Edit tour

Windows Analysis Report
tx4pkcHL9o.exe

Overview

General Information

Sample name:	tx4pkcHL9o.exe renamed because original name is a hash value
Original sample name:	987d80fbc03ed5f7612a742982367ae5f354237968d23b2fe1cbe9440946497d.exe
Analysis ID:	1587667
MD5:	e6884ed9330553c602104752d461f363
SHA1:	6c10a1bf2148d830df770f77f42779f87d80fc39
SHA256:	987d80fbc03ed5f7612a742982367ae5f354237968d23b2fe1cbe9440946497d
Tags:	exeuser-adrian__luca
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

tx4pkcHL9o.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\tx4pkcHL9o.exe" MD5: E6884ED9330553C602104752D461F363)

powershell.exe (PID: 7460 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tx4pkcHL9o.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7512 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7932 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7540 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp86BB.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tx4pkcHL9o.exe (PID: 7748 cmdline: "C:\Users\user\Desktop\tx4pkcHL9o.exe" MD5: E6884ED9330553C602104752D461F363)

tx4pkcHL9o.exe (PID: 7756 cmdline: "C:\Users\user\Desktop\tx4pkcHL9o.exe" MD5: E6884ED9330553C602104752D461F363)

VyaPZFtSeDDse.exe (PID: 7880 cmdline: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe MD5: E6884ED9330553C602104752D461F363)

schtasks.exe (PID: 8124 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp9B0E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

VyaPZFtSeDDse.exe (PID: 2192 cmdline: "C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe" MD5: E6884ED9330553C602104752D461F363)

VyaPZFtSeDDse.exe (PID: 5740 cmdline: "C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe" MD5: E6884ED9330553C602104752D461F363)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdfa7:$a1: get_encryptedPassword 0xe2cf:$a2: get_encryptedUsername 0xdd42:$a3: get_timePasswordChanged 0xde63:$a4: get_passwordField 0xdfbd:$a5: set_encryptedPassword 0xf919:$a7: get_logins 0xf5ca:$a8: GetOutlookPasswords 0xf3bc:$a9: StartKeylogger 0xf869:$a10: KeyLoggerEventArgs 0xf419:$a11: KeyLoggerEventArgsEventHandler
00000011.00000002.2633387402.0000000002A83000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x612df:$a1: get_encryptedPassword 0x780ff:$a1: get_encryptedPassword 0x8ed1f:$a1: get_encryptedPassword 0x61607:$a2: get_encryptedUsername 0x78427:$a2: get_encryptedUsername 0x8f047:$a2: get_encryptedUsername 0x6107a:$a3: get_timePasswordChanged 0x77e9a:$a3: get_timePasswordChanged 0x8eaba:$a3: get_timePasswordChanged 0x6119b:$a4: get_passwordField 0x77fbb:$a4: get_passwordField 0x8ebdb:$a4: get_passwordField 0x612f5:$a5: set_encryptedPassword 0x78115:$a5: set_encryptedPassword 0x8ed35:$a5: set_encryptedPassword 0x62c51:$a7: get_logins 0x79a71:$a7: get_logins 0x90691:$a7: get_logins 0x62902:$a8: GetOutlookPasswords 0x79722:$a8: GetOutlookPasswords 0x90342:$a8: GetOutlookPasswords
0000000A.00000002.2633318751.0000000002C53000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tx4pkcHL9o.exe PID: 7260	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: tx4pkcHL9o.exe PID: 7260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tx4pkcHL9o.exe PID: 7260	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: tx4pkcHL9o.exe PID: 7260	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: tx4pkcHL9o.exe PID: 7260	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd6e18:$a1: get_encryptedPassword 0xd7131:$a2: get_encryptedUsername 0xd6bc7:$a3: get_timePasswordChanged 0xd6ce8:$a4: get_passwordField 0xd6e2e:$a5: set_encryptedPassword 0xd8731:$a7: get_logins 0xd83e2:$a8: GetOutlookPasswords 0xd81d4:$a9: StartKeylogger 0xd8681:$a10: KeyLoggerEventArgs 0xd8231:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: tx4pkcHL9o.exe PID: 7756	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: tx4pkcHL9o.exe PID: 7756	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tx4pkcHL9o.exe PID: 7756	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: tx4pkcHL9o.exe PID: 7756	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21d74:$a1: get_encryptedPassword 0x2208d:$a2: get_encryptedUsername 0x21b23:$a3: get_timePasswordChanged 0x21c44:$a4: get_passwordField 0x21d8a:$a5: set_encryptedPassword 0x2368d:$a7: get_logins 0x2333e:$a8: GetOutlookPasswords 0x23130:$a9: StartKeylogger 0x235dd:$a10: KeyLoggerEventArgs 0x2318d:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: VyaPZFtSeDDse.exe PID: 7880	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: VyaPZFtSeDDse.exe PID: 5740	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.tx4pkcHL9o.exe.3871f58.7.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.tx4pkcHL9o.exe.3871f58.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.tx4pkcHL9o.exe.3871f58.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.tx4pkcHL9o.exe.3871f58.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.tx4pkcHL9o.exe.3871f58.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1234b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11849:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b57:$a4: \Orbitum\User Data\Default\Login Data 0x1294f:$a5: \Kometa\User Data\Default\Login Data
0.2.tx4pkcHL9o.exe.385b138.6.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.tx4pkcHL9o.exe.385b138.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.tx4pkcHL9o.exe.385b138.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.tx4pkcHL9o.exe.385b138.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.tx4pkcHL9o.exe.385b138.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1234b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11849:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b57:$a4: \Orbitum\User Data\Default\Login Data 0x1294f:$a5: \Kometa\User Data\Default\Login Data
0.2.tx4pkcHL9o.exe.3871f58.7.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.tx4pkcHL9o.exe.3871f58.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.tx4pkcHL9o.exe.3871f58.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.tx4pkcHL9o.exe.3871f58.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x25dc7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x260ef:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x25b62:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x25c83:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x25ddd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x27739:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x273ea:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x271dc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x27689:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler 0x27239:$a11: KeyLoggerEventArgsEventHandler
0.2.tx4pkcHL9o.exe.3871f58.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1414b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2ad6b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13649:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a269:$a3: \Google\Chrome\User Data\Default\Login Data 0x13957:$a4: \Orbitum\User Data\Default\Login Data 0x2a577:$a4: \Orbitum\User Data\Default\Login Data 0x1474f:$a5: \Kometa\User Data\Default\Login Data 0x2b36f:$a5: \Kometa\User Data\Default\Login Data
10.2.tx4pkcHL9o.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.2.tx4pkcHL9o.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.tx4pkcHL9o.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.tx4pkcHL9o.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
10.2.tx4pkcHL9o.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1414b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13649:$a3: \Google\Chrome\User Data\Default\Login Data 0x13957:$a4: \Orbitum\User Data\Default\Login Data 0x1474f:$a5: \Kometa\User Data\Default\Login Data
0.2.tx4pkcHL9o.exe.385b138.6.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.tx4pkcHL9o.exe.385b138.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.tx4pkcHL9o.exe.385b138.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.tx4pkcHL9o.exe.385b138.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x25fc7:$a1: get_encryptedPassword 0x3cbe7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x262ef:$a2: get_encryptedUsername 0x3cf0f:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x25d62:$a3: get_timePasswordChanged 0x3c982:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x25e83:$a4: get_passwordField 0x3caa3:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x25fdd:$a5: set_encryptedPassword 0x3cbfd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x27939:$a7: get_logins 0x3e559:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x275ea:$a8: GetOutlookPasswords 0x3e20a:$a8: GetOutlookPasswords
0.2.tx4pkcHL9o.exe.385b138.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1414b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2af6b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x41b8b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13649:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a469:$a3: \Google\Chrome\User Data\Default\Login Data 0x41089:$a3: \Google\Chrome\User Data\Default\Login Data 0x13957:$a4: \Orbitum\User Data\Default\Login Data 0x2a777:$a4: \Orbitum\User Data\Default\Login Data 0x41397:$a4: \Orbitum\User Data\Default\Login Data 0x1474f:$a5: \Kometa\User Data\Default\Login Data 0x2b56f:$a5: \Kometa\User Data\Default\Login Data 0x4218f:$a5: \Kometa\User Data\Default\Login Data
Click to see the 20 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tx4pkcHL9o.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tx4pkcHL9o.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\tx4pkcHL9o.exe", ParentImage: C:\Users\user\Desktop\tx4pkcHL9o.exe, ParentProcessId: 7260, ParentProcessName: tx4pkcHL9o.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tx4pkcHL9o.exe", ProcessId: 7460, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp9B0E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp9B0E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe, ParentImage: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe, ParentProcessId: 7880, ParentProcessName: VyaPZFtSeDDse.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp9B0E.tmp", ProcessId: 8124, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp86BB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp86BB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\tx4pkcHL9o.exe", ParentImage: C:\Users\user\Desktop\tx4pkcHL9o.exe, ParentProcessId: 7260, ParentProcessName: tx4pkcHL9o.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp86BB.tmp", ProcessId: 7540, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tx4pkcHL9o.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tx4pkcHL9o.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\tx4pkcHL9o.exe", ParentImage: C:\Users\user\Desktop\tx4pkcHL9o.exe, ParentProcessId: 7260, ParentProcessName: tx4pkcHL9o.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tx4pkcHL9o.exe", ProcessId: 7460, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp86BB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp86BB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\tx4pkcHL9o.exe", ParentImage: C:\Users\user\Desktop\tx4pkcHL9o.exe, ParentProcessId: 7260, ParentProcessName: tx4pkcHL9o.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp86BB.tmp", ProcessId: 7540, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:38:55.879539+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49740	158.101.44.242	80	TCP
2025-01-10T16:38:59.380324+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49778	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.tx4pkcHL9o.exe.385b138.6.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe

ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: tx4pkcHL9o.exe	ReversingLabs: Detection: 81%
Source: tx4pkcHL9o.exe	Virustotal: Detection: 79%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: tx4pkcHL9o.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: tx4pkcHL9o.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49762 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49785 version: TLS 1.0

Source: tx4pkcHL9o.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: rFePR.pdb source: tx4pkcHL9o.exe, VyaPZFtSeDDse.exe.0.dr
Source:	Binary string: rFePR.pdbSHA256 source: tx4pkcHL9o.exe, VyaPZFtSeDDse.exe.0.dr

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 01019731h	10_2_01019480
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 01019E5Ah	10_2_01019A30
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 01019E5Ah	10_2_01019D87
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 056A47C9h	10_2_056A4520
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 056A8830h	10_2_056A8588
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 056AF700h	10_2_056AF458
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 056A76D0h	10_2_056A7428
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 056AE9F8h	10_2_056AE750
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 056A5929h	10_2_056A5680
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 056A83D8h	10_2_056A8130
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 056AE5A0h	10_2_056AE180
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 056AF2A8h	10_2_056AF000
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 056A54D1h	10_2_056A5228
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 056A5079h	10_2_056A4DD0
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 056A7F80h	10_2_056A7CD8
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 056A7278h	10_2_056A6FD0
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 056A4C21h	10_2_056A4978
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 056AFB58h	10_2_056AF8B0
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 056A7B28h	10_2_056A7880
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 056AEE50h	10_2_056AEBA8
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 4x nop then jmp 056A5E15h	10_2_056A5AD8
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 4x nop then jmp 00C69731h	17_2_00C69480
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 4x nop then jmp 00C69E5Ah	17_2_00C69A30
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 4x nop then jmp 00C69E5Ah	17_2_00C69D87

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49740 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49778 -> 158.101.44.242:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49762 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49785 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029CC000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.0000000002961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: tx4pkcHL9o.exe, 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp, tx4pkcHL9o.exe, 0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: tx4pkcHL9o.exe, VyaPZFtSeDDse.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: tx4pkcHL9o.exe, VyaPZFtSeDDse.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: tx4pkcHL9o.exe, VyaPZFtSeDDse.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: tx4pkcHL9o.exe, 00000000.00000002.1401358796.000000000285F000.00000004.00000800.00020000.00000000.sdmp, tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 0000000B.00000002.1465165627.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.0000000002961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tx4pkcHL9o.exe, 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp, tx4pkcHL9o.exe, 0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: VyaPZFtSeDDse.exe, 00000011.00000002.2632283324.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/
Source: tx4pkcHL9o.exe, 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp, tx4pkcHL9o.exe, 0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp, tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: tx4pkcHL9o.exe, 00000000.00000002.1419720378.0000000006ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.chiark.greenend
Source: tx4pkcHL9o.exe, VyaPZFtSeDDse.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.tx4pkcHL9o.exe.3871f58.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.tx4pkcHL9o.exe.3871f58.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.tx4pkcHL9o.exe.385b138.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.tx4pkcHL9o.exe.385b138.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.tx4pkcHL9o.exe.3871f58.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.tx4pkcHL9o.exe.3871f58.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.tx4pkcHL9o.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.tx4pkcHL9o.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.tx4pkcHL9o.exe.385b138.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.tx4pkcHL9o.exe.385b138.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: tx4pkcHL9o.exe PID: 7260, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: tx4pkcHL9o.exe PID: 7756, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 0_2_025C4218	0_2_025C4218
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 0_2_025C6F90	0_2_025C6F90
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 0_2_025CD424	0_2_025CD424
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 0_2_06DC2670	0_2_06DC2670
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 0_2_06DC4780	0_2_06DC4780
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 0_2_06DC476F	0_2_06DC476F
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 0_2_06DC3F10	0_2_06DC3F10
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 0_2_06DC2AA8	0_2_06DC2AA8
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 0_2_06DC4348	0_2_06DC4348
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 0_2_06DCB318	0_2_06DCB318
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 0_2_082B0FE8	0_2_082B0FE8
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 0_2_082B0FF8	0_2_082B0FF8
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_0101C530	10_2_0101C530
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_010127B9	10_2_010127B9
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_01019480	10_2_01019480
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_0101C521	10_2_0101C521
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_01012DD1	10_2_01012DD1
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_0101946F	10_2_0101946F
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A6138	10_2_056A6138
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056ABC60	10_2_056ABC60
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056AAF00	10_2_056AAF00
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A89E0	10_2_056A89E0
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A8579	10_2_056A8579
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A4520	10_2_056A4520
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A450F	10_2_056A450F
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A8588	10_2_056A8588
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056AF448	10_2_056AF448
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056AF458	10_2_056AF458
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A7428	10_2_056A7428
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A7418	10_2_056A7418
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056AE740	10_2_056AE740
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056AE750	10_2_056AE750
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A566F	10_2_056A566F
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A5680	10_2_056A5680
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A8120	10_2_056A8120
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A8130	10_2_056A8130
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056AE180	10_2_056AE180
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056AF000	10_2_056AF000
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A0320	10_2_056A0320
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A0330	10_2_056A0330
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A5228	10_2_056A5228
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A521A	10_2_056A521A
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A4DC0	10_2_056A4DC0
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A4DD0	10_2_056A4DD0
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A7CC8	10_2_056A7CC8
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A0CD8	10_2_056A0CD8
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A7CD8	10_2_056A7CD8
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056AEFF0	10_2_056AEFF0
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A6FC3	10_2_056A6FC3
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A6FC1	10_2_056A6FC1
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A6FD0	10_2_056A6FD0
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A4969	10_2_056A4969
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A4978	10_2_056A4978
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A89D0	10_2_056A89D0
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A7871	10_2_056A7871
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056AF8A1	10_2_056AF8A1
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056AF8B0	10_2_056AF8B0
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A7880	10_2_056A7880
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056AEBA8	10_2_056AEBA8
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056AEB98	10_2_056AEB98
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A5ACA	10_2_056A5ACA
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A5AD8	10_2_056A5AD8
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A0AB8	10_2_056A0AB8
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 11_2_01204218	11_2_01204218
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 11_2_01206F92	11_2_01206F92
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 11_2_0120D424	11_2_0120D424
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 11_2_02E17C88	11_2_02E17C88
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 11_2_02E10088	11_2_02E10088
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 11_2_02E10078	11_2_02E10078
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 11_2_02E17C78	11_2_02E17C78
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 11_2_05496DB8	11_2_05496DB8
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 11_2_07083F10	11_2_07083F10
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 11_2_07084780	11_2_07084780
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 11_2_07082670	11_2_07082670
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 11_2_0708A5FA	11_2_0708A5FA
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 11_2_07084348	11_2_07084348
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 11_2_07082AA8	11_2_07082AA8
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 17_2_00C6C530	17_2_00C6C530
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 17_2_00C62DD1	17_2_00C62DD1
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 17_2_00C69480	17_2_00C69480
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 17_2_00C6C49F	17_2_00C6C49F
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 17_2_00C6C521	17_2_00C6C521
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 17_2_00C6946F	17_2_00C6946F

Source: tx4pkcHL9o.exe

Static PE information: invalid certificate

Source: tx4pkcHL9o.exe, 00000000.00000002.1420287493.0000000006E20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs tx4pkcHL9o.exe
Source: tx4pkcHL9o.exe, 00000000.00000002.1401358796.000000000285F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs tx4pkcHL9o.exe
Source: tx4pkcHL9o.exe, 00000000.00000002.1396766277.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs tx4pkcHL9o.exe
Source: tx4pkcHL9o.exe, 00000000.00000002.1403720087.00000000038DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs tx4pkcHL9o.exe
Source: tx4pkcHL9o.exe, 00000000.00000002.1403720087.00000000038DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs tx4pkcHL9o.exe
Source: tx4pkcHL9o.exe, 00000000.00000000.1356204353.0000000000448000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamerFePR.exe> vs tx4pkcHL9o.exe
Source: tx4pkcHL9o.exe, 00000000.00000002.1419720378.0000000006ABB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs tx4pkcHL9o.exe
Source: tx4pkcHL9o.exe, 00000000.00000002.1419177011.0000000006A10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs tx4pkcHL9o.exe
Source: tx4pkcHL9o.exe, 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs tx4pkcHL9o.exe
Source: tx4pkcHL9o.exe, 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs tx4pkcHL9o.exe
Source: tx4pkcHL9o.exe, 0000000A.00000002.2631296214.0000000000B87000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs tx4pkcHL9o.exe
Source: tx4pkcHL9o.exe	Binary or memory string: OriginalFilenamerFePR.exe> vs tx4pkcHL9o.exe

