, 2025 15:53:37.683270931 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152
Jan 10, 2025 15:53:37.683285952 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8
Jan 10, 2025 15:53:38.172660112 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8
Jan 10, 2025 15:53:38.172904015 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152
Jan 10, 2025 15:53:38.176680088 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152
Jan 10, 2025 15:53:38.176707029 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8
Jan 10, 2025 15:53:38.177078009 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8
Jan 10, 2025 15:53:38.224668980 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152
Jan 10, 2025 15:53:38.348572016 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152
Jan 10, 2025 15:53:38.391330957 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8
Jan 10, 2025 15:53:38.463576078 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8
Jan 10, 2025 15:53:38.463639975 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8
Jan 10, 2025 15:53:38.464274883 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152
Jan 10, 2025 15:53:38.487199068 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152
Jan 10, 2025 15:53:39.944082022 CET | 49708 | 587 | 192.168.2.8 | 66.29.159.53
Jan 10, 2025 15:53:39.948909044 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:39.948971987 CET | 49708 | 587 | 192.168.2.8 | 66.29.159.53
Jan 10, 2025 15:53:40.725533009 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:40.725850105 CET | 49708 | 587 | 192.168.2.8 | 66.29.159.53
Jan 10, 2025 15:53:40.730686903 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:40.887244940 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:40.887427092 CET | 49708 | 587 | 192.168.2.8 | 66.29.159.53
Jan 10, 2025 15:53:40.895304918 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:41.049264908 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:41.049789906 CET | 49708 | 587 | 192.168.2.8 | 66.29.159.53
Jan 10, 2025 15:53:41.056091070 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:41.209187984 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:41.209208965 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:41.209220886 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:41.209232092 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:41.209245920 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:41.209265947 CET | 49708 | 587 | 192.168.2.8 | 66.29.159.53
Jan 10, 2025 15:53:41.209319115 CET | 49708 | 587 | 192.168.2.8 | 66.29.159.53
Jan 10, 2025 15:53:41.248248100 CET | 49708 | 587 | 192.168.2.8 | 66.29.159.53
Jan 10, 2025 15:53:41.253019094 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:41.407022953 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:41.411427021 CET | 49708 | 587 | 192.168.2.8 | 66.29.159.53
Jan 10, 2025 15:53:41.416260004 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:41.569399118 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:41.570607901 CET | 49708 | 587 | 192.168.2.8 | 66.29.159.53
Jan 10, 2025 15:53:41.575458050 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:41.729285002 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:41.730891943 CET | 49708 | 587 | 192.168.2.8 | 66.29.159.53
Jan 10, 2025 15:53:41.736326933 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:41.891336918 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:41.891643047 CET | 49708 | 587 | 192.168.2.8 | 66.29.159.53
Jan 10, 2025 15:53:41.896473885 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:42.051870108 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:42.052098036 CET | 49708 | 587 | 192.168.2.8 | 66.29.159.53
Jan 10, 2025 15:53:42.056881905 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:42.211827993 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
Jan 10, 2025 15:53:42.255968094 CET | 49708 | 587 | 192.168.2.8 | 66.29.159.53
Jan 10, 2025 15:53:42.257952929 CET | 49708 | 587 | 192.168.2.8 | 66.29.159.53
Jan 10, 2025 15:53:42.262973070 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8
The listed packets form two TCP connections from the analysis host 192.168.2.8: one to 172.67.74.152 on 443 (TLS), then one to 66.29.159.53 on 587, the SMTP submission port. Only headers are listed here; the payload of either connection is not reproduced in this table.
                                                              Jan 10, 2025 15:53:42.265307903 CET49708587192.168.2.866.29.159.53
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 15:53:37.628823042 CET | 57147 | 53 | 192.168.2.8 | 1.1.1.1
Jan 10, 2025 15:53:37.636075020 CET | 53 | 57147 | 1.1.1.1 | 192.168.2.8
Jan 10, 2025 15:53:39.932980061 CET | 65531 | 53 | 192.168.2.8 | 1.1.1.1
Jan 10, 2025 15:53:39.943351030 CET | 53 | 65531 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 15:53:37.628823042 CET | 192.168.2.8 | 1.1.1.1 | 0x22e1 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:53:39.932980061 CET | 192.168.2.8 | 1.1.1.1 | 0x4b03 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 15:53:37.636075020 CET | 1.1.1.1 | 192.168.2.8 | 0x22e1 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:53:37.636075020 CET | 1.1.1.1 | 192.168.2.8 | 0x22e1 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:53:37.636075020 CET | 1.1.1.1 | 192.168.2.8 | 0x22e1 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:53:39.943351030 CET | 1.1.1.1 | 192.168.2.8 | 0x4b03 | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001) | false
                                                              • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 172.67.74.152 | 443 | 6592 | C:\Users\user\Desktop\7DpzcPcsTS.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:53:38 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2025-01-10 14:53:38 UTC | 424 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 14:53:38 GMT
    Content-Type: text/plain
    Content-Length: 12
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8ffd7f6afb907288-EWR
    server-timing: cfL4;desc="?proto=TCP&rtt=2104&min_rtt=2084&rtt_var=796&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1401151&cwnd=245&unsent_bytes=0&cid=b39fe27f5735f236&ts=303&x=0"
2025-01-10 14:53:38 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
    Data Ascii: 8.46.123.189


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jan 10, 2025 15:53:40.725533009 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8 | 220 PrivateEmail.com prod Mail Node
Jan 10, 2025 15:53:40.725850105 CET | 49708 | 587 | 192.168.2.8 | 66.29.159.53 | EHLO 226533
Jan 10, 2025 15:53:40.887244940 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8 | 250-mta-07.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-CHUNKING
    250 STARTTLS
Jan 10, 2025 15:53:40.887427092 CET | 49708 | 587 | 192.168.2.8 | 66.29.159.53 | STARTTLS
Jan 10, 2025 15:53:41.049264908 CET | 587 | 49708 | 66.29.159.53 | 192.168.2.8 | 220 Ready to start TLS
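The network tables above show the whole AgentTesla delivery chain in cleartext: a lookup of api.ipify.org and an HTTPS GET to learn the victim's public address, a lookup of smtp.privateemail.com, and an SMTP session on 587 whose banner, EHLO and capability list are visible right up to STARTTLS. The script below is an added example, not Joe Sandbox code and not part of this report; it reproduces that triage over rows constructed from the report's SMTP, DNS and HTTPS tables (CET converted to UTC). The IP-check host list, the 30 s correlation window, the browser image list and the indicator wording are this example's assumptions.

```python
"""Triage of the cleartext network activity in this report.

Added example, not Joe Sandbox code and not part of the report. The rows
below are constructed from the report's SMTP, DNS and HTTPS tables (CET
times converted to UTC); the IP-check host list, the 30 s correlation
window and the indicator wording are this example's assumptions.
"""
from datetime import datetime

# Constructed from the report's SMTP table as (direction, payload), seen
# from the sandbox host. Only this pre-TLS preamble is visible on the wire.
SMTP_PREAMBLE = [
    ("IN", "220 PrivateEmail.com prod Mail Node"),
    ("OUT", "EHLO 226533"),
    ("IN", "250-mta-07.privateemail.com"),
    ("IN", "250-PIPELINING"),
    ("IN", "250-SIZE 81788928"),
    ("IN", "250-ETRN"),
    ("IN", "250-AUTH PLAIN LOGIN"),
    ("IN", "250-ENHANCEDSTATUSCODES"),
    ("IN", "250-8BITMIME"),
    ("IN", "250-CHUNKING"),
    ("IN", "250 STARTTLS"),
    ("OUT", "STARTTLS"),
    ("IN", "220 Ready to start TLS"),
]

# Constructed from the report's DNS and HTTPS tables.
EVENTS = [
    {"t": "14:53:37.628", "kind": "dns", "name": "api.ipify.org"},
    {"t": "14:53:38.000", "kind": "http", "host": "api.ipify.org",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0",
     "image": r"C:\Users\user\Desktop\7DpzcPcsTS.exe"},
    {"t": "14:53:39.932", "kind": "dns", "name": "smtp.privateemail.com",
     "answer": "66.29.159.53"},
    {"t": "14:53:40.725", "kind": "tcp", "dst": "66.29.159.53", "dport": 587},
]

IP_CHECK_HOSTS = {"api.ipify.org", "ipinfo.io", "checkip.dyndns.org"}  # assumption
MAIL_PORTS = {25, 465, 587}
BROWSERS = ("firefox.exe", "chrome.exe", "msedge.exe")  # assumption


def parse_preamble(rows):
    """Extract banner, EHLO argument, EHLO capabilities and whether STARTTLS
    was accepted from the cleartext part of an SMTP session."""
    p = {"banner": "", "ehlo": "", "caps": [], "auth": [], "tls": False}
    last_cmd, seen_name = "", False
    for direction, line in rows:
        if direction == "OUT":
            verb, _, arg = line.partition(" ")
            last_cmd = verb.upper()
            if last_cmd == "EHLO":
                p["ehlo"] = arg.strip()
            continue
        code, text = line[:3], line[4:].strip()
        if code == "220":
            if last_cmd == "STARTTLS":
                p["tls"] = True        # 220 after STARTTLS: the rest is encrypted
            elif not p["banner"]:
                p["banner"] = text     # initial greeting
        elif code == "250" and last_cmd == "EHLO":
            if not seen_name:          # first 250 line is the server's name
                seen_name = True
                continue
            words = text.split()
            p["caps"].append(words[0])
            if words[0] == "AUTH":
                p["auth"] = words[1:]
    return p


def preamble_indicators(p):
    """Indicators a sensor can raise from the preamble alone."""
    hits = []
    if p["ehlo"].isdigit():
        hits.append("EHLO argument is a bare number, not a hostname")
    if set(p["auth"]) & {"PLAIN", "LOGIN"}:
        hits.append("server offers password AUTH (PLAIN/LOGIN)")
    if p["tls"]:
        hits.append("STARTTLS accepted: AUTH, envelope and body are not inspectable")
    return hits


def _ts(s):
    return datetime.strptime(s, "%H:%M:%S.%f")


def exfil_chain(events, window_s=30):
    """Stealer pattern: IP-check lookup, then a lookup of an smtp.* name, then
    TCP to the answer on a mail port, all within window_s seconds."""
    ip_checks = [e for e in events if e["kind"] == "dns" and e["name"] in IP_CHECK_HOSTS]
    smtp_dns = {e.get("answer"): e for e in events
                if e["kind"] == "dns" and e["name"].startswith("smtp.")}
    for e in events:
        if e["kind"] != "tcp" or e["dport"] not in MAIL_PORTS or e["dst"] not in smtp_dns:
            continue
        for c in ip_checks:
            if 0 <= (_ts(e["t"]) - _ts(c["t"])).total_seconds() <= window_s:
                return {"ip_check": c["name"], "mail_host": smtp_dns[e["dst"]]["name"],
                        "dst": e["dst"], "dport": e["dport"]}
    return None


def spoofed_browser_ua(events):
    """Images that send a browser User-Agent without being a browser."""
    return [e["image"] for e in events if e["kind"] == "http"
            and ("Firefox/" in e["ua"] or "Chrome/" in e["ua"])
            and not e["image"].lower().endswith(BROWSERS)]


if __name__ == "__main__":
    pre = parse_preamble(SMTP_PREAMBLE)
    print(pre["ehlo"], pre["auth"], pre["tls"], preamble_indicators(pre))
    print(exfil_chain(EVENTS), spoofed_browser_ua(EVENTS))
```

The point of splitting the work this way is that everything after "220 Ready to start TLS" is opaque to a network sensor, so the preamble (numeric EHLO, PLAIN/LOGIN offered, STARTTLS) and the DNS-to-SMTP timing are what a detection has to key on; the credential and the message body have to come from the memory dumps, not the pcap.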


                                                              Target ID:0
                                                              Start time:09:53:32
                                                              Start date:10/01/2025
                                                              Path:C:\Users\user\Desktop\7DpzcPcsTS.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\7DpzcPcsTS.exe"
                                                              Imagebase:0xcd0000
                                                              File size:826'368 bytes
                                                              MD5 hash:26C7AA73526769F273ED73844E684CD9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1485605622.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1485605622.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:3
                                                              Start time:09:53:35
                                                              Start date:10/01/2025
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7DpzcPcsTS.exe"
                                                              Imagebase:0x580000
                                                              File size:433'152 bytes
                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:4
                                                              Start time:09:53:35
                                                              Start date:10/01/2025
                                                              Path:C:\Users\user\Desktop\7DpzcPcsTS.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\7DpzcPcsTS.exe"
                                                              Imagebase:0x6d0000
                                                              File size:826'368 bytes
                                                              MD5 hash:26C7AA73526769F273ED73844E684CD9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2710083020.00000000029CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2708102365.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2708102365.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2710083020.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2710083020.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:low
                                                              Has exited:false
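The Yara matches for Target ID 4 land in two kinds of memory: PAGE_READWRITE private regions around 0x029A1000/0x029CC000, and a PAGE_EXECUTE_READWRITE private region at 0x00402000 in a second copy of the same executable, which is what an unpacked payload written into a hollowed child looks like. The decoder below is an added example, not Joe Sandbox code and not part of this report. The field layout is inferred from the report itself (the first dot-separated field equals the Target ID, the fourth is the base the report prints as "Offset", the fifth carries the PAGE_* bits 0x04 and 0x40 seen here); reading the seventh field as the MEM_* type, and the "manually mapped" heuristic, are this example's assumptions.

```python
"""Decode the memory-dump source names attached to the Yara matches above.

Added example, not Joe Sandbox code. Field meaning for fields 1, 4 and 5
follows what the report prints next to them (Target ID, "Offset", PAGE_*
protection); reading field 7 as the MEM_* type is an assumption, and the
remaining fields are kept but not interpreted.
"""
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Constructed from the Yara match lines of Target ID 0 and 4 in this report.
YARA_MATCHES = [
    ("JoeSecurity_CredentialStealer",
     "00000000.00000002.1485605622.00000000041E9000.00000004.00000800.00020000.00000000.sdmp"),
    ("JoeSecurity_AgentTesla_1",
     "00000004.00000002.2710083020.00000000029CC000.00000004.00000800.00020000.00000000.sdmp"),
    ("JoeSecurity_CredentialStealer",
     "00000004.00000002.2708102365.0000000000402000.00000040.00000400.00020000.00000000.sdmp"),
    ("JoeSecurity_AgentTesla_1",
     "00000004.00000002.2708102365.0000000000402000.00000040.00000400.00020000.00000000.sdmp"),
    ("JoeSecurity_AgentTesla_1",
     "00000004.00000002.2710083020.00000000029A1000.00000004.00000800.00020000.00000000.sdmp"),
]


def parse_sdmp(name):
    """Split an 8-field .sdmp name into target, base, protection and type."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    f = stem.split(".")
    if len(f) != 8:
        raise ValueError(f"expected 8 dot-separated fields, got {len(f)}: {name}")
    protect, mem_type = int(f[4], 16), int(f[6], 16)
    return {
        "target": int(f[0], 16),
        "base": int(f[3], 16),
        "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
        "executable": bool(protect & 0xF0),   # any PAGE_EXECUTE* bit
        "writable": bool(protect & 0xCC),     # RW, WRITECOPY, RWX, EXECUTE_WRITECOPY
        "type": MEM_TYPE.get(mem_type, hex(mem_type)),   # assumption: field 7 is MEM_*
        "raw_fields": f,
    }


def looks_manually_mapped(region):
    """Heuristic (assumption): executable, writable, private memory at a low
    page-aligned address is a PE the process wrote itself, not a loader-mapped
    image (that would be MEM_IMAGE) and not a JIT or heap range."""
    return (region["executable"] and region["writable"]
            and region["type"] == "MEM_PRIVATE"
            and region["base"] % 0x1000 == 0 and region["base"] < 0x01000000)


def triage(matches):
    """Group Yara hits by (target, region) and put self-written executable
    regions first: those are the unpacked payload worth carving out."""
    regions = {}
    for rule, source in matches:
        r = parse_sdmp(source)
        entry = regions.setdefault((r["target"], r["base"]), {**r, "rules": set()})
        entry["rules"].add(rule)
    out = []
    for (target, base), r in regions.items():
        out.append({"target": target, "base": f"0x{base:08X}", "protect": r["protect"],
                    "type": r["type"], "rules": sorted(r["rules"]),
                    "manually_mapped": looks_manually_mapped(r)})
    return sorted(out, key=lambda x: (not x["manually_mapped"], x["target"], x["base"]))


if __name__ == "__main__":
    for region in triage(YARA_MATCHES):
        print(region)
```

Run against the five matches above, the 0x00402000 region of Target ID 4 sorts to the top with both rules on it; the 0x029A1000 and 0x029CC000 hits are read-write heap-like regions where the decrypted configuration and strings live, and the Target ID 0 hit at 0x041E9000 is the same kind of data in the parent before it spawned the second copy.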

                                                              Target ID:5
                                                              Start time:09:53:35
                                                              Start date:10/01/2025
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:6
                                                              Start time:09:53:37
                                                              Start date:10/01/2025
                                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                              Imagebase:0x7ff605670000
                                                              File size:496'640 bytes
                                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                              Has elevated privileges:true
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false
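Target ID 3 is the sample adding itself to Windows Defender's exclusion list: `powershell.exe Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7DpzcPcsTS.exe"`, run with administrator privileges. The detector below is an added example, not Joe Sandbox code and not part of this report. Its first record is that command line; its parent is taken to be the sample (Target ID 0), which the process ordering implies but the list does not print. The `-EncodedCommand` record and the benign record are constructed here, and the Sysmon-style field names (`Image`, `CommandLine`, `ParentImage`) are an assumption.

```python
"""Detect Defender exclusion tampering in process-creation records.

Added example, not Joe Sandbox code and not part of the report. The first
record is the powershell.exe command line of Target ID 3; its ParentImage
is assumed to be the sample. The encoded and benign records are
constructed here, and the Sysmon-style field names are an assumption.
"""
import base64
import re

MP_CMDLET = re.compile(r"\b(Add|Set)-MpPreference\b", re.I)
EXCLUSION = re.compile(
    r"-Exclusion(Path|Process|Extension|IpAddress)\s+(?P<v>\"[^\"]*\"|'[^']*'|\S+)", re.I)
DISABLE = re.compile(
    r"-Disable(RealtimeMonitoring|IOAVProtection|BehaviorMonitoring|ScriptScanning)"
    r"\s+(\$true|1)\b", re.I)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand
ENCODED = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_ps(script):
    """-EncodedCommand takes base64 of the script as UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_cmdline(cmdline):
    """Return the script hidden behind -EncodedCommand, or the command line
    itself when it is not encoded."""
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def path_covers(excluded, image):
    """True when an -ExclusionPath value is the image itself or a directory
    above it (a folder exclusion covers everything under it)."""
    excluded = excluded.lower().rstrip("\\")
    image = image.lower()
    return image == excluded or image.startswith(excluded + "\\")


def analyze(record):
    """Findings for one record with Image, CommandLine and ParentImage."""
    script = decode_cmdline(record["CommandLine"])
    findings = []
    if not MP_CMDLET.search(script):
        return findings
    encoded = script != record["CommandLine"]
    parent = record.get("ParentImage", "")
    for m in EXCLUSION.finditer(script):
        value, kind = m.group("v").strip("\"'"), m.group(1).lower()
        findings.append({
            "type": f"exclusion_{kind}", "value": value, "encoded": encoded,
            # self-protection tell-tale: the parent excludes its own path
            "covers_parent": kind == "path" and bool(parent) and path_covers(value, parent),
        })
    for m in DISABLE.finditer(script):
        findings.append({"type": f"disable_{m.group(1).lower()}", "value": m.group(2),
                         "encoded": encoded, "covers_parent": False})
    return findings


SAMPLE = r"C:\Users\user\Desktop\7DpzcPcsTS.exe"
RECORDS = [
    {  # Target ID 3 in this report
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                       r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7DpzcPcsTS.exe"',
        "ParentImage": SAMPLE,
    },
    {  # constructed: same intent, folder-wide, hidden behind -enc
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc "
                       + encode_ps(r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop"'),
        "ParentImage": SAMPLE,
    },
    {  # constructed: read-only query, no finding expected
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe Get-MpPreference",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def scan(records):
    """(index, findings) for every record that produced findings."""
    return [(i, f) for i, r in enumerate(records) if (f := analyze(r))]


if __name__ == "__main__":
    for i, f in scan(RECORDS):
        print(i, f)
```

Matching on the decoded script rather than the raw command line is what makes the plaintext form in this report and the Base64 form behave identically in the detector; `covers_parent` is the extra signal that separates this from an administrator excluding a build directory, since legitimate exclusions are not added by the excluded binary's own process.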


                                                                Execution Graph

                                                                Execution Coverage:8.4%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:92
                                                                Total number of Limit Nodes:4
execution_graph (rendered on the original page as a node/edge list of the 92 nodes; only the API-calling nodes are recoverable here). Roots: 0x17c4668, 0x17cd690, 0x17cd040, 0x9151fb8. Nodes that reach a Windows API:
  0x17c44b4, 0x17c5920  CreateActCtxA
  0x17cafe0, 0x17cafd9  GetModuleHandleW
  0x17cd690             DuplicateHandle
  0x17cd086, 0x17cd115  GetCurrentProcess
  0x17cd0d8             GetCurrentThread
  0x17cd173             GetCurrentThreadId
  0x9152019             MonitorFromPoint
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1490194981.0000000009150000.00000040.00000800.00020000.00000000.sdmp, Offset: 09150000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9150000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: da8b1afc2802b02638e334e6fb705634fb7f3d74d2ba0b5ee6a1b19b450776be
                                                                • Instruction ID: 09ca96f950066a99026049ed8968de00643323f3ee2a2ee629e7aa59620bd39d
                                                                • Opcode Fuzzy Hash: da8b1afc2802b02638e334e6fb705634fb7f3d74d2ba0b5ee6a1b19b450776be
                                                                • Instruction Fuzzy Hash: EED1A0B0F05255CFCB14CBA5C8506BEBBB1BF44309F5685AAE8A7EB281D734D841CB91
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1490194981.0000000009150000.00000040.00000800.00020000.00000000.sdmp, Offset: 09150000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9150000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cd353d6da248798f2e6f5598c8924c2ec32abe1760aab42df434ed76d7404548
                                                                • Instruction ID: 152a74861235facf951c3d4ee09694c4d06061e9e75e95eefb4225635f986bfd
                                                                • Opcode Fuzzy Hash: cd353d6da248798f2e6f5598c8924c2ec32abe1760aab42df434ed76d7404548
                                                                • Instruction Fuzzy Hash: B0912874E05229CFDB64CFA5C884BEDBBB6FF89304F0285A5D81AA7255D7345A81CF80

                                                                Control-flow Graph

                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 017CD0BE
                                                                • GetCurrentThread.KERNEL32 ref: 017CD0FB
                                                                • GetCurrentProcess.KERNEL32 ref: 017CD138
                                                                • GetCurrentThreadId.KERNEL32 ref: 017CD191
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1482806832.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_17c0000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0
                                                                • Opcode ID: 32871b945712e7fa9cba118738500892f46834352bc5b9246d896180ae10f6af
                                                                • Instruction ID: de972a36badf1af34d7db418176473c5e56311eb51bb0fb495d64e63acdcdffe
                                                                • Opcode Fuzzy Hash: 32871b945712e7fa9cba118738500892f46834352bc5b9246d896180ae10f6af
                                                                • Instruction Fuzzy Hash: F45145B0900349CFEB14DFAAD948B9EBBF1BB88314F20846DE419A7390DB345984CB65

                                                                Control-flow Graph

                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 017CD0BE
                                                                • GetCurrentThread.KERNEL32 ref: 017CD0FB
                                                                • GetCurrentProcess.KERNEL32 ref: 017CD138
                                                                • GetCurrentThreadId.KERNEL32 ref: 017CD191
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1482806832.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_17c0000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0
                                                                • Opcode ID: 1a0a431dc866dd8999958b96698d8d5d876e77b899cf2b470a4b6198e0d0830d
                                                                • Instruction ID: 4d997fc7cc7f9e7086bab68eda247e30a04a7343290655207195a78ed2ae0cd0
                                                                • Opcode Fuzzy Hash: 1a0a431dc866dd8999958b96698d8d5d876e77b899cf2b470a4b6198e0d0830d
                                                                • Instruction Fuzzy Hash: 0E5137B0900349CFEB14DFAAD548B9EBBF1BB88714F20842DE419A7350DB749984CF65

                                                                Control-flow Graph

control_flow_graph: function 0x17cada8-0x17cb028 (rendered on the original page as a basic-block graph with executed/not-executed colouring, which is not recoverable here). Calls into 0x17ca0cc, 0x17ca0d8, 0x17ca0e8, 0x17ca0f8, 0x17ca108 and 0x17cb031/0x17cb040; the only Windows API call is GetModuleHandleW in block 0x17cafe0-0x17cb00b.
                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 017CAFFE
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1482806832.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_17c0000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: 4908302a4aaa50790da61c67ac7493d5aecde72f4535a88f67dde247cd21965a
                                                                • Instruction ID: 86c54a352e13a1ad981ee4090cf12a744759e5e53cec624710c72142e1333092
                                                                • Opcode Fuzzy Hash: 4908302a4aaa50790da61c67ac7493d5aecde72f4535a88f67dde247cd21965a
                                                                • Instruction Fuzzy Hash: 95813670A00B098FD724DF6AD44579AFBF1BF88705F008A2DD4869BA54E775E846CF90

                                                                Control-flow Graph

control_flow_graph: function 0x17c5914-0x17c5a69 (rendered on the original page as a basic-block graph with executed/not-executed colouring, which is not recoverable here). CreateActCtxA is called in the entry block 0x17c5914-0x17c59e1; the remaining blocks branch on its result and end in a self-loop at 0x17c5a69.
                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 017C59D1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1482806832.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_17c0000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0

                                                                Control-flow Graph (rendered graph omitted)
                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 017C59D1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1482806832.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_17c0000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0

                                                                Control-flow Graph (rendered graph omitted)
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017CD717
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1482806832.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_17c0000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0

                                                                Control-flow Graph (rendered graph omitted)
                                                                APIs
                                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 09152037
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1490194981.0000000009150000.00000040.00000800.00020000.00000000.sdmp, Offset: 09150000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9150000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: FromMonitorPoint
                                                                • String ID:
                                                                • API String ID: 1566494148-0

                                                                Control-flow Graph (rendered graph omitted)
                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 017CAFFE
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1482806832.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_17c0000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0

                                                                Control-flow Graph (rendered graph omitted)
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017CD717
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1482806832.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_17c0000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0

                                                                Control-flow Graph (rendered graph omitted)
                                                                APIs
                                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 09152037
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1490194981.0000000009150000.00000040.00000800.00020000.00000000.sdmp, Offset: 09150000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9150000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: FromMonitorPoint
                                                                • String ID:
                                                                • API String ID: 1566494148-0

                                                                Control-flow Graph (rendered graph omitted)
                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 017CAFFE
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1482806832.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_17c0000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1482485009.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_169d000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1482485009.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_169d000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1482485009.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_169d000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1482485009.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_169d000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1482405954.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_168d000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1482405954.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_168d000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1490194981.0000000009150000.00000040.00000800.00020000.00000000.sdmp, Offset: 09150000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9150000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1490194981.0000000009150000.00000040.00000800.00020000.00000000.sdmp, Offset: 09150000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_9150000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1482806832.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_17c0000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:

                                                                Execution Graph

                                                                Execution Coverage: 11.1%
                                                                Dynamic/Decrypted Code Coverage: 100%
                                                                Signature Coverage: 0%
                                                                Total number of Nodes: 140
                                                                Total number of Limit Nodes: 13

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $
                                                                • API String ID: 0-3993045852
                                                                • Opcode ID: 97529228806074bd872d095aff63823020a6c870c985fa358160ec16760d7a6b
                                                                • Instruction ID: 4e5141fa9566161a614c9b73b5870776ceb1831f51926ebcb9ac0d5fa6edce52
                                                                • Opcode Fuzzy Hash: 97529228806074bd872d095aff63823020a6c870c985fa358160ec16760d7a6b
                                                                • Instruction Fuzzy Hash: 2C22D335E00255CFDF60EBA4C8806AEBBB2EF85320F24856AD446EB354DB35ED41CB90
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5c54ebbc3f0b355363d95587a094fe8a1f40188ee30007d16720f674a5cf9865
                                                                • Instruction ID: 5efa37d6b39f49ebb17a9ef3ce3505be56806134c5718f5ee97d644d7414160c
                                                                • Opcode Fuzzy Hash: 5c54ebbc3f0b355363d95587a094fe8a1f40188ee30007d16720f674a5cf9865
                                                                • Instruction Fuzzy Hash: FD629E34B00204DFDB64EB68D994AADBBF2EF85314F148469E806EB394DB35ED45CB90
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 964f646c9234090412cc20432bc5095de9830dbeaed22cc285f31d7590b75396
                                                                • Instruction ID: de4d54ca0277cb01dcb16face6844ab638ac374c6443b140d175ec7f0fde5250
                                                                • Opcode Fuzzy Hash: 964f646c9234090412cc20432bc5095de9830dbeaed22cc285f31d7590b75396
                                                                • Instruction Fuzzy Hash: C9326034B012199FDF54EB68D990BAEBBB2FB88310F148529D405EB355DB35EC41CB91
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 217af04b7a2d6ffecc6779ab31de70e9cc597b168e223f52149b3e939bc5f481
                                                                • Instruction ID: 4d148398808b37da9c7b5abe873bdd47cb013a0cec47eb0978b936f4d4f7d50c
                                                                • Opcode Fuzzy Hash: 217af04b7a2d6ffecc6779ab31de70e9cc597b168e223f52149b3e939bc5f481
                                                                • Instruction Fuzzy Hash: 9A225330E102098FEF64EF59D9807AEBBB2EB89310F248526E405EB355DB35DC81DB91
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9b22df3b4d2d22b921c4310a6d9cc444b9b2c58f961cc628ea7f129e1a5b7313
                                                                • Instruction ID: aa491d80b298f99550d43804fc9885a634ee2901fc42a4bfd68c4ffa0b7891ef
                                                                • Opcode Fuzzy Hash: 9b22df3b4d2d22b921c4310a6d9cc444b9b2c58f961cc628ea7f129e1a5b7313
                                                                • Instruction Fuzzy Hash: B7320B35E10619CFDB15EB69D89059DB7B2FFC9300F60C6AAD409AB354EF30A985CB90
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8cf52ad3dfce48b9b28ba0a1b5d455221f5d0bf28148d4b5a2c66893ed5eb4a3
                                                                • Instruction ID: 7bb6cb4ea6c001b63b4fe6c0755b17e30047992fe925dc836e5026d31cd60198
                                                                • Opcode Fuzzy Hash: 8cf52ad3dfce48b9b28ba0a1b5d455221f5d0bf28148d4b5a2c66893ed5eb4a3
                                                                • Instruction Fuzzy Hash: B1028E31B002158FDB54EBA8D990BAEBBF2FF84740F148529D805AB355DB35ED42CB90

                                                                Control-flow Graph

                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 06632E86
                                                                • GetCurrentThread.KERNEL32 ref: 06632EC3
                                                                • GetCurrentProcess.KERNEL32 ref: 06632F00
                                                                • GetCurrentThreadId.KERNEL32 ref: 06632F59
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714114801.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6630000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0
                                                                • Opcode ID: 8300e6f35235ee687354b2f76560aefb50bf177627ed0c96e465e764ee5298ff
                                                                • Instruction ID: ce60f24a724499065f72b72efdedff73927a142e84866cf398ae56833e42b1f6
                                                                • Opcode Fuzzy Hash: 8300e6f35235ee687354b2f76560aefb50bf177627ed0c96e465e764ee5298ff
                                                                • Instruction Fuzzy Hash: EA5145B090074A8FDB94DFAAD948B9EBBF6FF88314F208159E409A7390D7346944CF65

                                                                Control-flow Graph

                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 06632E86
                                                                • GetCurrentThread.KERNEL32 ref: 06632EC3
                                                                • GetCurrentProcess.KERNEL32 ref: 06632F00
                                                                • GetCurrentThreadId.KERNEL32 ref: 06632F59
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714114801.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6630000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0
                                                                • Opcode ID: be41f6b8ee4dfa9bd63de5c1dd1f2777111ddbd40e975d9b3a51d4c243e85164
                                                                • Instruction ID: 56a1782454a520f3dbb87015235a29fa538240fc303fa1984f336e997154edfa
                                                                • Opcode Fuzzy Hash: be41f6b8ee4dfa9bd63de5c1dd1f2777111ddbd40e975d9b3a51d4c243e85164
                                                                • Instruction Fuzzy Hash: FE5155B090074A8FDB94DFAAD948B9EBBF6FF88314F208159E409A7390D7346944CF65

                                                                Control-flow Graph

                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0663B57E
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714114801.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6630000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: a93a7f1e16aa8c350edd6e4928b70a4ca7f4fa9b5548d47ad383cad6d70deba9
                                                                • Instruction ID: 8d75598bdee5b6f7f24f27a96892174ab370461456b4cc67262cc43c77a9e865
                                                                • Opcode Fuzzy Hash: a93a7f1e16aa8c350edd6e4928b70a4ca7f4fa9b5548d47ad383cad6d70deba9
                                                                • Instruction Fuzzy Hash: 4D813470A00B158FEB64DF2AD44475ABBF1FF88304F048A2DD48AC7A50DB35E945CB95

                                                                Control-flow Graph

                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2709980924.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2820000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 86b48fcd6086d650fdb231246f2feb6b7dfa14217d7d670f70a5683113eeddfb
                                                                • Instruction ID: 6d63b87020323014825d6764ee9b8f4af7b1c7e05797c8c976e1dc42ceb656c9
                                                                • Opcode Fuzzy Hash: 86b48fcd6086d650fdb231246f2feb6b7dfa14217d7d670f70a5683113eeddfb
                                                                • Instruction Fuzzy Hash: 2F412576D003599FDB10DFAAE8007EABBF5EF89210F10856AD409E7241DB74A885CBE5

                                                                Control-flow Graph

                                                                APIs
                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0663D622
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714114801.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6630000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: CreateWindow
                                                                • String ID:
                                                                • API String ID: 716092398-0
                                                                • Opcode ID: ad86b0eae785f79e8f10a36e1062952e2bff1ff48cf34f0a692168c7211effd6
                                                                • Instruction ID: c983258f5c9f07a8024d1607b00a87e8d61b4a1a99f8eebff343b57036407d71
                                                                • Opcode Fuzzy Hash: ad86b0eae785f79e8f10a36e1062952e2bff1ff48cf34f0a692168c7211effd6
                                                                • Instruction Fuzzy Hash: A651C0B1D10359EFDB14CFAAC884ADEBFB5BF49310F24812AE819AB250D7719845CF90

                                                                Control-flow Graph

                                                                APIs
                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0663D622
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714114801.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6630000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: CreateWindow
                                                                • String ID:
                                                                • API String ID: 716092398-0
                                                                • Opcode ID: a09d8cc306329ae66046cc50ed6f40356588311b28022b2ab1ea090d47c4f088
                                                                • Instruction ID: 7231b90047a3322a2c7b7ecd7a14d410bfbecd808ef6844f2eae43a417622f02
                                                                • Opcode Fuzzy Hash: a09d8cc306329ae66046cc50ed6f40356588311b28022b2ab1ea090d47c4f088
                                                                • Instruction Fuzzy Hash: DE41B0B1D10319DFDB14CFAAC884ADEBBB5BF49310F24812AE819AB210D7759845CF90

                                                                Control-flow Graph

                                                                APIs
                                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 0663FD11
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714114801.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6630000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: CallProcWindow
                                                                • String ID:
                                                                • API String ID: 2714655100-0
                                                                • Opcode ID: 76bc8bf56588bca9db40e6b11d820e2d23339d51b5485f3720d48ff240fb9e88
                                                                • Instruction ID: 9a89beb820bcbd3e509c86bea8b6fe1b9170c1d6b597d64f651481c5e1f8bd05
                                                                • Opcode Fuzzy Hash: 76bc8bf56588bca9db40e6b11d820e2d23339d51b5485f3720d48ff240fb9e88
                                                                • Instruction Fuzzy Hash: 644158B4D00319CFDB54DF9AC888AAABBF5FF88314F248459D519AB321C774A841CFA0

                                                                Control-flow Graph

                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066330D7
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714114801.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6630000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: bb4da522cf22b4337f3085ce2b87f78f0d58bc4b6b10b457b38b24b180b98304
                                                                • Instruction ID: 5c499a0262b22e889bf9aa8294d1212ed596b5891f597fee75a2912031e06138
                                                                • Opcode Fuzzy Hash: bb4da522cf22b4337f3085ce2b87f78f0d58bc4b6b10b457b38b24b180b98304
                                                                • Instruction Fuzzy Hash: 8021D4B5D002499FDB10CFAAD984ADEFBF8EF48310F14841AE954A3350D375A954CFA5

                                                                Control-flow Graph

                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066330D7
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714114801.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6630000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: 7b4ccea4df921be952a172ee0803ea4a97eb059a6a48690043abfb54e0f6c2fe
                                                                • Instruction ID: 7809f9d6ba1d38be5651f8f0c965147f038bbcbcd843d02a912361c3454428d6
                                                                • Opcode Fuzzy Hash: 7b4ccea4df921be952a172ee0803ea4a97eb059a6a48690043abfb54e0f6c2fe
                                                                • Instruction Fuzzy Hash: C021E3B59002499FDB10CFAAD884ADEFBF8EB48310F14801AE914A3350C375A944CFA4

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 877 282ec40-282ec7e 878 282ec86-282ecb4 GlobalMemoryStatusEx 877->878 879 282ecb6-282ecbc 878->879 880 282ecbd-282ece5 878->880 879->880
                                                                APIs
                                                                • GlobalMemoryStatusEx.KERNELBASE ref: 0282ECA7
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2709980924.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2820000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: GlobalMemoryStatus
                                                                • String ID:
                                                                • API String ID: 1890195054-0
                                                                • Opcode ID: 0e4b2f4dfcb15624d111fac33db883af6d8455b2f54f773065542613fcc67f08
                                                                • Instruction ID: 278c062195cb0a628cae8c47a529abcc350ac68c11c20a95f9b18914ebe01bb0
                                                                • Opcode Fuzzy Hash: 0e4b2f4dfcb15624d111fac33db883af6d8455b2f54f773065542613fcc67f08
                                                                • Instruction Fuzzy Hash: 101150B5C0026A9FDB10CFAAC444BDEFBF4BF48220F10812AD818A3240D378A944CFA5

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 883 663b518-663b558 884 663b560-663b58b GetModuleHandleW 883->884 885 663b55a-663b55d 883->885 886 663b594-663b5a8 884->886 887 663b58d-663b593 884->887 885->884 887->886
                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0663B57E
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714114801.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6630000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: b28d6c63a64445a2d0438a4932087c5c66ee1d16b0a858969e4af4af152b5235
                                                                • Instruction ID: 67031c2e9b4a4a8eb664540bb9d21609902d5f53a4f4fbc72f6470e0d438affb
                                                                • Opcode Fuzzy Hash: b28d6c63a64445a2d0438a4932087c5c66ee1d16b0a858969e4af4af152b5235
                                                                • Instruction Fuzzy Hash: 33110FB6C003498FCB20CF9AC844BDEFBF4AB88320F14841AD419A7210D379A545CFA1
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b3b04e80ca07685af9403b31558878b994939eb6c04e12fbb1ada8b166a34ace
                                                                • Instruction ID: 5538ca85ddb2056b78e5f6d71237ca5e98a3caa72ec6b9f993ee3fecb1df9ed3
                                                                • Opcode Fuzzy Hash: b3b04e80ca07685af9403b31558878b994939eb6c04e12fbb1ada8b166a34ace
                                                                • Instruction Fuzzy Hash: 88315071E102058FDF60EFAAD881AAFFBB1EB45310F20893AD516D7351D635E941CB91
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6465a6294cd095d7cb22618e340f84eeb954eede97348c0ea6c7d1d4c4b833bb
                                                                • Instruction ID: 8bbfd554b7496d234eac3e8305b6a418e68f8b9ed2a57b30451fea7f4a18faa0
                                                                • Opcode Fuzzy Hash: 6465a6294cd095d7cb22618e340f84eeb954eede97348c0ea6c7d1d4c4b833bb
                                                                • Instruction Fuzzy Hash: 92317030E10209DBDB59DFA8D8A469EB7F6FF89300F208519E916E7350DB71AD42CB60
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f8b5cea490a32bbaaa9434d7cc59d7175806575b78f3fe4dedd303bb77f455ae
                                                                • Instruction ID: 162f6bea449f6c13dc6353a4e8e08a6167949de92e3a3ebd5b63825257b3a612
                                                                • Opcode Fuzzy Hash: f8b5cea490a32bbaaa9434d7cc59d7175806575b78f3fe4dedd303bb77f455ae
                                                                • Instruction Fuzzy Hash: B4316330E10209DBDB59DFA8D8A469EB7F6FF89300F208519E916E7350DB71AD46CB60
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ddb229fac2299ec5fbc2f78834cd156f9a4a35f6dce148e811f4ebc9800175d4
                                                                • Instruction ID: 18b7acd9433e63280995b04ddcd9b11595910d2945883def11073987ca469090
                                                                • Opcode Fuzzy Hash: ddb229fac2299ec5fbc2f78834cd156f9a4a35f6dce148e811f4ebc9800175d4
                                                                • Instruction Fuzzy Hash: 3D218D75E002159FDB40EF6DD940AEEBBF5EB48720F108126EA11EB395E731E9418B90
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0f82f17dacc7dc6865f0d599743a305ea9368580ea314009c57eb03a007e2a2d
                                                                • Instruction ID: 71a2943252cc062340153c8a780e511adace56a602b1bfc42c88b3c57c6199ff
                                                                • Opcode Fuzzy Hash: 0f82f17dacc7dc6865f0d599743a305ea9368580ea314009c57eb03a007e2a2d
                                                                • Instruction Fuzzy Hash: 02217F75F006159FDB50DF69D980AAEBBF5FB48710F108029E905EB395EB31E8418B94
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2709653450.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_f5d000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c628ba89ec77e1febeed1291f0552483731f56235631b54f17c6c5e3f36f198f
                                                                • Instruction ID: 22f093db1f4b92330f9d952c4cfef55f2d2d294a7174c259d03c887314d37c9a
                                                                • Opcode Fuzzy Hash: c628ba89ec77e1febeed1291f0552483731f56235631b54f17c6c5e3f36f198f
                                                                • Instruction Fuzzy Hash: 472103716053049FDB20DF10C884B26BB65FB84325F20C569EE490B286C736D84AEA62
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2fb8c6217eef399d7e265281246c37c5f87cdf6fe51e8caec62970800af304b0
                                                                • Instruction ID: a868f32044f3454e7d3bd377f08ada735284b38748b4574ccddcf48caab6bc29
                                                                • Opcode Fuzzy Hash: 2fb8c6217eef399d7e265281246c37c5f87cdf6fe51e8caec62970800af304b0
                                                                • Instruction Fuzzy Hash: 1A01D236B101255BCF54A67EEC20BEB7BAADBC6661F140136D915EB394EE11CC0147E2
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 74a75cb74f5a3f105f9778a4e4ae7948fab124dfc5dff9188b9d7355071b27c6
                                                                • Instruction ID: e82776b249cedfc8fdbd3eb8b9bcafe8878cc85b9e7d300c504f10c64cd13788
                                                                • Opcode Fuzzy Hash: 74a75cb74f5a3f105f9778a4e4ae7948fab124dfc5dff9188b9d7355071b27c6
                                                                • Instruction Fuzzy Hash: 8311CE31B004258BCF94AA69D8146AF77FAEBC9711F004139C906E7344EF25DC029B90
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 076d81d8d05000224a1ede25074eb68273ce7c10d927d53a2aec31a1dc5507c4
                                                                • Instruction ID: 176d058e421e57b8806446f192292d3f007743718a42b2ec5c4ae3c67f709137
                                                                • Opcode Fuzzy Hash: 076d81d8d05000224a1ede25074eb68273ce7c10d927d53a2aec31a1dc5507c4
                                                                • Instruction Fuzzy Hash: 4901B130B002600FDB61A67ED8517AF7BD6DBCA721F14852AE01ACB39ADD65DC0143E2
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0b06bf2f197280a5889bf6fd7b871604c8be2e03a8fc7167346d3710c590fd82
                                                                • Instruction ID: b24e2d836b23d701c1acff01e857a3598fd5b451828f19cc2d4999e6d57dd95b
                                                                • Opcode Fuzzy Hash: 0b06bf2f197280a5889bf6fd7b871604c8be2e03a8fc7167346d3710c590fd82
                                                                • Instruction Fuzzy Hash: A821E0B1D01219AFCB10DF9AD884ADEFBF4FB48224F10822AE518A7340D3756944CBA5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 987dc645f531c62ddd54fe8e3166c1cf26c758f8820513e398449de022165c18
                                                                • Instruction ID: 9ba31cc909aa5acc1d4e4de404c18fb37c45271c144595c16926e370e8d54dd8
                                                                • Opcode Fuzzy Hash: 987dc645f531c62ddd54fe8e3166c1cf26c758f8820513e398449de022165c18
                                                                • Instruction Fuzzy Hash: F601B530B002544FEB65EA7CD4D0B2F77D6EBC9714F14846AE50ACB381DA26EC0143A1
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7af91b3f8ee31047156a5bfd56e5d2f776773a95a23e654e2b31cc50e552bd32
                                                                • Instruction ID: 5e6b1e67c6adf803b2ab92c3f512990cbe09c821f82f489c312baebf1748f98d
                                                                • Opcode Fuzzy Hash: 7af91b3f8ee31047156a5bfd56e5d2f776773a95a23e654e2b31cc50e552bd32
                                                                • Instruction Fuzzy Hash: CA01D8347042102FD761EABCE45475F77E2EB8A720F10442AE10ACB385EE11ED418791
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2709653450.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_f5d000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                                • Instruction ID: d9e597df8d3d2f1b4c8943ce770de861f614680803b8f7d0fb81c8f271e8b2b8
                                                                • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                                • Instruction Fuzzy Hash: 4311D075904244CFDB11CF10C5C4B15BB62FB44325F24C6ADDD494B296C33AD84ADF51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 58ad7e89130b7c67a5f77c34ec5cf281d14f0c97170c11906691eca2058ddabe
                                                                • Instruction ID: 5504953b0797104f862c8a853f912b41fdacfb96a0d1c3a74021f72e5755e2e5
                                                                • Opcode Fuzzy Hash: 58ad7e89130b7c67a5f77c34ec5cf281d14f0c97170c11906691eca2058ddabe
                                                                • Instruction Fuzzy Hash: 5411CEB1D01259AFCB00DF9AD884ADEFBB4BB48210F10822AE918A7340D375A954CBA5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f1175b5dd87e846ee5285f321772cac38b29a998364c9d969f5daca250fdbf75
                                                                • Instruction ID: ba2fbcf04267740212237fd4998f53b103fae0979021146372416ef931cd758b
                                                                • Opcode Fuzzy Hash: f1175b5dd87e846ee5285f321772cac38b29a998364c9d969f5daca250fdbf75
                                                                • Instruction Fuzzy Hash: 32018131B001100BEB65A5AED451B6FB6DADBC9B21F20843AE50EC734ADE65DC0247D1
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ac021c5057a411553f76248676edb9192fbaa2a59a630b35322a11699c650c0a
                                                                • Instruction ID: 96bfe55a3c5059c0fc76f237e2baf5b87dab0a591f862532cd2d3d56b101fa10
                                                                • Opcode Fuzzy Hash: ac021c5057a411553f76248676edb9192fbaa2a59a630b35322a11699c650c0a
                                                                • Instruction Fuzzy Hash: AA014431B005144BEB65E67DD490B2F77D6EBC9B21F14843AE50AC7381EE26EC024395
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7a9f940777cf0b2f8d7bdeb3078b5e2366b8d9fe7e2e33bda17520a18b68015b
                                                                • Instruction ID: d869a0ab88ec2aed67c0c49fd0e37f0cfb0cf86940241418aca4fc5967536178
                                                                • Opcode Fuzzy Hash: 7a9f940777cf0b2f8d7bdeb3078b5e2366b8d9fe7e2e33bda17520a18b68015b
                                                                • Instruction Fuzzy Hash: E5018134B101145FDBA1EAACD454B2F77D6EB89720F108429E50BCB389EE21EC414791
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 28a05a5860af71807c90927390dc68544b8bd6367e8ca4a62330aff1b28abd2a
                                                                • Instruction ID: 7571c48c55992491fba7894f81375c944cd662311fe570b820182c523dcbaa7b
                                                                • Opcode Fuzzy Hash: 28a05a5860af71807c90927390dc68544b8bd6367e8ca4a62330aff1b28abd2a
                                                                • Instruction Fuzzy Hash: 75F0A072E102189BEFB0A9A8D804B9EB7A9E785761F00483BE91AE7740D631DC958781
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2714158867.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_6640000_7DpzcPcsTS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0e8c3883ad6e1442c53744ed062f3f98fb6c279e94d06607bb6c18db9d86a9ef
                                                                • Instruction ID: 9a4211d19ce7deb3b2f08223bf8f8d492f52858e0a69f3fe6fe3abe2f38acbdd
                                                                • Opcode Fuzzy Hash: 0e8c3883ad6e1442c53744ed062f3f98fb6c279e94d06607bb6c18db9d86a9ef
                                                                • Instruction Fuzzy Hash: 77E0DFB1E252486FEF60EE70D94579B7FACD742218F2088A7E408DB242E13ACD01CB90