Source: tx4pkcHL9o.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.tx4pkcHL9o.exe.3871f58.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.tx4pkcHL9o.exe.3871f58.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.tx4pkcHL9o.exe.385b138.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.tx4pkcHL9o.exe.385b138.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.tx4pkcHL9o.exe.3871f58.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.tx4pkcHL9o.exe.3871f58.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.tx4pkcHL9o.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.tx4pkcHL9o.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.tx4pkcHL9o.exe.385b138.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.tx4pkcHL9o.exe.385b138.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: tx4pkcHL9o.exe PID: 7260, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: tx4pkcHL9o.exe PID: 7756, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/15@3/2

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe

File created: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe

File created: C:\Users\user\AppData\Local\Temp\tmp86BB.tmp

Jump to behavior

Source: tx4pkcHL9o.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tx4pkcHL9o.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002C0E000.00000004.00000800.00020000.00000000.sdmp, tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, tx4pkcHL9o.exe, 0000000A.00000002.2635342685.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.0000000002A71000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: tx4pkcHL9o.exe	ReversingLabs: Detection: 81%
Source: tx4pkcHL9o.exe	Virustotal: Detection: 79%

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe

File read: C:\Users\user\Desktop\tx4pkcHL9o.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\tx4pkcHL9o.exe "C:\Users\user\Desktop\tx4pkcHL9o.exe"
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tx4pkcHL9o.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp86BB.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Users\user\Desktop\tx4pkcHL9o.exe "C:\Users\user\Desktop\tx4pkcHL9o.exe"
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Users\user\Desktop\tx4pkcHL9o.exe "C:\Users\user\Desktop\tx4pkcHL9o.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp9B0E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process created: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe "C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe"
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process created: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe "C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe"
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tx4pkcHL9o.exe"	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe"	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp86BB.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Users\user\Desktop\tx4pkcHL9o.exe "C:\Users\user\Desktop\tx4pkcHL9o.exe"	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Users\user\Desktop\tx4pkcHL9o.exe "C:\Users\user\Desktop\tx4pkcHL9o.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp9B0E.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process created: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe "C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process created: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe "C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe"	Jump to behavior

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: tx4pkcHL9o.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: tx4pkcHL9o.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: tx4pkcHL9o.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: rFePR.pdb source: tx4pkcHL9o.exe, VyaPZFtSeDDse.exe.0.dr
Source:	Binary string: rFePR.pdbSHA256 source: tx4pkcHL9o.exe, VyaPZFtSeDDse.exe.0.dr

Source: tx4pkcHL9o.exe

Static PE information: 0xE4ED3715 [Sun Sep 16 03:23:01 2091 UTC]

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 0_2_06DC3BB0 push 1406E9CBh; retf	0_2_06DC3BB5
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 0_2_082BF8B0 push esp; retf	0_2_082BF8B1
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Code function: 10_2_056A3C4F push 00000005h; ret	10_2_056A3C80
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Code function: 11_2_07083BB0 push 140707CBh; retf	11_2_07083BB5

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe

File created: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp86BB.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: tx4pkcHL9o.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VyaPZFtSeDDse.exe PID: 7880, type: MEMORYSTR

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Memory allocated: 2560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Memory allocated: 2700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Memory allocated: 82D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Memory allocated: 92D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Memory allocated: 94C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Memory allocated: A4C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Memory allocated: 1010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Memory allocated: 2B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Memory allocated: 11D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Memory allocated: 1200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Memory allocated: 2E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Memory allocated: 4E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Memory allocated: 8B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Memory allocated: 71D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Memory allocated: 9B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Memory allocated: AB90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Memory allocated: C60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Memory allocated: 2960000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Memory allocated: 28A0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7209	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1028	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6076	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 855	Jump to behavior

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe TID: 7320	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7664	Thread sleep count: 7209 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7744	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7640	Thread sleep count: 1028 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7700	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7740	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7708	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe TID: 7992	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: VyaPZFtSeDDse.exe, 0000000B.00000002.1461275366.0000000001334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:]
Source: tx4pkcHL9o.exe, 0000000A.00000002.2631725953.0000000000E04000.00000004.00000020.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2632283324.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tx4pkcHL9o.exe"
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe"
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tx4pkcHL9o.exe"	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Memory written: C:\Users\user\Desktop\tx4pkcHL9o.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Memory written: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tx4pkcHL9o.exe"	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe"	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp86BB.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Users\user\Desktop\tx4pkcHL9o.exe "C:\Users\user\Desktop\tx4pkcHL9o.exe"	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Process created: C:\Users\user\Desktop\tx4pkcHL9o.exe "C:\Users\user\Desktop\tx4pkcHL9o.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp9B0E.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process created: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe "C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Process created: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe "C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe"	Jump to behavior

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Queries volume information: C:\Users\user\Desktop\tx4pkcHL9o.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Queries volume information: C:\Users\user\Desktop\tx4pkcHL9o.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Queries volume information: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Queries volume information: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.3871f58.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.385b138.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.3871f58.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tx4pkcHL9o.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.385b138.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tx4pkcHL9o.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tx4pkcHL9o.exe PID: 7756, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.3871f58.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.385b138.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.3871f58.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tx4pkcHL9o.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.385b138.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tx4pkcHL9o.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tx4pkcHL9o.exe PID: 7756, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\tx4pkcHL9o.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.3871f58.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.385b138.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.3871f58.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tx4pkcHL9o.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.385b138.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2633387402.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2633318751.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tx4pkcHL9o.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tx4pkcHL9o.exe PID: 7756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VyaPZFtSeDDse.exe PID: 5740, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.3871f58.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.385b138.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.3871f58.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tx4pkcHL9o.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.385b138.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tx4pkcHL9o.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tx4pkcHL9o.exe PID: 7756, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.3871f58.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.385b138.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.3871f58.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tx4pkcHL9o.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tx4pkcHL9o.exe.385b138.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tx4pkcHL9o.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tx4pkcHL9o.exe PID: 7756, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	13 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tx4pkcHL9o.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
tx4pkcHL9o.exe	79%	Virustotal		Browse
tx4pkcHL9o.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Source	Detection	Scanner	Label	Link
https://www.chiark.greenend	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
reallyfreegeoip.org	104.21.32.1	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high
time.windows.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/	VyaPZFtSeDDse.exe, 00000011.00000002.2632283324.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	tx4pkcHL9o.exe, 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp, tx4pkcHL9o.exe, 0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.orgd	tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029FB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189d	tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029FB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.chiark.greenend	tx4pkcHL9o.exe, 00000000.00000002.1419720378.0000000006ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029CC000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	tx4pkcHL9o.exe, 00000000.00000002.1401358796.000000000285F000.00000004.00000800.00020000.00000000.sdmp, tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 0000000B.00000002.1465165627.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.0000000002961000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	tx4pkcHL9o.exe, VyaPZFtSeDDse.exe.0.dr	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	tx4pkcHL9o.exe, 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp, tx4pkcHL9o.exe, 0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	tx4pkcHL9o.exe, 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp, tx4pkcHL9o.exe, 0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp, tx4pkcHL9o.exe, 0000000A.00000002.2633318751.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, VyaPZFtSeDDse.exe, 00000011.00000002.2633387402.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.32.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587667
Start date and time:	2025-01-10 16:37:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tx4pkcHL9o.exe renamed because original name is a hash value
Original Sample Name:	987d80fbc03ed5f7612a742982367ae5f354237968d23b2fe1cbe9440946497d.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@23/15@3/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 184 Number of non-executed functions: 34
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.101.57.9, 13.107.246.45, 2.23.242.162, 4.175.87.197
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, twc.trafficmanager.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target VyaPZFtSeDDse.exe, PID 5740 because it is empty
Execution Graph export aborted for target tx4pkcHL9o.exe, PID 7756 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:38:47	API Interceptor	2x Sleep call for process: tx4pkcHL9o.exe modified
10:38:50	API Interceptor	46x Sleep call for process: powershell.exe modified
10:38:54	API Interceptor	2x Sleep call for process: VyaPZFtSeDDse.exe modified
16:38:52	Task Scheduler	Run new task: VyaPZFtSeDDse path: C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.32.1	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
104.21.32.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	redroomaudio.com/administrator/index.php
158.101.44.242	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	ZOYGRL1ePa.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	Salary Payment Information Discrepancy_pdf.pif.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
checkip.dyndns.com	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Salary Payment Information Discrepancy_pdf.pif.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
s-part-0017.t-0009.t-msedge.net	WF2DL1l7E8.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	Play_VM-NowTingrammAudiowav011.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	launcher.exe.bin.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	13.107.246.45
	FGTFTj8GLM.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	30562134305434372.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	https://na4.docusign.net/Signing/EmailStart.aspx?a=ffa78034-d960-4bb3-b2a2-bb62a1fc4a65&etti=24&acct=86dab687-685e-40aa-af52-e5c3fc07b508&er=04714c6d-cc25-4a21-be91-01e1c43a5f3f	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	hCkkM0lH0P.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
	RSLMZxqebl.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	nRNzqQOQwk.exe	Get hash	malicious	GuLoader	Browse	13.107.246.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Salary Payment Information Discrepancy_pdf.pif.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
CLOUDFLARENETUS	https://zfrmz.com/3GiGYUP4BArW2NBgkPU3	Get hash	malicious	Unknown	Browse	104.18.94.41
	Play_VM-NowTingrammAudiowav011.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://theleadking2435063.emlnk.com/lt.php?x=3DZy~GDHJaLL5a37-gxLhhGf13JRv_MkkPo2jHPMKXOh5XR.-Uy.xuO-2I2imNf	Get hash	malicious	Unknown	Browse	104.17.203.31
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	https://na4.docusign.net/Signing/EmailStart.aspx?a=ffa78034-d960-4bb3-b2a2-bb62a1fc4a65&etti=24&acct=86dab687-685e-40aa-af52-e5c3fc07b508&er=04714c6d-cc25-4a21-be91-01e1c43a5f3f	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	DpTbBYeE7J.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	104.26.13.205
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	Salary Payment Information Discrepancy_pdf.pif.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1

Process:	C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tx4pkcHL9o.exe.log

Download File

Process:	C:\Users\user\Desktop\tx4pkcHL9o.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379401388151058
Encrypted:	false
SSDEEP:	48:fWSU4xc4RTmaoUeW+gZ9tK8NPZHUxL7u1iMuge//YPUyus:fLHxcIalLgZ2KRHWLOugQs
MD5:	76231FA02D2B68526FF7373F6EB0E573
SHA1:	D55C61E3E95F938EDA307C322E4A5B559A18796B
SHA-256:	9DF1DBB624804FE23603854F6BDD86F7B1CCA5F66A8AD9C89B3DB7F4C2AE525A
SHA-512:	53DE6D5171058E5B3BFD4E7CB23D6E5B92D386FD5AB16ECB38975EF2CC810C71A3D3DC47B4C52879E57D4C66C2371E6421BFAD6FB6B8AD4673BE9F7FC45AC785
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.ConfigurationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.4.................%...K... ...........System.Xml..<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1pwksqjp.01n.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_advxwvlj.lrh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ffirf2ll.3rd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fhzsa5mk.tmy.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gnoxec5r.vxs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_knpie4pn.prt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l4yt2vq2.wap.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sa2mx2rc.0cx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp86BB.tmp

Download File

Process:	C:\Users\user\Desktop\tx4pkcHL9o.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1607
Entropy (8bit):	5.1242290102564425
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtPxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTJv
MD5:	2CFCE326694EB29324009387D6AFC9BA
SHA1:	F6934852AD4570EE7AAC6123DD37FBFAD68F982F
SHA-256:	DEAA1DAE1A3F073634B02E9DFC556BE835ED429D4B50C981BE39E12AB924BB3A
SHA-512:	2B6F9BAA300D31D67BF94371DF4A588FC2D1C8F3043B763BB40803DA32FF6198C94909CE374B1BC98980ED6CB77C6AF96EF9C6EE0E8ED632F8EFBF2F1548A148
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmp9B0E.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1607
Entropy (8bit):	5.1242290102564425
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtPxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTJv
MD5:	2CFCE326694EB29324009387D6AFC9BA
SHA1:	F6934852AD4570EE7AAC6123DD37FBFAD68F982F
SHA-256:	DEAA1DAE1A3F073634B02E9DFC556BE835ED429D4B50C981BE39E12AB924BB3A
SHA-512:	2B6F9BAA300D31D67BF94371DF4A588FC2D1C8F3043B763BB40803DA32FF6198C94909CE374B1BC98980ED6CB77C6AF96EF9C6EE0E8ED632F8EFBF2F1548A148
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe

Download File

Process:	C:\Users\user\Desktop\tx4pkcHL9o.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	822280
Entropy (8bit):	6.5920070597534535
Encrypted:	false
SSDEEP:	12288:8Y2115Xb/J5Rbur4PBV8ij3rvCUAz3cdrmcSoHYfz5vSkR:xYHXFzbrpV8MOUAzamcwLD
MD5:	E6884ED9330553C602104752D461F363
SHA1:	6C10A1BF2148D830DF770F77F42779F87D80FC39
SHA-256:	987D80FBC03ED5F7612A742982367AE5F354237968D23B2FE1CBE9440946497D
SHA-512:	9164E377EEDA8BA4D0C4A35E8C0F849A97C04982F8F2EAA507F60AF7D28C5A182627C626319394B92A6CAF8AC23F297394CA337C501B87C16A50ECC3F7C26AB9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7................0..L...........j... ........@.. ....................................@..................................j..O....................V...6..........DR..p............................................ ............... ..H............text....J... ...L.................. ..`.rsrc................N..............@..@.reloc...............T..............@..B.................j......H............R......J........s...........................................0............}......}.....(.......(......{...........%.r...p(....s.....%.r...p(....s.....%.r%..p(....s.......o.......(...+....-....o....&..0...........s2.....o.......0...........sA.....o.......0...........s/.....o.......0...........s8.....o.......0...........s;.....o.......0...........s>.....o.......0...........s5.....o.......0...........sD.....o.......0...........sG.....o.......0...........s .

C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\tx4pkcHL9o.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.5920070597534535
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	tx4pkcHL9o.exe
File size:	822'280 bytes
MD5:	e6884ed9330553c602104752d461f363
SHA1:	6c10a1bf2148d830df770f77f42779f87d80fc39
SHA256:	987d80fbc03ed5f7612a742982367ae5f354237968d23b2fe1cbe9440946497d
SHA512:	9164e377eeda8ba4d0c4a35e8c0f849a97c04982f8f2eaa507f60af7d28c5a182627c626319394b92a6caf8ac23f297394ca337c501b87c16a50ecc3f7c26ab9
SSDEEP:	12288:8Y2115Xb/J5Rbur4PBV8ij3rvCUAz3cdrmcSoHYfz5vSkR:xYHXFzbrpV8MOUAzamcwLD
TLSH:	EC05723D09BD22EB81A5C79DCBE89827F610A46FB150ADA494C647A57347F4B34C323E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7................0..L...........j... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4c6ae6
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE4ED3715 [Sun Sep 16 03:23:01 2091 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc6a92	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x5c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc5600	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xca000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc5244	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc4aec	0xc4c00	4f455312dd53e5d817938b5c9fc88470	False	0.6204174773665819	OpenPGP Public Key	6.568804655324774	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc8000	0x5c4	0x600	84ff2f389b9c5e52c37d8f1a0a3209e6	False	0.4296875	data	4.113089669875473	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xca000	0xc	0x200	769673657a91c1b35dadccdc40c9b650	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc8090	0x334	data			0.4378048780487805
RT_MANIFEST	0xc83d4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T16:38:55.879539+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49740	158.101.44.242	80	TCP
2025-01-10T16:38:59.380324+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49778	158.101.44.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:38:52.152780056 CET	49740	80	192.168.2.7	158.101.44.242
Jan 10, 2025 16:38:52.157560110 CET	80	49740	158.101.44.242	192.168.2.7
Jan 10, 2025 16:38:52.157752991 CET	49740	80	192.168.2.7	158.101.44.242
Jan 10, 2025 16:38:52.157922983 CET	49740	80	192.168.2.7	158.101.44.242
Jan 10, 2025 16:38:52.162646055 CET	80	49740	158.101.44.242	192.168.2.7
Jan 10, 2025 16:38:53.929609060 CET	80	49740	158.101.44.242	192.168.2.7
Jan 10, 2025 16:38:54.061778069 CET	49740	80	192.168.2.7	158.101.44.242
Jan 10, 2025 16:38:54.066972017 CET	80	49740	158.101.44.242	192.168.2.7
Jan 10, 2025 16:38:55.807977915 CET	80	49740	158.101.44.242	192.168.2.7
Jan 10, 2025 16:38:55.818195105 CET	49762	443	192.168.2.7	104.21.32.1
Jan 10, 2025 16:38:55.818223000 CET	443	49762	104.21.32.1	192.168.2.7
Jan 10, 2025 16:38:55.818283081 CET	49762	443	192.168.2.7	104.21.32.1
Jan 10, 2025 16:38:55.835015059 CET	49762	443	192.168.2.7	104.21.32.1
Jan 10, 2025 16:38:55.835041046 CET	443	49762	104.21.32.1	192.168.2.7
Jan 10, 2025 16:38:55.879539013 CET	49740	80	192.168.2.7	158.101.44.242
Jan 10, 2025 16:38:56.320561886 CET	443	49762	104.21.32.1	192.168.2.7
Jan 10, 2025 16:38:56.320642948 CET	49762	443	192.168.2.7	104.21.32.1
Jan 10, 2025 16:38:56.578999996 CET	49762	443	192.168.2.7	104.21.32.1
Jan 10, 2025 16:38:56.579036951 CET	443	49762	104.21.32.1	192.168.2.7
Jan 10, 2025 16:38:56.579550982 CET	443	49762	104.21.32.1	192.168.2.7
Jan 10, 2025 16:38:56.692054033 CET	49762	443	192.168.2.7	104.21.32.1
Jan 10, 2025 16:38:57.218549967 CET	49762	443	192.168.2.7	104.21.32.1
Jan 10, 2025 16:38:57.259324074 CET	443	49762	104.21.32.1	192.168.2.7
Jan 10, 2025 16:38:57.334336996 CET	443	49762	104.21.32.1	192.168.2.7
Jan 10, 2025 16:38:57.334403038 CET	443	49762	104.21.32.1	192.168.2.7
Jan 10, 2025 16:38:57.334450960 CET	49762	443	192.168.2.7	104.21.32.1
Jan 10, 2025 16:38:57.341288090 CET	49762	443	192.168.2.7	104.21.32.1
Jan 10, 2025 16:38:58.564089060 CET	49778	80	192.168.2.7	158.101.44.242
Jan 10, 2025 16:38:58.568943977 CET	80	49778	158.101.44.242	192.168.2.7
Jan 10, 2025 16:38:58.569036007 CET	49778	80	192.168.2.7	158.101.44.242
Jan 10, 2025 16:38:58.569259882 CET	49778	80	192.168.2.7	158.101.44.242
Jan 10, 2025 16:38:58.574033976 CET	80	49778	158.101.44.242	192.168.2.7
Jan 10, 2025 16:38:59.143071890 CET	80	49778	158.101.44.242	192.168.2.7
Jan 10, 2025 16:38:59.147413969 CET	49778	80	192.168.2.7	158.101.44.242
Jan 10, 2025 16:38:59.154064894 CET	80	49778	158.101.44.242	192.168.2.7
Jan 10, 2025 16:38:59.325865984 CET	80	49778	158.101.44.242	192.168.2.7
Jan 10, 2025 16:38:59.328547001 CET	49785	443	192.168.2.7	104.21.32.1
Jan 10, 2025 16:38:59.328591108 CET	443	49785	104.21.32.1	192.168.2.7
Jan 10, 2025 16:38:59.329260111 CET	49785	443	192.168.2.7	104.21.32.1
Jan 10, 2025 16:38:59.335309029 CET	49785	443	192.168.2.7	104.21.32.1
Jan 10, 2025 16:38:59.335350037 CET	443	49785	104.21.32.1	192.168.2.7
Jan 10, 2025 16:38:59.380323887 CET	49778	80	192.168.2.7	158.101.44.242
Jan 10, 2025 16:38:59.796946049 CET	443	49785	104.21.32.1	192.168.2.7
Jan 10, 2025 16:38:59.797019958 CET	49785	443	192.168.2.7	104.21.32.1
Jan 10, 2025 16:38:59.798871994 CET	49785	443	192.168.2.7	104.21.32.1
Jan 10, 2025 16:38:59.798878908 CET	443	49785	104.21.32.1	192.168.2.7
Jan 10, 2025 16:38:59.799266100 CET	443	49785	104.21.32.1	192.168.2.7
Jan 10, 2025 16:38:59.871541023 CET	49785	443	192.168.2.7	104.21.32.1
Jan 10, 2025 16:38:59.973129988 CET	49785	443	192.168.2.7	104.21.32.1
Jan 10, 2025 16:39:00.015324116 CET	443	49785	104.21.32.1	192.168.2.7
Jan 10, 2025 16:39:00.101932049 CET	443	49785	104.21.32.1	192.168.2.7
Jan 10, 2025 16:39:00.102099895 CET	443	49785	104.21.32.1	192.168.2.7
Jan 10, 2025 16:39:00.102159977 CET	49785	443	192.168.2.7	104.21.32.1
Jan 10, 2025 16:39:00.112073898 CET	49785	443	192.168.2.7	104.21.32.1
Jan 10, 2025 16:40:00.940532923 CET	80	49740	158.101.44.242	192.168.2.7
Jan 10, 2025 16:40:00.940658092 CET	49740	80	192.168.2.7	158.101.44.242
Jan 10, 2025 16:40:04.325807095 CET	80	49778	158.101.44.242	192.168.2.7
Jan 10, 2025 16:40:04.326004982 CET	49778	80	192.168.2.7	158.101.44.242
Jan 10, 2025 16:40:35.817625046 CET	49740	80	192.168.2.7	158.101.44.242
Jan 10, 2025 16:40:35.822427034 CET	80	49740	158.101.44.242	192.168.2.7
Jan 10, 2025 16:40:39.334790945 CET	49778	80	192.168.2.7	158.101.44.242
Jan 10, 2025 16:40:39.339668989 CET	80	49778	158.101.44.242	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:38:43.931165934 CET	55751	53	192.168.2.7	1.1.1.1
Jan 10, 2025 16:38:52.119064093 CET	53797	53	192.168.2.7	1.1.1.1
Jan 10, 2025 16:38:52.126993895 CET	53	53797	1.1.1.1	192.168.2.7
Jan 10, 2025 16:38:55.809381008 CET	54877	53	192.168.2.7	1.1.1.1
Jan 10, 2025 16:38:55.816875935 CET	53	54877	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 16:38:43.931165934 CET	192.168.2.7	1.1.1.1	0xd799	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:38:52.119064093 CET	192.168.2.7	1.1.1.1	0xa80b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:38:55.809381008 CET	192.168.2.7	1.1.1.1	0xf358	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 16:38:43.937880039 CET	1.1.1.1	192.168.2.7	0xd799	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:38:44.293667078 CET	1.1.1.1	192.168.2.7	0xfef2	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:38:44.293667078 CET	1.1.1.1	192.168.2.7	0xfef2	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:38:52.126993895 CET	1.1.1.1	192.168.2.7	0xa80b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:38:52.126993895 CET	1.1.1.1	192.168.2.7	0xa80b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:38:52.126993895 CET	1.1.1.1	192.168.2.7	0xa80b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:38:52.126993895 CET	1.1.1.1	192.168.2.7	0xa80b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:38:52.126993895 CET	1.1.1.1	192.168.2.7	0xa80b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:38:52.126993895 CET	1.1.1.1	192.168.2.7	0xa80b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:38:55.816875935 CET	1.1.1.1	192.168.2.7	0xf358	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:38:55.816875935 CET	1.1.1.1	192.168.2.7	0xf358	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:38:55.816875935 CET	1.1.1.1	192.168.2.7	0xf358	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:38:55.816875935 CET	1.1.1.1	192.168.2.7	0xf358	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:38:55.816875935 CET	1.1.1.1	192.168.2.7	0xf358	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:38:55.816875935 CET	1.1.1.1	192.168.2.7	0xf358	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:38:55.816875935 CET	1.1.1.1	192.168.2.7	0xf358	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49740	158.101.44.242	80	7756	C:\Users\user\Desktop\tx4pkcHL9o.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:38:52.157922983 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:38:53.929609060 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:38:53 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e10ce630c6050b918a5a2e463cffba33 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 16:38:54.061778069 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 16:38:55.807977915 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:38:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2ea68273063cb2781589e03bf695e66b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49778	158.101.44.242	80	5740	C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:38:58.569259882 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:38:59.143071890 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:38:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5b03eb0109313e1b65b0df315dd73516 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 16:38:59.147413969 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 16:38:59.325865984 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:38:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7063df7f221d6beb8d790cbbd184038f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49762	104.21.32.1	443	7756	C:\Users\user\Desktop\tx4pkcHL9o.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:38:57 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 15:38:57 UTC	860	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:38:57 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1838326 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fp%2BNBRSZ3mbbF6zEv8f5pBTivHxUwgho1buy3Rzv1l%2B3wrYGW67ohTjv4YB%2FQSXm3QQwqnGm1uU4V38pSESmfW1ioF2hRN%2BmXWM5VNFLo7wGpL%2BfbIzjFI3A2YuLuM6CvHZAtDpP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdc1cbfd851875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1624&min_rtt=1621&rtt_var=615&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1769696&cwnd=153&unsent_bytes=0&cid=291a5ccf4c9d29ad&ts=1034&x=0"
2025-01-10 15:38:57 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49785	104.21.32.1	443	5740	C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:38:59 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 15:39:00 UTC	867	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:39:00 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1838329 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dxUYNv%2BIP%2FR%2F3BwVSQ%2BV0TyDBtiRs7tRprfGl8E60sVtY7L35oLqrDUl%2FmaV4wJzUOiGLXlw%2FywdM4KTZ7Zz6CpjFvF%2F6N6xIBuCFDi6%2FuadTOAwEuG%2BkbEv1jRDEPhE1yuv1ZRo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdc1dd2946c327-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1647&min_rtt=1640&rtt_var=629&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1719670&cwnd=189&unsent_bytes=0&cid=385ee4909ccf8ffc&ts=314&x=0"
2025-01-10 15:39:00 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	10:38:47
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\tx4pkcHL9o.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tx4pkcHL9o.exe"
Imagebase:	0x380000
File size:	822'280 bytes
MD5 hash:	E6884ED9330553C602104752D461F363
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1403720087.0000000003809000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:38:49
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tx4pkcHL9o.exe"
Imagebase:	0x810000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:38:49
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:38:49
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe"
Imagebase:	0x810000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:38:49
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:38:49
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp86BB.tmp"
Imagebase:	0x610000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:38:50
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:38:50
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\tx4pkcHL9o.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\tx4pkcHL9o.exe"
Imagebase:	0x170000
File size:	822'280 bytes
MD5 hash:	E6884ED9330553C602104752D461F363
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:38:50
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\tx4pkcHL9o.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tx4pkcHL9o.exe"
Imagebase:	0x730000
File size:	822'280 bytes
MD5 hash:	E6884ED9330553C602104752D461F363
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.2631125232.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2633318751.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	10:38:52
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe
Imagebase:	0x9d0000
File size:	822'280 bytes
MD5 hash:	E6884ED9330553C602104752D461F363
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:38:53
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	10:38:56
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyaPZFtSeDDse" /XML "C:\Users\user\AppData\Local\Temp\tmp9B0E.tmp"
Imagebase:	0x610000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:38:56
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:38:57
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe"
Imagebase:	0x340000
File size:	822'280 bytes
MD5 hash:	E6884ED9330553C602104752D461F363
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:38:57
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\VyaPZFtSeDDse.exe"
Imagebase:	0x520000
File size:	822'280 bytes
MD5 hash:	E6884ED9330553C602104752D461F363
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2633387402.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	233
Total number of Limit Nodes:	13

Executed Functions

Function 025C6F90 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399945932.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b82e131611269be6b75b89de43b2408fed92c7cdf93f769b42c4b86634438e
Instruction ID: 05aec2358aec069ab8877c46a7509b9f2ef53f1eb30f694d89a9a7f0620d854f
Opcode Fuzzy Hash: c5b82e131611269be6b75b89de43b2408fed92c7cdf93f769b42c4b86634438e
Instruction Fuzzy Hash: 2151A770E012089FDB08DFA9D8556EEBBF2FF88300F14846AD415AB364EB359942CF54

Function 025C4218 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399945932.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941e6c82510deb1eb4a20ffa6c38c64ffd2a28b5782763fbc8b47b475517745f
Instruction ID: 29233836ae6a9d803c531cbf350e90312564fa978b95ce461240a1fd3ecad171
Opcode Fuzzy Hash: 941e6c82510deb1eb4a20ffa6c38c64ffd2a28b5782763fbc8b47b475517745f
Instruction Fuzzy Hash: F751A770E012099FDB18DFA9D854AEEBBF2FF88310F148469D415AB364EB359942CF54

Function 025CD4E8 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 025CD576
GetCurrentThread.KERNEL32 ref: 025CD5B3
GetCurrentProcess.KERNEL32 ref: 025CD5F0
GetCurrentThreadId.KERNEL32 ref: 025CD649

Memory Dump Source

Source File: 00000000.00000002.1399945932.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_tx4pkcHL9o.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8087046f5a213d9b155a38d6b8011f4b59aeed4a1f05f71d9f31572d32d1acca
Instruction ID: 9499380f40ef85be8384492d0f2552541f14c96dff7775ab7cdbbf5457c059ca
Opcode Fuzzy Hash: 8087046f5a213d9b155a38d6b8011f4b59aeed4a1f05f71d9f31572d32d1acca
Instruction Fuzzy Hash: EB5148B0901349CFEB14DFA9D548BDEBBF1FB88304F24845DD409A72A1D7359984CB6A

Function 025CD4F8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 025CD576
GetCurrentThread.KERNEL32 ref: 025CD5B3
GetCurrentProcess.KERNEL32 ref: 025CD5F0
GetCurrentThreadId.KERNEL32 ref: 025CD649

Memory Dump Source

Source File: 00000000.00000002.1399945932.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_tx4pkcHL9o.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 20feb63361978d624e2106e221536011f3667e855e0ef0d1d69be724b5023eb6
Instruction ID: ea563dcf2232add5b0c844f0a901b5039554cdb25f711e46dee7ca103a231811
Opcode Fuzzy Hash: 20feb63361978d624e2106e221536011f3667e855e0ef0d1d69be724b5023eb6
Instruction Fuzzy Hash: ED5147B1901309CFEB14DFA9D548B9EBBF1FB88304F20845DE409A7360D775A984CB6A

Function 082B6818 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 201
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 082B67E4

Strings

Hq, xrefs: 082B68F3
Hq, xrefs: 082B68AA

Memory Dump Source

Source File: 00000000.00000002.1420575561.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82b0000_tx4pkcHL9o.jbxd

Similarity

API ID: CurrentThread
String ID: Hq$Hq
API String ID: 2882836952-925789375
Opcode ID: 091f9209d4371730fe40beab7c93583431b442c0b2e2e1668ccc1655c6bcc51b
Instruction ID: 2fc639150f4d8b38ae688063d439887600cf1d18998455537c21cdefdea98390
Opcode Fuzzy Hash: 091f9209d4371730fe40beab7c93583431b442c0b2e2e1668ccc1655c6bcc51b
Instruction Fuzzy Hash: BC61AD35B112118FCB149B78D498AAEBBB2EFC8745B14846DE906DB361EB31DC06CB81

Function 06DC58CF Relevance: 1.7, APIs: 1, Instructions: 244processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06DC5B06

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c1d678fa6d69f0860762a978b1cd0e283d31c665a64f11d90317264db3d3bc9e
Instruction ID: 56de45deca77392416ebfa2a6f42deb974f748052af936ea9d719e54ca1c3435
Opcode Fuzzy Hash: c1d678fa6d69f0860762a978b1cd0e283d31c665a64f11d90317264db3d3bc9e
Instruction Fuzzy Hash: 5D914C71D0031ECFEB64DF69D841B9DBBB2AB48320F1485A9E809A7240DB74A995CF91

Function 06DC58D0 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06DC5B06

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 198c32781dc2b0895557dccb591050ca10ce25d7a2462ef314c9551643df9057
Instruction ID: a46ba154b4ee3ff4159834fcca947d52f156d3cc35e39c9757772614c05e6913
Opcode Fuzzy Hash: 198c32781dc2b0895557dccb591050ca10ce25d7a2462ef314c9551643df9057
Instruction Fuzzy Hash: C3914C71D0031ECFEB54DF69D841B9DBBB2BF48320F1485A9E809A7240DB74A995CF91

Function 025CAE59 Relevance: 1.7, APIs: 1, Instructions: 237COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 025CB0BE

Memory Dump Source

Source File: 00000000.00000002.1399945932.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_tx4pkcHL9o.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 10f01a235ca63ac59fcc3c0213b998a7c6834a0509fd125e2470453dd412b669
Instruction ID: 83dceb31bf7f2afff19fcba95cc1933a7dcfbeba486278b5e004d67089b2ba58
Opcode Fuzzy Hash: 10f01a235ca63ac59fcc3c0213b998a7c6834a0509fd125e2470453dd412b669
Instruction Fuzzy Hash: DC9168B0A00B498FD725DF79D45079ABBF1FF84204F14892ED08ACBA51E735E80ACB95

Function 025C44E0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 025C59C9

Memory Dump Source

Source File: 00000000.00000002.1399945932.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_tx4pkcHL9o.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7ea9859be9416e0a5b767565e8df2105a0d8e900b15d01380b76ec09bd007e0a
Instruction ID: 2cc975eaccec2483b4c1c9d6ec800ace6b07b48f3c612af6dcc9fdc1ef46b7ec
Opcode Fuzzy Hash: 7ea9859be9416e0a5b767565e8df2105a0d8e900b15d01380b76ec09bd007e0a
Instruction Fuzzy Hash: CD41D2B0D00719CFEB28DFAAC844B8DFBB5BF49304F60816AD408AB251EB756946CF54

Function 025C590D Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 025C59C9

Memory Dump Source

Source File: 00000000.00000002.1399945932.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_tx4pkcHL9o.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f8a937c18fb20e1b503c9ec0a9224098540a4d9dc1cdfd39e79cbee4757f2d2a
Instruction ID: a95132d5f09f96ba83a2c605dc764c28dd2d887bac1d531446d52f07aab60e1d
Opcode Fuzzy Hash: f8a937c18fb20e1b503c9ec0a9224098540a4d9dc1cdfd39e79cbee4757f2d2a
Instruction Fuzzy Hash: 5E41E371D00719CFEB28DFA9C8847CDBBB2BF48304F60806AD409AB251EB75694ACF54

Function 06DC5247 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06DC52D8

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d2bee8f98e6c378e1edac06a425ff2df779d21befa8ab8bfe4909ae8f2e280a2
Instruction ID: 49bb29c1d031a8960715b0d7abc0244ae4eff3ff1ad8dac0f307c8e05ddc512b
Opcode Fuzzy Hash: d2bee8f98e6c378e1edac06a425ff2df779d21befa8ab8bfe4909ae8f2e280a2
Instruction Fuzzy Hash: 4D212675D003499FDB14CFAAC881BDEBBF5FF48310F10842AE918A7240C779A950CBA5

Function 06DC5248 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06DC52D8

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 899793b2f9984602cb20d5dac1ef4dace9b1b16e5cf63ea3ef8db5dc035f6792
Instruction ID: e0ef49ec8b300a77797e0ed5ea74d35189b551ecf6e28dc6a92b2772e602b74c
Opcode Fuzzy Hash: 899793b2f9984602cb20d5dac1ef4dace9b1b16e5cf63ea3ef8db5dc035f6792
Instruction Fuzzy Hash: 59212671D003499FDB14CFAAC880BDEBBF5FF48310F10842AE918A7240C779A950CBA4

Function 06DC50A8 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06DC512E

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2658642e30daa53deed6fe60b1bc05e0f5b6bffcd71fd10f6c7d39c685734fe2
Instruction ID: 251d4923c96a50dc027d13700e5f1eca083f05724115090ee65dea1377250259
Opcode Fuzzy Hash: 2658642e30daa53deed6fe60b1bc05e0f5b6bffcd71fd10f6c7d39c685734fe2
Instruction Fuzzy Hash: A6213A75D003098FDB14DFAAC884BEEBBF4EF48220F14852DD519A7280CB789645CFA4

Function 06DC5337 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06DC53B8

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: aa3fbd1bddc244e978cbef1fd61f9878ff32f8643d40221bd8785b312a74af09
Instruction ID: 80e1d1c61f31e211425b692b8a2a7b2705c5a10d59a960535a917da968930165
Opcode Fuzzy Hash: aa3fbd1bddc244e978cbef1fd61f9878ff32f8643d40221bd8785b312a74af09
Instruction Fuzzy Hash: DA21E5718003499FDB14DFAAD841BEEBBF5FF48310F10842AE519A7240C779A551DBA5

Function 06DC5338 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06DC53B8

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7908a98b6a1199f778a70d429267d455ee5b59b1ccca989ecaeadd4799abcedd
Instruction ID: 376c54d7b145fe6b20f8649cf8dbd3d185ba1fe5512fc47b8a0e351e1a264c07
Opcode Fuzzy Hash: 7908a98b6a1199f778a70d429267d455ee5b59b1ccca989ecaeadd4799abcedd
Instruction Fuzzy Hash: 0C21E5718003499FDB14DFAAC840BEEBBF5FF48310F10842AE519A7240C779A551DBA5

Function 06DC50B0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06DC512E

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 75e5ef22f9506f40fe20df31ba26c6e6e1efa902e721d6f4d78bd0595e1f5b1f
Instruction ID: ea39d1c508d3e88e77d4cc42fce3e939aa9ca1e33ee51f940690bb88726311dd
Opcode Fuzzy Hash: 75e5ef22f9506f40fe20df31ba26c6e6e1efa902e721d6f4d78bd0595e1f5b1f
Instruction Fuzzy Hash: 7F211871D003098FDB14DFAAC885BEEBBF4EF48224F14842ED559A7240CB78A945CFA5

Function 025CD740 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 025CD7C7

Memory Dump Source

Source File: 00000000.00000002.1399945932.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_tx4pkcHL9o.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bf28cabb9d08fbf7b95cb576f33b03f0bc75a4ba70c210cb472c773387bddf74
Instruction ID: a46fec5bc80a5920b0229d91cd9f0a3b37ccbc1be8fdba46c11fcf41e0c81695
Opcode Fuzzy Hash: bf28cabb9d08fbf7b95cb576f33b03f0bc75a4ba70c210cb472c773387bddf74
Instruction Fuzzy Hash: 1B21E3B5900248DFDB10CFAAD584ADEFBF8FB48310F14842AE914A7350D378A950CF65

Function 06DC4FF9 Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 06DC5062

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 85d32c412db6fd08c956f16c12400c31ee0f2b55c6c8d59ef39eb8dcd8d01377
Instruction ID: 6f5bf14739a65300fbd1136d818fdb7650a267dcafbf721ff162a0dc512ad92c
Opcode Fuzzy Hash: 85d32c412db6fd08c956f16c12400c31ee0f2b55c6c8d59ef39eb8dcd8d01377
Instruction Fuzzy Hash: 8F213875D003498FDB24DFAAD844B9EFBF5EF48224F108559D529A7280CB756940CB94

Function 025CD738 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 025CD7C7

Memory Dump Source

Source File: 00000000.00000002.1399945932.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_tx4pkcHL9o.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0ec376c33aa0e4ce2cfdbc4cbb341b208f8e82631c195e487047929c2489275e
Instruction ID: cbcce82eae4043df9726168c96b887bca7ad2f1ef28b1530e8d3fcf8519a92a3
Opcode Fuzzy Hash: 0ec376c33aa0e4ce2cfdbc4cbb341b208f8e82631c195e487047929c2489275e
Instruction Fuzzy Hash: 5B21E0B5D00248DFDB10CFA9D580ADEBBF5FB48310F14842AE958A7350D378AA50CF64

Function 06DC5181 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06DC51F6

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1209f26e3f690ae2ae15df7011826661190847b4d1b9baa8d9043095e4796f02
Instruction ID: 62a4e0ef7b5ec3d99212c7bfcfc000a11d40d02fce8ce1a848d9eacec725f605
Opcode Fuzzy Hash: 1209f26e3f690ae2ae15df7011826661190847b4d1b9baa8d9043095e4796f02
Instruction Fuzzy Hash: 4B1117768002499FDB24DFAAD844BDEFBF5EB48320F148419E919A7250C7759550CBA1

Function 06DC5188 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06DC51F6

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9bb2d6ee0c08d9544638cfc963a0843d8300cc817b599fa6941a2de5911f2126
Instruction ID: 0daf34c895f637976191e80439149781517a2eef06a5c821d4ff3e03340555d4
Opcode Fuzzy Hash: 9bb2d6ee0c08d9544638cfc963a0843d8300cc817b599fa6941a2de5911f2126
Instruction Fuzzy Hash: 641126768003499FDB24DFAAC844BDEFBF5EF48320F148419E515A7250CB79A550CBA5

Function 06DC5000 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 06DC5062

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ec7243c3563136da8ea383035e4515a8aec79936fcd1b8c5be9d3aa6155d61ab
Instruction ID: cc5b28cfd087930e60b1efc248d770282a7411fdca6cd2833ce6245f54ae1b5e
Opcode Fuzzy Hash: ec7243c3563136da8ea383035e4515a8aec79936fcd1b8c5be9d3aa6155d61ab
Instruction Fuzzy Hash: DB112871D003498FDB24DFAAC4457EEFBF5EF48224F14841DD519A7240CA79A544CBA5

Function 025CB058 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 025CB0BE

Memory Dump Source

Source File: 00000000.00000002.1399945932.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_tx4pkcHL9o.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4f56956f43f9ce37639a01872c632a77553c41d36ca95180958e6d846122ca2d
Instruction ID: 1a5e3351a9136dd118b7dfd12714d7c4e52f4eedcb1756a2a8abbd2a7e7f0486
Opcode Fuzzy Hash: 4f56956f43f9ce37639a01872c632a77553c41d36ca95180958e6d846122ca2d
Instruction Fuzzy Hash: 18110FB6C002498FDB20CF9AC444BDEFBF8FB88224F20841AD428A7640D379A545CFA5

Function 06DC97E8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06DC984D

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d4bef181e9d4a71c37b28bddf87553d3548b33ce6242fac06e5356a2de19b392
Instruction ID: 2e60475474cb497e8e37e57779113e57f3d8e8590ad71f6cdd4eb18a8d8db13c
Opcode Fuzzy Hash: d4bef181e9d4a71c37b28bddf87553d3548b33ce6242fac06e5356a2de19b392
Instruction Fuzzy Hash: D11106B5800249DFDB10DF9AD844BDEFBF8EB48320F10851AE528A7340C379A544CFA1

Function 06DC552C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06DC984D

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ce83efd7194315ab1e4794302aa73d7d3fc1eeeacf0d85def7e8d3de47dd2c47
Instruction ID: 0496942d753587a89d87eb6a1d67758f0ec96f1d7d5a25dae3690cc6fe7949aa
Opcode Fuzzy Hash: ce83efd7194315ab1e4794302aa73d7d3fc1eeeacf0d85def7e8d3de47dd2c47
Instruction Fuzzy Hash: 8411E3B5800249DFDB10DF9AC484BDEBBF8EB48320F108419E558A7250C375A954CFA5

Function 009CD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1394938436.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9cd000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9657226e283172d5c13917ad41f9561d1a8295000b550a94e5e9b8983fb6788c
Instruction ID: 9024bc7c43c484b6bceef00292d5e222f2af7d62981127ac39f1e3231d537228
Opcode Fuzzy Hash: 9657226e283172d5c13917ad41f9561d1a8295000b550a94e5e9b8983fb6788c
Instruction Fuzzy Hash: BA21F771900204DFDB18DF14D9C0F26BB65FB94314F20C57DEA090B2A6C33AE856CAA3

Function 00D2D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399263470.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d2d000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480095ceebaaa6fa96322ee935efc15d74a9f9a08da834b5ddd0d580c292fe3c
Instruction ID: f11f150689f4d03057a626e95db34550207115acb85bb07bc315465f8a2f1081
Opcode Fuzzy Hash: 480095ceebaaa6fa96322ee935efc15d74a9f9a08da834b5ddd0d580c292fe3c
Instruction Fuzzy Hash: 0721D071904200EFDB15DF24E9C0B26BBA6FF94318F24C5ADE8494B292C336D846CA76

Function 00D2D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399263470.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d2d000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62cb12bfddf27b214c83b9223165989318dc93396a7350e96845ced8cb69232
Instruction ID: 58d935462f925695e8303eb7c753f336626c6b9ef87bd5bdb9161c7ff0a13c2f
Opcode Fuzzy Hash: e62cb12bfddf27b214c83b9223165989318dc93396a7350e96845ced8cb69232
Instruction Fuzzy Hash: D421F571504340DFDB24DF24E6C4B16BB66FB94318F24C56DE94A4B2A6C336D847CA72

Function 00D2D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399263470.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d2d000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50aa59b3d5edd9f1182cc5bb80a0e3f30410df44922c77230b9e58b5bf981073
Instruction ID: 6be865df185ab67311884ffa3e0f115394376941eee2c0d97652dd3fc5f41725
Opcode Fuzzy Hash: 50aa59b3d5edd9f1182cc5bb80a0e3f30410df44922c77230b9e58b5bf981073
Instruction Fuzzy Hash: A12192755093C09FCB12CF24D990715BF72EB46314F28C5EAD8498F6A7C33A980ACB62

Function 009CD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1394938436.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9cd000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: e64c6d1ae4c54e4cc03d8a3c9b944d9e6f15842ebadb3577e70d828ec5851b0c
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: 9611D676904240DFDB15CF10D5C4B16BF71FB94314F24C6ADD9094B6A6C33AD456CB92

Function 00D2D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399263470.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d2d000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: 09ec2f5fbd8fd3dc659dda309b1fde7c77e4c042e96609519c53cb1642fdd4c0
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: E6118B75904280DFDB15CF10E5C4B15FBA2FF94318F28C6A9D8494B696C33AD84ACB62

Function 009CD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1394938436.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9cd000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34991ac38cb1d0a99a3c65ef3efc0c625219828af13929efca348ae322f30e7
Instruction ID: ccbd1179e39bfe28412c1994140334c91788a8c59ff9e318558abc361bd0161d
Opcode Fuzzy Hash: e34991ac38cb1d0a99a3c65ef3efc0c625219828af13929efca348ae322f30e7
Instruction Fuzzy Hash: D801F7B1805340ABF7205E25CD84F66BB9CEF41360F14852EED080E282D2799841CAB3

Function 009CD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1394938436.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9cd000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be4fd2edacc75107dbcf65d378f6f6fe4e4493d723a0aa201acf13e6c46fa19c
Instruction ID: 9326465fe602ea771b7f575127a98e578c532d634e7f2a1ca4b7f377685dca2c
Opcode Fuzzy Hash: be4fd2edacc75107dbcf65d378f6f6fe4e4493d723a0aa201acf13e6c46fa19c
Instruction Fuzzy Hash: DCF06271405344AEEB248E15C988F62FF9CEB51734F18C55EED084F286C2799944CAB2

Non-executed Functions

Function 06DCB318 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd595d25a2703ff95f202560a541f875b2fea575d86d130e799d20e19986b2e8
Instruction ID: 8e52273a10203190cc93d7992ae753b007e6956eef8abd9ed46dde96f7abf889
Opcode Fuzzy Hash: fd595d25a2703ff95f202560a541f875b2fea575d86d130e799d20e19986b2e8
Instruction Fuzzy Hash: 01E1AC71B0170A8FEB65DB76C860B6AB7F6EFC9710F14446EE1468B290DB35D802CB91

Function 06DC2670 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c9353e9eb2ee62a3f3fc117ea9bb8331b0f4c3a2ec0ea94fdf777d3904c393
Instruction ID: 470856ee49fbc19e265e711c23236cde06616748c1969351a85f401a01191e91
Opcode Fuzzy Hash: 16c9353e9eb2ee62a3f3fc117ea9bb8331b0f4c3a2ec0ea94fdf777d3904c393
Instruction Fuzzy Hash: 4EE11C74E0025A8FDB54DF99C580AAEFBF2FF89315F248159D814AB356D730A941CFA0

Function 06DC4780 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764b440f18b8dac7db2e2ad93802ebd434cb7ffa45141b6d1c14e7983976e8fe
Instruction ID: ba4cecb914a39bf24ff619010bfaa2e3cab79c346b579fe0aca5416a3df69931
Opcode Fuzzy Hash: 764b440f18b8dac7db2e2ad93802ebd434cb7ffa45141b6d1c14e7983976e8fe
Instruction Fuzzy Hash: A6E12C74E0025A8FDB54DF99C590AAEFBF2FF89315F248169D814AB316D730A941CFA0

Function 06DC3F10 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42fd84dac23068b46042e5568387ba7c310c2b14bbc691d58df0ad395411cd51
Instruction ID: a565c5d3c95955794c22d7f6d5385c668636e86be7af9398896da917338d7710
Opcode Fuzzy Hash: 42fd84dac23068b46042e5568387ba7c310c2b14bbc691d58df0ad395411cd51
Instruction Fuzzy Hash: A4E13C74E0021A8FDB54DFA9C590AAEFBF2FF89315F248159D844AB316C730A941CFA0

Function 06DC2AA8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b473f2516ea5fe760d0b86168d7c4dd647a5cbc7f8e0897e36c00550be5d27d
Instruction ID: b207c194c92dad765ee8c70a9cc88fe8c33f622f9880712a2e61da2c0da87d01
Opcode Fuzzy Hash: 9b473f2516ea5fe760d0b86168d7c4dd647a5cbc7f8e0897e36c00550be5d27d
Instruction Fuzzy Hash: FDE11E74E0025A8FDB54DFA9C580AAEFBF2FF88315F248159D854AB356D730A941CFA0

Function 06DC4348 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f582b0237aec3dbc8bd97526e14693975322546649e3faac7462fb82484f801
Instruction ID: 8daa2ce121d2e6330cd9c33295258fdd17720351a9b26b8ef5a62fcd30396425
Opcode Fuzzy Hash: 1f582b0237aec3dbc8bd97526e14693975322546649e3faac7462fb82484f801
Instruction Fuzzy Hash: 38E12E74E002198FDB54DFA9C590AAEFBF2FF89315F248169D414AB356D730A941CFA0

Function 082B0FE8 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420575561.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82b0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e6f241aff80f81976d8cf5968c4f4f77c03f218484af50d1970d0a427e03175
Instruction ID: 10058dfa4e4e77a58fdc1c0cf01a06c47fe4452ec0cb5a3cb9bef94372c0040b
Opcode Fuzzy Hash: 7e6f241aff80f81976d8cf5968c4f4f77c03f218484af50d1970d0a427e03175
Instruction Fuzzy Hash: 7BD10735D10B5A8ACB15EB64D890B99B7B1FF95300F20C79AE1093B215FF70AAC5DB81

Function 025CD424 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399945932.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 370f5c4476850dba5a215d5f86dc51725ee54bb34232734e9adfa2e764789a31
Instruction ID: 59c19879c0835563e37042290acebcd36140f10917a6263a73396664f920a121
Opcode Fuzzy Hash: 370f5c4476850dba5a215d5f86dc51725ee54bb34232734e9adfa2e764789a31
Instruction Fuzzy Hash: 42A15B36E002068FCF09DFA5C84059EBBB3FF85304B25856EE805AB265EB71E956CF44

Function 082B0FF8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420575561.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82b0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37fc423072e0765a1775642ec48344337cd51375ea4968db006209d8fd77fe1a
Instruction ID: 5416b70cd0145789b7a3bdd6299b6703a78d163c64d5a55b5b394d4569d58e41
Opcode Fuzzy Hash: 37fc423072e0765a1775642ec48344337cd51375ea4968db006209d8fd77fe1a
Instruction Fuzzy Hash: C6D1F735D10B5A8ACB15EB64D890B99B7B1FF95300F20C79AE1093B215FF70AAC5DB81

Function 06DC476F Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420225968.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dc0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6e6d30a97eedd5b8329e570c2e5cb36ccf326c707d24b0dcbe539a62a4bf08
Instruction ID: 8b688fc24f388b060d20971d402bd98f5afe3f8a8c22e5ace20d1fc514c19dcc
Opcode Fuzzy Hash: 9a6e6d30a97eedd5b8329e570c2e5cb36ccf326c707d24b0dcbe539a62a4bf08
Instruction Fuzzy Hash: 74514C74E002598FDB54CFA9C5905AEFBF2FF89314F2481A9D418AB356D7309942CFA1

Analysis Process: tx4pkcHL9o.exePID: 7756, Parent PID: 7260COMMON

Executed Functions

Function 056ABC60 Relevance: 12.1, Strings: 9, Instructions: 885COMMON

Download Yara Rule

Strings

(oq, xrefs: 056ABD75
(oq, xrefs: 056AC15F
,q, xrefs: 056AC0F0
(oq, xrefs: 056ABD49
(oq, xrefs: 056ABE12
(oq, xrefs: 056AC221
,q, xrefs: 056AC100
(oq, xrefs: 056AC16F
(oq, xrefs: 056ABC8E

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$(oq$,q$,q
API String ID: 0-746337618
Opcode ID: 5620af2616311bb017edb2fe225d37ec478a086166d004e407943e5e02096b94
Instruction ID: d03b92ac61a31ac8cec7e80018a13e15e7fa443c2867a3d401e46c3cf434999e
Opcode Fuzzy Hash: 5620af2616311bb017edb2fe225d37ec478a086166d004e407943e5e02096b94
Instruction Fuzzy Hash: 4C823835A04209DFDB25CF68C984AAEBBF2BF88300F158559F516AB661D731ED81CF90

Function 056AAF00 Relevance: 9.6, Strings: 7, Instructions: 897COMMON

Download Yara Rule

Strings

Hq, xrefs: 056AB302
,q, xrefs: 056AB7F8
(oq, xrefs: 056AB772
(oq, xrefs: 056AB780
(oq, xrefs: 056AB436
,q, xrefs: 056AB7EA
(oq, xrefs: 056ABA9D

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$,q$,q$Hq
API String ID: 0-2858405300
Opcode ID: a1730d32a3ab70a8c64d56ad1c257ed5300eae61ed151bc90ff4da6499e00e5a
Instruction ID: 4688363cff3b752469cfa3169783db5039397df21ecfe78da6c42ad946d65e13
Opcode Fuzzy Hash: a1730d32a3ab70a8c64d56ad1c257ed5300eae61ed151bc90ff4da6499e00e5a
Instruction Fuzzy Hash: 6D726F71A002199FDB14DF69C854AAEBBF6FF89300F148169E916AB3A5DB30DD41CF90

Function 0101C530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 0101F910

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 0e5dd6b75f2aecadb2ae6fec39644919b9771b665c8e55b224725bf76f48bca6
Instruction ID: 0a96fec3569d3ab2feeff425f39e36070f615606b05e5a5627922c5fd6bcd832
Opcode Fuzzy Hash: 0e5dd6b75f2aecadb2ae6fec39644919b9771b665c8e55b224725bf76f48bca6
Instruction Fuzzy Hash: C473E431D1075A8EDB11EF68C944A99FBB1FF99300F51C6DAE44867225EB70AAC4CF81

Function 010127B9 Relevance: 3.2, Strings: 2, Instructions: 687COMMON

Download Yara Rule

Strings

Xq, xrefs: 01012C95
Xq, xrefs: 01012CBE

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: 2d9fc824fd8c6bdccf460c1f75afce38aaf4d32b04b9f527d027ea9ae18d97a1
Instruction ID: 9f2576ee7627f7b342fd7ec816dc72e55e08ffaa2fc036a6a3a2b4d8e9bebe2d
Opcode Fuzzy Hash: 2d9fc824fd8c6bdccf460c1f75afce38aaf4d32b04b9f527d027ea9ae18d97a1
Instruction Fuzzy Hash: E842F7729563A59FC7875B78C8552943BF1AF6B32C37808EDD0C1CA166F26B1983CB06

Function 056A6138 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PHq, xrefs: 056A6372
PHq, xrefs: 056A6383

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 0c35e3ea14b0b8d1be1c543ecec26ff8fe4b631b1f5aba7176960edcbbd8d050
Instruction ID: 53d1abdcf826175b9b206f32b9dc97eef59cd32dc5b3e896142433954eabe280
Opcode Fuzzy Hash: 0c35e3ea14b0b8d1be1c543ecec26ff8fe4b631b1f5aba7176960edcbbd8d050
Instruction Fuzzy Hash: EC81D075E00218CFDB28DFAAC9547ADBBF2BF89300F24816AD41AAB354DB305946CF50

Function 056A89E0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55325494442c971e5be0043c9fb0b74d7561060f1cd44ab74f03e880b3a2e235
Instruction ID: a9978cb454e530c6a5368123867bb5f2755984f5fb714fb09a0df0af0e5ce093
Opcode Fuzzy Hash: 55325494442c971e5be0043c9fb0b74d7561060f1cd44ab74f03e880b3a2e235
Instruction Fuzzy Hash: AF827B74E012288FDBA5DF69C998BDDBBB2BF89300F1481E9A40DA7254DB315E81CF51

Function 01019480 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b181c816a0f15d26da1f7a9c35d03809b2055567887b4302850cf258ffebf4
Instruction ID: 126289049ba67916f7f738f659c13b61df5f8cb7c8c6d6ccf39dd613fb0a6012
Opcode Fuzzy Hash: 07b181c816a0f15d26da1f7a9c35d03809b2055567887b4302850cf258ffebf4
Instruction Fuzzy Hash: 25C1B174E01218CFDB14DFA9D994B9DBBB2FF88304F2081A9E809AB354DB355A85CF50

Function 0101C521 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b40cef9af53f383a87ad9c5f73a7388fd4d4b6c6ef4b8246e983129160fce6d2
Instruction ID: c0ae081d2d122f7f8106edceae453a20bd8d4b178052c9c785032cf5ac444db6
Opcode Fuzzy Hash: b40cef9af53f383a87ad9c5f73a7388fd4d4b6c6ef4b8246e983129160fce6d2
Instruction Fuzzy Hash: DAA12571D0061A8FEB10DFA9C9847DDFBB1EF89300F14C2AAE44867265EB749A85CF41

Function 01019A30 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb005fe43aca9868300fb946d3dc999e8867d6fe03865eaab55b64b6a6be475
Instruction ID: eed678f21b0806a4858521181a63b08e39b92608e95b122f84fe31fa7c985390
Opcode Fuzzy Hash: bfb005fe43aca9868300fb946d3dc999e8867d6fe03865eaab55b64b6a6be475
Instruction Fuzzy Hash: 11A12570D00208CFEB14DFA9C998BDDBBB1FF88314F248269E448AB295DB745985CF64

Function 01019D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02cf6ec3d00c4d1bf28cc8dc5c5f98eab14b08da19c57624fd16abd9490f3929
Instruction ID: 10ad0fd902f719427e5a371255efdd5f0567781aadac826845c980f7c05fa27e
Opcode Fuzzy Hash: 02cf6ec3d00c4d1bf28cc8dc5c5f98eab14b08da19c57624fd16abd9490f3929
Instruction Fuzzy Hash: C291F270D00208CFEB10DFA8C598BDCBBB1FF49314F248299E449AB295DB799985CF54

Function 056A89D0 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a8bedb1bfaee0a4211d9cd3a648e263008e2d30d263190eea9304e4db41956
Instruction ID: 54587e05169c7b84cc8c290dc7d009da1e85108a2f2930c533dce2edae552e24
Opcode Fuzzy Hash: e2a8bedb1bfaee0a4211d9cd3a648e263008e2d30d263190eea9304e4db41956
Instruction Fuzzy Hash: 8681C174E412288FDB65DF29D990BDDBBB2BB89300F1080EAE949A7354DB315E81CF40

Function 0101946F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8071fd56846f1e9a3b8fee0259a7aede4d0adbd524c6f24f52edaaac369416
Instruction ID: 8a59627cdc84b28cc3cf31ada349355328bd94c6584c1dbe57918017b57a00fe
Opcode Fuzzy Hash: 8f8071fd56846f1e9a3b8fee0259a7aede4d0adbd524c6f24f52edaaac369416
Instruction Fuzzy Hash: 5441E174D00208CBEB18CFAAD95469DFBF2BF88304F24C02AD815AB359EB385945CF54

Function 0101B500 Relevance: 6.6, Strings: 5, Instructions: 386COMMON

Download Yara Rule

Strings

8q, xrefs: 0101B941
TJq, xrefs: 0101B97A
Hq, xrefs: 0101B6EA
Hq, xrefs: 0101B749
Hq, xrefs: 0101B54E

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: 8q$Hq$Hq$Hq$TJq
API String ID: 0-768243005
Opcode ID: 2efb709d0beeda82e75a5ba4e1ed30dc19612bbc8581499914ddc8cacfe8bcb5
Instruction ID: d11475798118206a936b2fa5546e7ce61c0ce3b0057278c6071885603fa3368f
Opcode Fuzzy Hash: 2efb709d0beeda82e75a5ba4e1ed30dc19612bbc8581499914ddc8cacfe8bcb5
Instruction Fuzzy Hash: 92D1D031B002048FDB159B6CD491AAD7BF6EF89320F184465E546EB3A5DB39DC42CBA1

Function 01013F78 Relevance: 6.4, Strings: 5, Instructions: 127COMMON

Download Yara Rule

Strings

PHq, xrefs: 010140E1
PHq, xrefs: 010140F2
LjKp, xrefs: 01014088
LjKp, xrefs: 01014078
0oKp, xrefs: 01013FDA

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: 0oKp$LjKp$LjKp$PHq$PHq
API String ID: 0-2065946399
Opcode ID: db73fc402fd9585c7faeb0e2b3db0e0806f625ffd124d4b5df9bcecc9f7ba00a
Instruction ID: cdf48df7a9852ef1efd313bfc63a59ccf70a9213f88a9aac039e9bc1c2854c72
Opcode Fuzzy Hash: db73fc402fd9585c7faeb0e2b3db0e0806f625ffd124d4b5df9bcecc9f7ba00a
Instruction Fuzzy Hash: 5151A474E00608DFDB44DFAAD984A9DBBF2FF89310F148469E815AB368DB34A941CF50

Function 0101AD3D Relevance: 5.5, Strings: 4, Instructions: 506COMMON

Download Yara Rule

Strings

Hq, xrefs: 0101B239
, xrefs: 0101B065
Hq, xrefs: 0101B1D3
Hq, xrefs: 0101B206

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: $Hq$Hq$Hq
API String ID: 0-1373062214
Opcode ID: ce8e7460cbc99de88b5e15f7bbde4c9c2865e95ee724546fae3b799bfd2917f5
Instruction ID: 7fd37e1132cd6e8508460f3bae08dbfec4b27a26be85ac605419c4b34d6e445f
Opcode Fuzzy Hash: ce8e7460cbc99de88b5e15f7bbde4c9c2865e95ee724546fae3b799bfd2917f5
Instruction Fuzzy Hash: E181F4317006009BEB666F78E85926D7AF2EFC5320F64421AF966973D5CF398D02C7A1

Function 010119B8 Relevance: 5.3, Strings: 4, Instructions: 322COMMON

Download Yara Rule

Strings

Xq, xrefs: 01011A76
Xq, xrefs: 01011B2F
Xq, xrefs: 01011AB0
Xq, xrefs: 01011B7C

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: ebab1ffe6a210c4e17240770a9d6d788971ce88464a5882d69162748e2549c70
Instruction ID: a9fe4dd40038de2c2c5c98f9dbd7e960dda00eaa723409cbfe4d9b3b72233ba7
Opcode Fuzzy Hash: ebab1ffe6a210c4e17240770a9d6d788971ce88464a5882d69162748e2549c70
Instruction Fuzzy Hash: B8C19072D013299FCB9A9B7888843D977F2FF69324F6048A9D0859B154F7364E87CB42

Function 056AA620 Relevance: 4.1, Strings: 3, Instructions: 345COMMON

Download Yara Rule

Strings

Hq, xrefs: 056AA70B
Hq, xrefs: 056AA73E
HP, xrefs: 056AA9D2, 056AA9EF

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: HP$Hq$Hq
API String ID: 0-3563213078
Opcode ID: 07771bfb56f9b0dcd5543079aced9bc83fb92c6deb7771483f3078daff2f5e3d
Instruction ID: 81ff4664c49ed2de2eeab379d866867c8c5791faff49e0740054fd684cd59663
Opcode Fuzzy Hash: 07771bfb56f9b0dcd5543079aced9bc83fb92c6deb7771483f3078daff2f5e3d
Instruction Fuzzy Hash: 7BC1CF367042118FDB269FA4D858B6E7BB7FF88300F14842AE5468B395DB35DC42CBA0

Function 056AAAE0 Relevance: 4.0, Strings: 3, Instructions: 237COMMON

Download Yara Rule

Strings

,q, xrefs: 056AABC0
,q, xrefs: 056AABB6
HP, xrefs: 056AAD36

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: ,q$,q$HP
API String ID: 0-3201807503
Opcode ID: c9063788f1c5c1418b4d400e36b3b454bb1a99a6f646165b916289a64ceef826
Instruction ID: 45213b8c1a7a0672ede61d3157913aafefd1a125949839ac05a2bebd99c27d9d
Opcode Fuzzy Hash: c9063788f1c5c1418b4d400e36b3b454bb1a99a6f646165b916289a64ceef826
Instruction Fuzzy Hash: 7991A236B04115CFDB14DFA9C884A7AB7B2FF89215B18816AD406EB765DB31EC41CFA0

Function 056ACD28 Relevance: 3.3, Strings: 2, Instructions: 807COMMON

Download Yara Rule

Strings

$q, xrefs: 056AD84C
$q, xrefs: 056AD86F

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 235a97f53a6a3734255db760a660f4582eb8e227dc2db77c830177b9b32d5244
Instruction ID: cf96d2435c2ab784d6319fc71bb06b897d390a5faf3c986a7df40ad861187f84
Opcode Fuzzy Hash: 235a97f53a6a3734255db760a660f4582eb8e227dc2db77c830177b9b32d5244
Instruction Fuzzy Hash: AC622134A00218CFEB699BA4C864B9EBB72EF85300F1080ADD10B6B795DF359D45DFA5

Function 056A69E8 Relevance: 2.7, Strings: 2, Instructions: 210COMMON

Download Yara Rule

Strings

(q, xrefs: 056A6BC2
(&q, xrefs: 056A6B03

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: (&q$(q
API String ID: 0-2464455664
Opcode ID: af8dab6c782b4e8fc146922f6519dfc1551db40b082642bb0b7bc4f5345fe3a0
Instruction ID: 40c9dcf91c4c5038f040f0ebcd07bc8268f788a355aa762be833e4ed7c02b106
Opcode Fuzzy Hash: af8dab6c782b4e8fc146922f6519dfc1551db40b082642bb0b7bc4f5345fe3a0
Instruction Fuzzy Hash: 48718232F042199BDB15DFA8D8507AEBBF6AFC9700F188529E406A7384DF309D45CBA5

Function 0101B869 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

8q, xrefs: 0101B941
TJq, xrefs: 0101B97A

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: 8q$TJq
API String ID: 0-1436491226
Opcode ID: 6f17850424b3e042a95bacc313fc840e3b5b6085d4e40bea61f23031ef8680e2
Instruction ID: f80c02dc30dfaaa7d3291ef943fab411b57d508c605e2933c91fa16fdf00e6b9
Opcode Fuzzy Hash: 6f17850424b3e042a95bacc313fc840e3b5b6085d4e40bea61f23031ef8680e2
Instruction Fuzzy Hash: 2E310535B002088FDB55EFA8D491EDDBBB2EF88220F195094E501AF365DA75EC428BA1

Function 0101B89D Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

8q, xrefs: 0101B941
TJq, xrefs: 0101B97A

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: 8q$TJq
API String ID: 0-1436491226
Opcode ID: c0f15fc1599024cf23cc3ffa8be0be2263bc6015b033d67294d98592903182c6
Instruction ID: 17dc602a2db358012dd5f70de91773d9dc0b5ff595822cfa94c663256f7689ba
Opcode Fuzzy Hash: c0f15fc1599024cf23cc3ffa8be0be2263bc6015b033d67294d98592903182c6
Instruction Fuzzy Hash: 8A311735B002088FDB55EFA8D491EDDBBF2EF88220F194094E501AF365DA75EC428BA1

Function 01010B20 Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

LRq, xrefs: 01010B62

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 646bc001d612ba4539ad797a1d78a2d23737e9cef5b1521a9941041ef8c5a9ca
Instruction ID: c221f4c8605c2a894a5db7c6376865260e2dbf878b7cb046422176cdd39cea84
Opcode Fuzzy Hash: 646bc001d612ba4539ad797a1d78a2d23737e9cef5b1521a9941041ef8c5a9ca
Instruction Fuzzy Hash: 5CA1C978E0031ACFCB15EFA8EA849DDBBB1FF48305B104529E405AB769DB306946CF91

Function 01010B30 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

LRq, xrefs: 01010B62

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 648bd9df65eeaf7598b385613ca411cc3d7f8e4a9c303f52cfa8bbe7b8f67b90
Instruction ID: 5f5e241dc601ae19dadafca72b19da64db60c0efb90901763939ac223cfbcc47
Opcode Fuzzy Hash: 648bd9df65eeaf7598b385613ca411cc3d7f8e4a9c303f52cfa8bbe7b8f67b90
Instruction Fuzzy Hash: 4AA1B978E0031ACFCF15EFA8EA8499DBBB1FF48305B104525E415AB769DB306946CF91

Function 0101BC98 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

Hq, xrefs: 0101BD2D

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: Hq
API String ID: 0-1594803414
Opcode ID: 33238ba8d6b124145bc9c6584bd993f090bb3e8efd4b369a9f364ba47b6ab594
Instruction ID: a88cedefca61dcf39ec44253ba5e4b469e45aeffdeb714dd67f7ed73d056787f
Opcode Fuzzy Hash: 33238ba8d6b124145bc9c6584bd993f090bb3e8efd4b369a9f364ba47b6ab594
Instruction Fuzzy Hash: 3C31A131B002089FDB04EFB9D856AAEBBFAEF89211F544479E549D7345DE349D02CBA0

Function 056AC7E8 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

4'q, xrefs: 056AC863

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 3a7acbcd0e69eb9dc2ff010c56a27fa195421a9818390680a8516462fc47ec81
Instruction ID: 4ed454748c939681b8f8a80d5ffb618ef501c975701dc9956792aff44a16c186
Opcode Fuzzy Hash: 3a7acbcd0e69eb9dc2ff010c56a27fa195421a9818390680a8516462fc47ec81
Instruction Fuzzy Hash: 124114766041159FDB54DF69C988AAA7BB6FF48310F100069FA069B3A1CB71DD41CFA1

Function 056A9D48 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

HP, xrefs: 056A9D59, 056A9D76, 056A9D93, 056A9E29

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: HP
API String ID: 0-295633388
Opcode ID: 052d4f9fda11bfd6fe061aab0a06386bce2eac9535a3fd2923a200b0f29e29fa
Instruction ID: ae2b9e41f9d76938e50ed04c35c98f9a2a92701486858adeb22cf73997928d3f
Opcode Fuzzy Hash: 052d4f9fda11bfd6fe061aab0a06386bce2eac9535a3fd2923a200b0f29e29fa
Instruction Fuzzy Hash: B8318F3160415EAFCF15AF64D954AAE3BA6FF89300F208029FA1687395CB35DD61DBA0

Function 056ACC09 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

HP, xrefs: 056ACC22

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: HP
API String ID: 0-295633388
Opcode ID: de4abd859f42e89640fa339b19d97c00f804937217ede82a7fd4e576028f9a08
Instruction ID: 528df3ad53ad4b825cba50856ae4310b408f6c71f05a49624766d36ecc4635b3
Opcode Fuzzy Hash: de4abd859f42e89640fa339b19d97c00f804937217ede82a7fd4e576028f9a08
Instruction Fuzzy Hash: F52104327002004BFB25A73A9859A3E7A9BFFC5714B248079F407CB795EE25CC42DB91

Function 0101BDD9 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

Hq, xrefs: 0101BE36

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: Hq
API String ID: 0-1594803414
Opcode ID: 0b2ab89094f61add2c21b1bfb94da0742bc78d34285b993b6135220b9e1d221b
Instruction ID: d4f7c07f6228e8a7daca67c84517e0a6c40f17971de8104427da4909d1fad508
Opcode Fuzzy Hash: 0b2ab89094f61add2c21b1bfb94da0742bc78d34285b993b6135220b9e1d221b
Instruction Fuzzy Hash: 1921A0317002049FDB18AF68D995B6EBBB6EF84310F648069E54697355DB359D02C7A0

Function 056ACC18 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

HP, xrefs: 056ACC22

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: HP
API String ID: 0-295633388
Opcode ID: 6c3540079953773db66c95c91fed4404ccaee28c85c05433c45528c9fa91cc75
Instruction ID: f2a908b09cb64819a5f66e7133f9959c8605d2a14c31a96f41b854592ad341c2
Opcode Fuzzy Hash: 6c3540079953773db66c95c91fed4404ccaee28c85c05433c45528c9fa91cc75
Instruction Fuzzy Hash: 9C218E327042004BFB25A62A9855B3E7A9BBFC5714F248079F507CBB98EE65CC42DB90

Function 056A9CB7 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

HP, xrefs: 056A9D59, 056A9D76, 056A9D93

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: HP
API String ID: 0-295633388
Opcode ID: 13cdaaa188e5f62b9c801bd18c8b0b5c11342acbfdcd01d465240e303a7acb5c
Instruction ID: ed056d976e57c04484580339c9c3406f15174775d2a229736446c33236fba3c7
Opcode Fuzzy Hash: 13cdaaa188e5f62b9c801bd18c8b0b5c11342acbfdcd01d465240e303a7acb5c
Instruction Fuzzy Hash: 1021E6316092995FCB12AF34D854AAB3FA6EF46314F2440AAF5458B352CA348D65CBF1

Function 056ACB20 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

4'q, xrefs: 056ACB9A

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 64beb41bfbea10a20e7b8d792b2be1327b3389dc84e2f66b4c53648c4a61fae5
Instruction ID: 4d0c83ddd10060977854be821605707d097e763a25825124ed2ba7d95ee87671
Opcode Fuzzy Hash: 64beb41bfbea10a20e7b8d792b2be1327b3389dc84e2f66b4c53648c4a61fae5
Instruction Fuzzy Hash: 6C2151327081598FEB14DE6A998076B7BEAFB89210B048476F912CB744DB72DC41CFA0

Function 056ADA68 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61222422b31322b1108cab8d2e0d65bb95fcc13b6f27016628b4e372a9262f6e
Instruction ID: 201b18200cc609a60425635fba5ea39ef89acd0e83bc56e186712648169a64b0
Opcode Fuzzy Hash: 61222422b31322b1108cab8d2e0d65bb95fcc13b6f27016628b4e372a9262f6e
Instruction Fuzzy Hash: 28F12E72A00215DFCB14DF69C9889ADBBF6FF88310B198099E516AB762D731EC41CF54

Function 0101BF6F Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a877711199e905763775d9e86bd7830afab5b172a7f7c9313b6d100b5f8256e7
Instruction ID: 6cbeebda7dd441b7880bae8a40ab2d855396572e6e3c4395868a97b4530714e4
Opcode Fuzzy Hash: a877711199e905763775d9e86bd7830afab5b172a7f7c9313b6d100b5f8256e7
Instruction Fuzzy Hash: 6F511472B403059FD7158A6CD844AABBBF9EBCA320F14852EF599C7340D635D80187A0

Function 056AC9D9 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e299cf061f64095a23a6785b8af73bc1bf105dcfc6fa0b62c71fee7010eee60
Instruction ID: d9373ac1142c2fe33b211df1e15a720325df21a812d687f731cb85c3a536caee
Opcode Fuzzy Hash: 6e299cf061f64095a23a6785b8af73bc1bf105dcfc6fa0b62c71fee7010eee60
Instruction Fuzzy Hash: 485169327182558FEB14DF39C884A7ABBEABF4961030544BAF51ADB765EB31DC01CB90

Function 056A69D8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e98504d19816950ba435b4e98ef8f355e893ec181dfd5148ef3fc12ad8b5d7
Instruction ID: cd0c488a5ca5f30a63f43a0363cbabdc92cacab076ddb7a8ada0b2f2bd1518d1
Opcode Fuzzy Hash: 60e98504d19816950ba435b4e98ef8f355e893ec181dfd5148ef3fc12ad8b5d7
Instruction Fuzzy Hash: 74412032E103199BDB14DFA5C891BDEBBB5BF88710F288129E412B7354EB70AD45CB90

Function 01013168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8166b54be1d39cf4d0dce15b50866194a2d22452c06924fea5612fa4548e6a5
Instruction ID: d49574ec29137c90d3e4652be8995910c3ac044da53054c07369f44d06037404
Opcode Fuzzy Hash: e8166b54be1d39cf4d0dce15b50866194a2d22452c06924fea5612fa4548e6a5
Instruction Fuzzy Hash: A741B274E012089FDB08DFAAD9849DDBBF2BF89310F249429E405BB368DB345841CF14

Function 01019249 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983aaa1706776e41b0fc6503495cdd04b5d5e9974583773984f3cfcb0193ad97
Instruction ID: e1224a77a0998847357c3ec8d73f55aff5871528917c98e4487d297f4489e2be
Opcode Fuzzy Hash: 983aaa1706776e41b0fc6503495cdd04b5d5e9974583773984f3cfcb0193ad97
Instruction Fuzzy Hash: F631B93503328B9FD6003B25A9AE67EBFA0EB0F7337466D08F80A805149F784086CE34

Function 056ADA58 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c8cb2ef9351a05960bc10407ab4ed6134f5aadd1ffc41cc0307a3c55edeace
Instruction ID: 225ea5b386ff2ebfaf08cf3cb3076d36d8e9ab3a9bf7f1e15bcd3b37d7bb30a1
Opcode Fuzzy Hash: e5c8cb2ef9351a05960bc10407ab4ed6134f5aadd1ffc41cc0307a3c55edeace
Instruction Fuzzy Hash: D8316171A046058FCB14CF6CC888AAEBBF6FF85310B198159E516A77A5CB30ED41CFA4

Function 010118C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f36edd291a3666f863d766b7d9b005446e9cd345ab95acce2053326e9934c9
Instruction ID: 5d08ad2c5be8eaf9b5072535ed21b888def66f6b06c22dc44630f547069716e7
Opcode Fuzzy Hash: 97f36edd291a3666f863d766b7d9b005446e9cd345ab95acce2053326e9934c9
Instruction Fuzzy Hash: 0C21C731A002159FCF55DF3CC840AAE3BB6EB89350B50C159DA699B388DB35EE05CBC1

Function 00DCD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2631696642.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dcd000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dccbf706ec05b3b9eaa1597d42d2305145921d4c7b1beecc9b038bc92c34996c
Instruction ID: 56a4d9ad143ac6ea3eece9ce94f39fe1f7f0bf4bfca511db829c46e19ce8440b
Opcode Fuzzy Hash: dccbf706ec05b3b9eaa1597d42d2305145921d4c7b1beecc9b038bc92c34996c
Instruction Fuzzy Hash: 5421CF71504204EFDB14DF18D980F26BBA6EB84314F24C56DE84A4B292C336D847DA72

Function 01010EC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2321353ac733109d29a89b7fbc5e7e499376b00ca912a6299253a3a4486453f
Instruction ID: b64bfa3c7b2b5c4145d5e4adcc37ab3e21c1421745c12668cd9d3f00562fd3b4
Opcode Fuzzy Hash: d2321353ac733109d29a89b7fbc5e7e499376b00ca912a6299253a3a4486453f
Instruction Fuzzy Hash: 9E218E30E00319DFE705EFB9C4117AEB7B2EF85304F0084A9A4549B748DB789A41CF61

Function 00DCD005 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2631696642.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dcd000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67e43b3caae8d1721b95cdd19a0df62698cdf43a98a90013881a05647eb41e9
Instruction ID: 8f34dd59a42d648e77c18fc83740043ac7eadf2e9e2560a38de1b7b437245160
Opcode Fuzzy Hash: c67e43b3caae8d1721b95cdd19a0df62698cdf43a98a90013881a05647eb41e9
Instruction Fuzzy Hash: 50215E7550D3C09FD713CB24C990B11BF71AB46214F29C5EBD8898F6A3C33A980ACB62

Function 056A6BC8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9264fd1f9cc6f658c227b08c9e81f307ad4cbb5529f5eb28ca7aa47897561740
Instruction ID: 247f2c1bd0cf45a32b69861bd16f979766d4bbdfab375ab707011f1a8ed7a538
Opcode Fuzzy Hash: 9264fd1f9cc6f658c227b08c9e81f307ad4cbb5529f5eb28ca7aa47897561740
Instruction Fuzzy Hash: 8A1103327083945FDB466F7898142AE7FB7EFCA200B14446AE506CB392CE348C0687E2

Function 056AB518 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09423358ca2adb5aee2df5e680508d846bcfef08356d476bc8fc5d2de7573a8
Instruction ID: eb2b34ee23489be5ed2196f1d666caf02361a9f4c97ce624dd82c83786ae8380
Opcode Fuzzy Hash: e09423358ca2adb5aee2df5e680508d846bcfef08356d476bc8fc5d2de7573a8
Instruction Fuzzy Hash: 92219D729002089FCB24CF54C948FAABBF6FB44310F00816EE55A9B661E771DD54CF90

Function 010117B8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffd1dcb15deeba0f0859fbb4b3912933f75880e7448b347dbd2e0ce7249ee1c5
Instruction ID: 1c8ed08745d149ce5c7efc64ee3a68d93be29297588364370475c02a984ee1bb
Opcode Fuzzy Hash: ffd1dcb15deeba0f0859fbb4b3912933f75880e7448b347dbd2e0ce7249ee1c5
Instruction Fuzzy Hash: F721FF70C0520A8FCB05EFB8C9445EEBFF0EF4A314F0041AAD845BB265EB355A85CBA5

Function 0101BB48 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662371b659ee9f8532df8f027eecba5b63a16a46336322209f614d1b81ad9372
Instruction ID: 97aac71f2092892dce7cd86cdc857049354b94106cdbdd528b6a4621c630bc56
Opcode Fuzzy Hash: 662371b659ee9f8532df8f027eecba5b63a16a46336322209f614d1b81ad9372
Instruction Fuzzy Hash: 03114F76700204CFD764DB6DD994A5AB7F6FF88721B1180A9E14A8B769CBB1EC01CB60

Function 0101C108 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6b0d8425f4a401517caf8ae8546498edb9db867d285b8d71ce643bc9695ea5
Instruction ID: 510d223ee9a90ed68bd2c65e7f9495c55625439d7d9993e27e6572c8003ba966
Opcode Fuzzy Hash: de6b0d8425f4a401517caf8ae8546498edb9db867d285b8d71ce643bc9695ea5
Instruction Fuzzy Hash: FA11A335E802158BEB54EFB8D5546EEBFF5AF89214B040539D448A3204DB39DC01CBE1

Function 056A67A0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 134fad6eb34f7901c6133d0d3177dcfc895d7c300f6d76c5613ec2c438ce1f0b
Instruction ID: 2ce2f62921aacad9379ee7d8cc790ca45809ecb14bbdaf446bbda1ce174aeada
Opcode Fuzzy Hash: 134fad6eb34f7901c6133d0d3177dcfc895d7c300f6d76c5613ec2c438ce1f0b
Instruction Fuzzy Hash: 6B116476800249DFDB20CF9AC844BEEBBF4FF48320F148419EA18A7251C339A950CFA5

Function 056A6E70 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ed4ec0350e84b080b2fcb37f1bde22803f2c1ad2d03c541b5c54601d553121
Instruction ID: f90320248183775367bc1819b6d90d1739a7f7055fc9fe1dd5391750bde8d2f8
Opcode Fuzzy Hash: c2ed4ec0350e84b080b2fcb37f1bde22803f2c1ad2d03c541b5c54601d553121
Instruction Fuzzy Hash: 93115676800249DFDB10DF99D945BDEBBF4FF48320F148419E618A7251C339AA50DFA5

Function 01014850 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2247cd002c9710e5bc45e1074d7bd241b2b990d7a7111b0c4c025d6af2e71b50
Instruction ID: 0af4a358e0c1089f2db7cc0c2603be7bbca28789ba94215c53adcd6a056b2401
Opcode Fuzzy Hash: 2247cd002c9710e5bc45e1074d7bd241b2b990d7a7111b0c4c025d6af2e71b50
Instruction Fuzzy Hash: 99019E72F043040FDB24ABB9985466F7BEAAB84750715447ADD45C72A9FE69CC008791

Function 056A6399 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa944c038d890c6a5d465e0920b6b308b6774a30e5cf002659561de87d4f453
Instruction ID: 3f56771f65ee4ab57b0165ed0fd3c44af091cadd2d6a9bd7acb9c97a7143376a
Opcode Fuzzy Hash: 1aa944c038d890c6a5d465e0920b6b308b6774a30e5cf002659561de87d4f453
Instruction Fuzzy Hash: 5F112A75E002498FDB04DFB8D954BAEBBB6EF58311F059065E809AB349EA309D42CF60

Function 01014860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ace4ef65f8ed7e2b51530b28821dcfb5ebc89ef343836d574e3943d2f3f58a5
Instruction ID: 68a78d0ecb386f99fda2e1c492530de3ddd852c7e0a1d9449000f8775772a57e
Opcode Fuzzy Hash: 1ace4ef65f8ed7e2b51530b28821dcfb5ebc89ef343836d574e3943d2f3f58a5
Instruction Fuzzy Hash: D8014B32F003144B9B24ABBE885466F7AEBAF887603144479DD49DB369FE75CC0187A1

Function 0101BEE9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a731b3ea2f22d3f1adca330e93276ab950f1fed2ab3031e2897f5dd7a341b684
Instruction ID: 40585935e1d5c5be9d6aa01d1f59fc189c30e1a06230d37bc19e4ebd09d0b3ba
Opcode Fuzzy Hash: a731b3ea2f22d3f1adca330e93276ab950f1fed2ab3031e2897f5dd7a341b684
Instruction Fuzzy Hash: AE01DB337042049BC7156A78E85A66D7FEBEBC9321F18046EFA46C7345DE29D902C7A0

Function 056AA580 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726477672303c6653b28b04e82228f8db7e9d887fce3292761a6417b13fc1be7
Instruction ID: 0a0c92319153bfec69860f2b17ac4a47d493800fa46b327225756f736b880cb6
Opcode Fuzzy Hash: 726477672303c6653b28b04e82228f8db7e9d887fce3292761a6417b13fc1be7
Instruction Fuzzy Hash: 1401A2366081597BCB119E95DC00ADF3FAAEB89790F148066FA06C7241DA358D16DBE1

Function 0101A508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7155e79410b6e60ce3a11200c9af700e31a0af4fc6a39aa6768911b55524c1e
Instruction ID: 47b7c6dc3ee1f27af3c9c68bccb2f8ecb3c426c055406b315ccb3f3c0c90e502
Opcode Fuzzy Hash: f7155e79410b6e60ce3a11200c9af700e31a0af4fc6a39aa6768911b55524c1e
Instruction Fuzzy Hash: FD018C75A012099BCB10DF69E8496AE7FB5FF88220B40402AFD5A93240DF388D11CBA1

Function 056AA590 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2612dc61d574a04e381990ff9c1e3c2a3746683af25b0518eda784eafa6dc937
Instruction ID: 8fd0fa64bc3b5de98299ca712e01d0babbcc8563b386ef3adb265c890bc87c8d
Opcode Fuzzy Hash: 2612dc61d574a04e381990ff9c1e3c2a3746683af25b0518eda784eafa6dc937
Instruction Fuzzy Hash: EA01AD36B041296B8B159E99D800AAF3BABEBC9750F14802AF606D7380DE71DD11DBE4

Function 0101A4F9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2709f5654fc1b45dce504977549087e9565b39b6ec3740449c9b2531db4983d2
Instruction ID: c6901bfb089bc2f98ce212d05a406bb0d39b2cd64dddeb70cf50036b649b6f8a
Opcode Fuzzy Hash: 2709f5654fc1b45dce504977549087e9565b39b6ec3740449c9b2531db4983d2
Instruction Fuzzy Hash: 22017C71A0524AAFCB15DF68D8549AE7FB5FF88320B50412AFD59D3240DB348911CBA1

Function 0101C1A0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b9690619a6dab4641d998e14bf4239962746a392d884b48f11a59c86c4568c
Instruction ID: 91ec19ad215546ff2fb1154cc7cc6e67484595b614c0b38fcee74998556d310c
Opcode Fuzzy Hash: f9b9690619a6dab4641d998e14bf4239962746a392d884b48f11a59c86c4568c
Instruction Fuzzy Hash: DDF0E232B801128BDB15567DEA14AAEBBA6EFC9231B1400BAF109E7754CF79C9028750

Function 0101B9EA Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b3e9158205f6fb9ebe8e40219ab0bb19d9efa526b5e210352e305d0a3d8a95
Instruction ID: 34fef6090bfcda982e6ed07f45de0ab821a16ac413643f9bf83b059eca0ce4bb
Opcode Fuzzy Hash: d7b3e9158205f6fb9ebe8e40219ab0bb19d9efa526b5e210352e305d0a3d8a95
Instruction Fuzzy Hash: 6EF09676900209AFCB60DF6DD8419DFBBF9FB58250B54412AE545D3301D774951187E1

Function 0101BE98 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b610ada04a377bcf30bc4a0c168e4372d21e391b7c6a7da4788db85d01c7a016
Instruction ID: e49638be104fdbbc03a008f6c0a8cabad2599f666433886188a9767493dc9cc4
Opcode Fuzzy Hash: b610ada04a377bcf30bc4a0c168e4372d21e391b7c6a7da4788db85d01c7a016
Instruction Fuzzy Hash: BCF03A35301205DFC700CF59D484D6ABBEAFF887257504069EA098B331CB719C11CB90

Function 010146C9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1002f2c8204b0ef3bd490eb3b14f6509b8751999246442eb785ed84fd9b2dd
Instruction ID: 1ae962124a48fb1bc006f10acdeadea94bd7b009553fbeb4639166b4f4b05c10
Opcode Fuzzy Hash: ce1002f2c8204b0ef3bd490eb3b14f6509b8751999246442eb785ed84fd9b2dd
Instruction Fuzzy Hash: C7E0A531065B43CFE7106F64BDACB2A7BB4EB0B313B842C40E04AC1279CB7470848B25

Function 010146D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a93e8e5b777bfecd046bff03677201b59da80d58fdbd79b02ecf59e6c995a2
Instruction ID: 0fcc4b80535f99d60b94e520fc68ca6358506d9846658010d8dda03298420bc4
Opcode Fuzzy Hash: 95a93e8e5b777bfecd046bff03677201b59da80d58fdbd79b02ecf59e6c995a2
Instruction Fuzzy Hash: A8E00235061B47CFEB102F64B9ACA3ABAB5EB0B317B806D00E15ED12398F7574848A65

Function 01011877 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac34d52140e08c681ce788f403c04350255009c92006890b35d278d17cd14064
Instruction ID: eff1dd0f0e4a1d0e1961d50101175d73d82373dd7d944809ad67eb454b332a91
Opcode Fuzzy Hash: ac34d52140e08c681ce788f403c04350255009c92006890b35d278d17cd14064
Instruction Fuzzy Hash: 2FE0DF35D103278BC701EBB0DC010EDBBB4AE81320B558262D0243A190EB349A9A8AA2

Function 056AAD81 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 522903c0f3e86126b7b280ec7a1e77c5b1795ce5d1580f43bcdce758cde14496
Instruction ID: 7fcbd00b95a0a7eb086e0d4bd2d321fd297e8bbdab3d2e7f1e4b82a60a066c46
Opcode Fuzzy Hash: 522903c0f3e86126b7b280ec7a1e77c5b1795ce5d1580f43bcdce758cde14496
Instruction Fuzzy Hash: B8E072340093A81FC723A339AC84AC73F6DCE8214070246A6F0C60E15BE970188BC7F1

Function 01011888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f3c1e322e8b55bb184ef993e1393b618198d120126c9a9bbed5a67e58cc1824
Instruction ID: 01bee33d49dbe891f419d92e91c8902dac4829102c03bb42200e91b9da9e6017
Opcode Fuzzy Hash: 0f3c1e322e8b55bb184ef993e1393b618198d120126c9a9bbed5a67e58cc1824
Instruction Fuzzy Hash: 46D05B31D2033A57CB10E7A5DC044DFFB38EED5321B514666D51437144FB706659C6E1

Function 0101BF48 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bdd7cd06331bbfb023016ceee77e82d84d4ba81e72b1e305640296e507e8cf
Instruction ID: b8c2c5f047f6e0098e4ecbf56234826adf2be60e247d070219c58ed3730462d1
Opcode Fuzzy Hash: 42bdd7cd06331bbfb023016ceee77e82d84d4ba81e72b1e305640296e507e8cf
Instruction Fuzzy Hash: 7AD0C737311124774B151A49A8058AE7F5EE7CD7717048026FD1583340CE758D1297E5

Function 056AD95D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f6477a9267f1f8f9d47bda01a46c646fdb36bf855e7a88ea6e6d021398494de
Instruction ID: e5cc9c4742893a3a06e035e3b3ffc3543a6507d47c0b587d85260e9481308ab2
Opcode Fuzzy Hash: 1f6477a9267f1f8f9d47bda01a46c646fdb36bf855e7a88ea6e6d021398494de
Instruction Fuzzy Hash: 98D0677BB40008AFCB149F98EC509DDF7BAFB98221B548116EA15A3264C6319925DB90

Function 056AAD90 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ee5a10946c1c365015c8a6312faf7c24afb04cd638f15af35cbb170ee51655
Instruction ID: d077b0c3048fa009601eaa909546f540d904af4cff56891299da3f7d3b459b22
Opcode Fuzzy Hash: 86ee5a10946c1c365015c8a6312faf7c24afb04cd638f15af35cbb170ee51655
Instruction Fuzzy Hash: 5CC0123440032D4BD555F779E985699336EDAC0209B408531B1050E65EBEB45D4A56B1

Function 01014831 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d48424a5a2c9fecbdb7cad5e07da21116622ba6b05654fa719eaf5ea2b5095
Instruction ID: ceb0f518b4399f64997a0986f5054e657cb3cd5e443456452f046e3e85318d96
Opcode Fuzzy Hash: 52d48424a5a2c9fecbdb7cad5e07da21116622ba6b05654fa719eaf5ea2b5095
Instruction Fuzzy Hash: 8AB092B6D003844AEF360220D51B7753B10AB52204F0A04998D82C118AE95980008610

Non-executed Functions

Function 056AE180 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab43259d2030f07cea133bf7180f342d42cf418e9f246df5fb41f0a8fa8e08bc
Instruction ID: a68f4f4b905f2b06329c3de041e79bda56c8e8357da9aedf9db29debb5118261
Opcode Fuzzy Hash: ab43259d2030f07cea133bf7180f342d42cf418e9f246df5fb41f0a8fa8e08bc
Instruction Fuzzy Hash: A202B575E00218CFDB24DFA9C984B9DBBB6BF49300F1580A9E809AB355DB35AD81CF50

Function 056A5AD8 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8061f00d7961db184ce58224ea7e6de1d680b60b2722ece242ee9894ce4cd5a2
Instruction ID: 9b0b0602779ba93cd5f3053d0d7c4dccea82dda6980c22cb3316930d5a31495a
Opcode Fuzzy Hash: 8061f00d7961db184ce58224ea7e6de1d680b60b2722ece242ee9894ce4cd5a2
Instruction Fuzzy Hash: E8E1C274E01218CFEB24DFA9C944B9DBBB2BF49304F2081A9E409AB394DB355E85CF54

Function 056A4978 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db6d6990af5c5b82d0811bb8bbfdb2242c475357f9ceb2b09cd51ceab921a44
Instruction ID: 7256cd1482cc109f8f35acd781f98ead12dce77695d3d029d3eb77e4f5aaa683
Opcode Fuzzy Hash: 3db6d6990af5c5b82d0811bb8bbfdb2242c475357f9ceb2b09cd51ceab921a44
Instruction Fuzzy Hash: 77C19F75E00218CFDB14DFA9C994B9DBBB2BF89305F2080A9E809AB355DB355E85CF50

Function 056A4520 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1993ca79c3d6c5e5d86a477a2863025b83b225b7b251818f9d67d72d4ab4e123
Instruction ID: c33fc3d1b6e1b4ec198be5ed3526440470e46be633093b8050f5522ec5a11b85
Opcode Fuzzy Hash: 1993ca79c3d6c5e5d86a477a2863025b83b225b7b251818f9d67d72d4ab4e123
Instruction Fuzzy Hash: ABC19075E00218CFDB14DFA9C994B9DBBB2BF89305F2080A9E809AB355DB355E85CF50

Function 056A8130 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5ddfa21736667e2b20a688104c6b7f85d8f2ff588d7973bb33f7caebd3a2fe
Instruction ID: 20b7e5a31ceefc3e43342fa4b4ec2fbc58ea55568fc6c6f0b3cd94654be70343
Opcode Fuzzy Hash: 7c5ddfa21736667e2b20a688104c6b7f85d8f2ff588d7973bb33f7caebd3a2fe
Instruction Fuzzy Hash: 69C19E75E00218CFDB54DFA9C994B9DBBB2BF89304F2080A9D809AB355DB349E85CF50

Function 056A4DD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf94a056743387eb1de2a3e51abc58ab450a4016eff13d20de3440b38d511097
Instruction ID: 64809ac4958ec293b3d58d9bfcbd8b1ee85b1a64639a41dbf3a0d1f0fb5197ca
Opcode Fuzzy Hash: bf94a056743387eb1de2a3e51abc58ab450a4016eff13d20de3440b38d511097
Instruction Fuzzy Hash: DDC19F75E00218CFDB14DFA9C994B9DBBB2BF89304F2080A9E809AB355DB355E85CF51

Function 056A8588 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2836c3ea1125c13565fe3db17379f73063f6631536bf006856985d6b1dcf891a
Instruction ID: cfcd578f1e99da5ed3e134db101509281404443198e3b0e3d9310de8416a6f41
Opcode Fuzzy Hash: 2836c3ea1125c13565fe3db17379f73063f6631536bf006856985d6b1dcf891a
Instruction Fuzzy Hash: 88C19E75E00218CFDB54DFA9C994B9DBBB2BF89304F2080A9D809AB355DB349E85CF51

Function 056AF458 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23973eac322c07020cd55fa27a1082e82e32d35cb7b60b5d26072bf760da9a42
Instruction ID: 7227fda45c5d9d9f3e452463cf5a9476049060078f4d26e124fe86c54620cbcf
Opcode Fuzzy Hash: 23973eac322c07020cd55fa27a1082e82e32d35cb7b60b5d26072bf760da9a42
Instruction Fuzzy Hash: 30C1AF75E00218CFDB54DFA9C994B9DBBB2BF89304F2080A9D809AB355DB349E85CF51

Function 056A7428 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df90b1efada0df83aa3d792509c0b69973f564c4c85211f50622cea14d44c3c2
Instruction ID: ecf1491433e03b736bc8d7735ab1e6218f2c24a4008ddcc3877375e87a56a085
Opcode Fuzzy Hash: df90b1efada0df83aa3d792509c0b69973f564c4c85211f50622cea14d44c3c2
Instruction Fuzzy Hash: 34C18D75E00218CFDB54DFA9C994B9DBBB2EF89304F2080A9D809AB355DB349E85CF51

Function 056AF000 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fab63bed6e2e18d93a05a7ceefa27baa9529a80ac73ea2350dcc1642aba5588
Instruction ID: 92f2ee1edd949a868338b50a1078bcd850a301ba7435554ed39cb56620cda40a
Opcode Fuzzy Hash: 1fab63bed6e2e18d93a05a7ceefa27baa9529a80ac73ea2350dcc1642aba5588
Instruction Fuzzy Hash: 0CC1AD75E00218CFDB14DFA9C994B9DBBB2EF89304F2080A9D809AB355DB349E85CF51

Function 056A7CD8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf078d7954c9c22897b61b2b51d339a162c6638f0a7b5db33c1234a8999d86e
Instruction ID: a98d2e375aadbfc6e92b20eda3b56bda8f37b4d2e5558801b3dcb7d6999053c9
Opcode Fuzzy Hash: 0cf078d7954c9c22897b61b2b51d339a162c6638f0a7b5db33c1234a8999d86e
Instruction Fuzzy Hash: 90C18E75E00218CFDB14DFA9C994B9DBBB2BF89304F2080A9D809AB355DB355E85CF50

Function 056AF8B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4b24c1439414f3b0706ca09af3fec428fce7f333c47a8662856969cec51fb9
Instruction ID: 87210525d62d01119e9c4eba1a9f065e72550e8d23d14c333c554dbb238dd5fc
Opcode Fuzzy Hash: 3a4b24c1439414f3b0706ca09af3fec428fce7f333c47a8662856969cec51fb9
Instruction Fuzzy Hash: 85C19E75E00218CFDB54DFA9C994B9DBBB2BF89304F2080A9D809AB355DB349E85CF51

Function 056A7880 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4aae2d2bdced3f03306d92f8e0ee3cddd91797b247401bb63ada0edb73aa104
Instruction ID: fd649edac0a391b1d408244061919d2be189abb3d08fb7434fe36845bc674866
Opcode Fuzzy Hash: d4aae2d2bdced3f03306d92f8e0ee3cddd91797b247401bb63ada0edb73aa104
Instruction Fuzzy Hash: 06C18E75E00218CFDB14DFA9C994B9DBBB2EF89304F2080A9D809AB355DB355E85CF50

Function 056AE750 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4b19aaf9a817b495870099bfd2a197b0c2377bf562c50cc173d8fb51c26ecf
Instruction ID: 881489d83fc0e012cef0681146e0d6aae44e086e8d8589a54ff4f29d6c33a8f2
Opcode Fuzzy Hash: 8e4b19aaf9a817b495870099bfd2a197b0c2377bf562c50cc173d8fb51c26ecf
Instruction Fuzzy Hash: B8C1AE75E01218CFDB54DFA9C994B9DBBB2BF89304F2080A9D809AB354DB359E85CF50

Function 056A6FD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b54ad0d5130091d0e648d0a701ed21cf32b36fe1d01a039bfc8694c773803d4
Instruction ID: cb972d0b3d36f761ad9755bf97e9b8455b4be33f003b1637d480c2f8b54a00f8
Opcode Fuzzy Hash: 4b54ad0d5130091d0e648d0a701ed21cf32b36fe1d01a039bfc8694c773803d4
Instruction Fuzzy Hash: 7CC19E75E00218CFDB14DFA9C994B9DBBB2EF89304F2080A9D809AB355DB355E85CF50

Function 056AEBA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf6569ce2769348ffbf2f7bb9d8875fd0d5bb1f56d63dd7799e2d0f8abb1ab4
Instruction ID: 1f02fe4798b0e81843c8328ed9008878011a15f47d2f5cd0e7dc46a20d9ffa42
Opcode Fuzzy Hash: 5bf6569ce2769348ffbf2f7bb9d8875fd0d5bb1f56d63dd7799e2d0f8abb1ab4
Instruction Fuzzy Hash: F9C19F75E00218CFDB14DFA9C994B9DBBB2BF89304F2080A9D809AB355DB359E85CF51

Function 056A5228 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 872cdd88e37aab5404cd9fa36b07386194d9d36acf7e813599223ed7b8d19665
Instruction ID: 0daf99ce6fd3fe89380fb608dd36d50eda2c91072e11a435dfb06a157b3c8b74
Opcode Fuzzy Hash: 872cdd88e37aab5404cd9fa36b07386194d9d36acf7e813599223ed7b8d19665
Instruction Fuzzy Hash: D5C19E75E00218CFDB14DFA9D994B9DBBB2BF89304F2080A9E809AB355DB355E85CF50

Function 056A5680 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954d9ac33bf1f514bbb3db661a0fe342518f6fec26caa70b94f5a059f2ef33f1
Instruction ID: b86b0eef533685f0496cab0e0a1fff48ac0015e3b1331720bce9f81ca1cbf08e
Opcode Fuzzy Hash: 954d9ac33bf1f514bbb3db661a0fe342518f6fec26caa70b94f5a059f2ef33f1
Instruction Fuzzy Hash: 37C19175E00218CFDB14DFA9C994B9DBBB2BF89304F2081A9E809AB355DB355E85CF50

Function 056ABC50 Relevance: 5.3, Strings: 4, Instructions: 273COMMON

Download Yara Rule

Strings

(oq, xrefs: 056ABD75
(oq, xrefs: 056ABD49
(oq, xrefs: 056ABE12
(oq, xrefs: 056ABC8E

Memory Dump Source

Source File: 0000000A.00000002.2637183812.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_56a0000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq
API String ID: 0-3853041632
Opcode ID: fbb4fc41abf749f8c3d074ba151dc0a69bedb73dfd95619a40a7b2e76e0ea63c
Instruction ID: 90366c0e29997e4d2bb0923ee2d2f6c9e3dc709f35e936f0c3d070328baf987e
Opcode Fuzzy Hash: fbb4fc41abf749f8c3d074ba151dc0a69bedb73dfd95619a40a7b2e76e0ea63c
Instruction Fuzzy Hash: 88C14735A002099FDB24CF69C984AAEBBF2BF48314F148559F91AAB761D731ED41CF90

Function 01011A40 Relevance: 5.1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

Strings

Xq, xrefs: 01011A76
Xq, xrefs: 01011B2F
Xq, xrefs: 01011AB0
Xq, xrefs: 01011B7C

Memory Dump Source

Source File: 0000000A.00000002.2632659726.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1010000_tx4pkcHL9o.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: 3cde3fed6bd1faa0f29ab569e2b62daf46bce429891297e31104a1f7e2f6edaa
Instruction ID: 310a34b6786614f9f4d9acefd91f5bc61f18f2d8ab63c1e11e56cefb72a2e9c4
Opcode Fuzzy Hash: 3cde3fed6bd1faa0f29ab569e2b62daf46bce429891297e31104a1f7e2f6edaa
Instruction Fuzzy Hash: 3C319C31E0031E8FEFB9CB7884953AE7BF6BF84210F1444A5C589A7245DB348985CBD2

Analysis Process: VyaPZFtSeDDse.exePID: 7880, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	390
Total number of Limit Nodes:	21

Executed Functions

Function 0120D4E8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0120D576
GetCurrentThread.KERNEL32 ref: 0120D5B3
GetCurrentProcess.KERNEL32 ref: 0120D5F0
GetCurrentThreadId.KERNEL32 ref: 0120D649

Strings

$G'z, xrefs: 0120D514

Memory Dump Source

Source File: 0000000B.00000002.1460609479.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1200000_VyaPZFtSeDDse.jbxd

Similarity

API ID: Current$ProcessThread
String ID: $G'z
API String ID: 2063062207-299128439
Opcode ID: 874a847fd3702567a4c343821b0f163bcc674901ee645f9f488642071a07ffa2
Instruction ID: 6c2d8384b0f0bd7f4cc0c2fcd1b8fb50b58abf7c5c82e8691bb32407795ef8b8
Opcode Fuzzy Hash: 874a847fd3702567a4c343821b0f163bcc674901ee645f9f488642071a07ffa2
Instruction Fuzzy Hash: B15177B09113498FEB15CFAAD948BEEBFF1EF48304F208459E448AB391D735A944CB65

Function 0120D4F8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0120D576
GetCurrentThread.KERNEL32 ref: 0120D5B3
GetCurrentProcess.KERNEL32 ref: 0120D5F0
GetCurrentThreadId.KERNEL32 ref: 0120D649

Strings

$G'z, xrefs: 0120D514

Memory Dump Source

Source File: 0000000B.00000002.1460609479.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1200000_VyaPZFtSeDDse.jbxd

Similarity

API ID: Current$ProcessThread
String ID: $G'z
API String ID: 2063062207-299128439
Opcode ID: 2d8d497020826b3562852a727854b7d06b7835202dc58129cd6ca934a617c139
Instruction ID: b2b4cb54fc37c27a0f4a71e24e0ef5069d5b774822c264748cb41cbbbb2b4b77
Opcode Fuzzy Hash: 2d8d497020826b3562852a727854b7d06b7835202dc58129cd6ca934a617c139
Instruction Fuzzy Hash: 235155B0D11309CFEB14CFAAD948BEEBBF1EB48304F208459E549AB391D7359944CB65

Function 070858C5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07085B06

Strings

$G'z, xrefs: 0708590B
$G'z, xrefs: 0708593A

Memory Dump Source

Source File: 0000000B.00000002.1471550779.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7080000_VyaPZFtSeDDse.jbxd

Similarity

API ID: CreateProcess
String ID: $G'z$$G'z
API String ID: 963392458-3191743983
Opcode ID: 313dd05e34a03b154eff720827e8c33a6b0c7a748c972e2663b5d216d4da68a8
Instruction ID: 85853c702969e4b877b8e8ae839798570426b07c6777a0e11a6229ec02d5c867
Opcode Fuzzy Hash: 313dd05e34a03b154eff720827e8c33a6b0c7a748c972e2663b5d216d4da68a8
Instruction Fuzzy Hash: 0CA14DB1D00219CFEB64DF68CC41BEDBBF2AF48310F148669E849A7240DB749995CF91

Function 070858D0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07085B06

Strings

$G'z, xrefs: 0708590B
$G'z, xrefs: 0708593A

Memory Dump Source

Source File: 0000000B.00000002.1471550779.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7080000_VyaPZFtSeDDse.jbxd

Similarity

API ID: CreateProcess
String ID: $G'z$$G'z
API String ID: 963392458-3191743983
Opcode ID: 39859e070480b739cf6258f6e21f67c496e5c7d02af8b7bb589cf2d95fb10a4f
Instruction ID: e0064f2b4d82b331634871bc8eb02d6d452dd184c9e6086cbb97006e0da3e772
Opcode Fuzzy Hash: 39859e070480b739cf6258f6e21f67c496e5c7d02af8b7bb589cf2d95fb10a4f
Instruction Fuzzy Hash: C0914CB1D00319DFEB64DF68CC41BDEBBF2AB48310F148669E848A7240DB749995CF91

Function 02E11924 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E11A42

Strings

$G'z, xrefs: 02E1195E
$G'z, xrefs: 02E1197E

Memory Dump Source

Source File: 0000000B.00000002.1464720080.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2e10000_VyaPZFtSeDDse.jbxd

Similarity

API ID: CreateWindow
String ID: $G'z$$G'z
API String ID: 716092398-3191743983
Opcode ID: 9812a24cdc16efbdfac938b08b76d72aa8f2fa8152c2e71822b0d769e6a3dd49
Instruction ID: b4d3db99f130f485058ec71ae0a333af35bde844237f1ed097a8fb2714e102b3
Opcode Fuzzy Hash: 9812a24cdc16efbdfac938b08b76d72aa8f2fa8152c2e71822b0d769e6a3dd49
Instruction Fuzzy Hash: F051CFB1D003499FDF14CF9AC884ADEBFB5BF48314F24812AE919AB250D775A985CF90

Function 02E11930 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E11A42

Strings

$G'z, xrefs: 02E1195E
$G'z, xrefs: 02E1197E

Memory Dump Source

Source File: 0000000B.00000002.1464720080.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2e10000_VyaPZFtSeDDse.jbxd

Similarity

API ID: CreateWindow
String ID: $G'z$$G'z
API String ID: 716092398-3191743983
Opcode ID: 1a80e2c72229c3835a835e66c9f362fb9418708d0574dbb985a7e7d6a6bbc534
Instruction ID: 1b85cf3d752785f50ca99fa4099c186cc841c8eedf2296c0afcbfe5beaa45322
Opcode Fuzzy Hash: 1a80e2c72229c3835a835e66c9f362fb9418708d0574dbb985a7e7d6a6bbc534
Instruction Fuzzy Hash: 7C41CEB1D003499FDF14CF9AC884ADEBFB5BF48314F24812AE919AB250D775A985CF90

Function 0120AE59 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0120B0BE

Strings

$G'z, xrefs: 0120B077

Memory Dump Source

Source File: 0000000B.00000002.1460609479.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1200000_VyaPZFtSeDDse.jbxd

Similarity

API ID: HandleModule
String ID: $G'z
API String ID: 4139908857-299128439
Opcode ID: 9c026623f0153e2281c07e785d8a417a75c3d4c5118e1443fb87bc6566dbbec1
Instruction ID: 2aad4d80cd9f1d5433b96031a0f52c002d3d171c3489e3390099a01b9e386cde
Opcode Fuzzy Hash: 9c026623f0153e2281c07e785d8a417a75c3d4c5118e1443fb87bc6566dbbec1
Instruction Fuzzy Hash: 05915C70A107458FE726CF29D05579ABBF1FF88304F008A2DD586CB692D776E846CB91

Function 0120590D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012059C9

Strings

$G'z, xrefs: 0120594C

Memory Dump Source

Source File: 0000000B.00000002.1460609479.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1200000_VyaPZFtSeDDse.jbxd

Similarity

API ID: Create
String ID: $G'z
API String ID: 2289755597-299128439
Opcode ID: 39f019b8c5e330497e16a9f5d7f69b084aa8138b0a4161d8f3de0aa68ac93649
Instruction ID: ec0c67c97335b01ead35cd12488786e8b06c233488330e96e7d7a6536d041b36
Opcode Fuzzy Hash: 39f019b8c5e330497e16a9f5d7f69b084aa8138b0a4161d8f3de0aa68ac93649
Instruction Fuzzy Hash: 4341E170C10719CFEB25DFAAC8847CDBBB5BF49314F20816AD508AB291D7756946CF90

Function 012044E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 012059C9

Strings

$G'z, xrefs: 0120594C

Memory Dump Source

Source File: 0000000B.00000002.1460609479.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1200000_VyaPZFtSeDDse.jbxd

Similarity

API ID: Create
String ID: $G'z
API String ID: 2289755597-299128439
Opcode ID: 475125683d4aaa3b26da5e047c102cef04ffa710b213e6e075443a077c1979d9
Instruction ID: 7300cf25619f7b33ef757bd0b0cdc06da04a6bb737d3c1e0c9cffdf6f85c8f39
Opcode Fuzzy Hash: 475125683d4aaa3b26da5e047c102cef04ffa710b213e6e075443a077c1979d9
Instruction Fuzzy Hash: 3641D071C1071DCFEB25DFA9C884B8EBBB5BF49304F20815AD508AB291DB75A946CF90

Function 02E14090 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02E14151

Strings

$G'z, xrefs: 02E140A7

Memory Dump Source

Source File: 0000000B.00000002.1464720080.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2e10000_VyaPZFtSeDDse.jbxd

Similarity

API ID: CallProcWindow
String ID: $G'z
API String ID: 2714655100-299128439
Opcode ID: e3f7b616b8cb7a185fcb03739bce5ff8a7ee78151f1b01e950893b25a4dbcdbe
Instruction ID: d0c65b2e0b806fe504a0d262fed90e5f973251ea9e58a816c1ac00658c067ee5
Opcode Fuzzy Hash: e3f7b616b8cb7a185fcb03739bce5ff8a7ee78151f1b01e950893b25a4dbcdbe
Instruction Fuzzy Hash: 094109B5A00309DFDB14CF99C848AAABBF5FF88314F25C499D519AB361D375A841CFA0

Function 0549BC80 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0549BC6D,?,?), ref: 0549BD1F

Strings

$G'z, xrefs: 0549BCAD

Memory Dump Source

Source File: 0000000B.00000002.1470260108.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5490000_VyaPZFtSeDDse.jbxd

Similarity

API ID: DrawText
String ID: $G'z
API String ID: 2175133113-299128439
Opcode ID: b9c8664cecda0be54ad7e20281d999d55a0b60ba37e8f09a40e8c780d0417bd8
Instruction ID: f0f91b74595ed12c14985aa5e18d35f90c7744642f755f54efa76090bfdbae38
Opcode Fuzzy Hash: b9c8664cecda0be54ad7e20281d999d55a0b60ba37e8f09a40e8c780d0417bd8
Instruction Fuzzy Hash: B031F4B5D042499FDF14CF99E885ADEBBF5FB48210F14841AE819A7710C774A940CFA0

Function 0549A4EC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0549BC6D,?,?), ref: 0549BD1F

Strings

$G'z, xrefs: 0549BCAD

Memory Dump Source

Source File: 0000000B.00000002.1470260108.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5490000_VyaPZFtSeDDse.jbxd

Similarity

API ID: DrawText
String ID: $G'z
API String ID: 2175133113-299128439
Opcode ID: 7353bf44f6dcbd647e430cda052a8c2166a570d670b69df9ab3cbbe876f51173
Instruction ID: 0ee736c770576a30dc9798340466c825f30d95552a36e6aa4af84f87ea36ea15
Opcode Fuzzy Hash: 7353bf44f6dcbd647e430cda052a8c2166a570d670b69df9ab3cbbe876f51173
Instruction Fuzzy Hash: EA31DFB59042499FDB14CF9AE884AEEBBF5FB48210F14842EE919A7310D774A940CBA0

Function 07085240 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070852D8

Strings

$G'z, xrefs: 07085267

Memory Dump Source

Source File: 0000000B.00000002.1471550779.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7080000_VyaPZFtSeDDse.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: $G'z
API String ID: 3559483778-299128439
Opcode ID: 5602101262256d7739b48c239cb29f54a8e7e11a67fd3e0854df5e649480c145
Instruction ID: 65b3ff712b2250c15cbf8042ec476aa04ff6eb2ce6444ab914a5a2b1cbf820a2
Opcode Fuzzy Hash: 5602101262256d7739b48c239cb29f54a8e7e11a67fd3e0854df5e649480c145
Instruction Fuzzy Hash: 482148B59003599FDB50DFA9C881BDEBBF1FF48310F10842AE958A7240C7789554CBA4

Function 07085248 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070852D8

Strings

$G'z, xrefs: 07085267

Memory Dump Source

Source File: 0000000B.00000002.1471550779.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7080000_VyaPZFtSeDDse.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: $G'z
API String ID: 3559483778-299128439
Opcode ID: 03e54d5e9a90f14fe1a739439791a181436581244c08df70707f13f1de2eec4a
Instruction ID: 1cdf74066d61063e8ac1c24e007cc71605a2007a66d653dbee1ac8dfce90b616
Opcode Fuzzy Hash: 03e54d5e9a90f14fe1a739439791a181436581244c08df70707f13f1de2eec4a
Instruction Fuzzy Hash: 05212AB59003599FDB10DFAAC841BDEBBF5FF48310F108429E958A7240C7789550CB64

Function 07085330 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070853B8

Strings

$G'z, xrefs: 07085357

Memory Dump Source

Source File: 0000000B.00000002.1471550779.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7080000_VyaPZFtSeDDse.jbxd

Similarity

API ID: MemoryProcessRead
String ID: $G'z
API String ID: 1726664587-299128439
Opcode ID: 8f529a1da60cc64c37b2d345cf4bc03b1691e0e487be8685c0c21fb96db2404d
Instruction ID: ff0e5fdc50d360df6361e38e39f6238654b359abe53887491d7e6dba04d45d38
Opcode Fuzzy Hash: 8f529a1da60cc64c37b2d345cf4bc03b1691e0e487be8685c0c21fb96db2404d
Instruction Fuzzy Hash: A0212AB6C003599FDB10DFA9C9817EEBBF5FF48320F10881AE558A7640C7789541CBA5

Function 0120D738 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0120D7C7

Strings

$G'z, xrefs: 0120D75F

Memory Dump Source

Source File: 0000000B.00000002.1460609479.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1200000_VyaPZFtSeDDse.jbxd

Similarity

API ID: DuplicateHandle
String ID: $G'z
API String ID: 3793708945-299128439
Opcode ID: e4195e0de548a3be1bd6eb39b5a9d7d958ea5c539f0f6e41ac14b5c86b0aacc6
Instruction ID: 44c6678267f541a27bf95f1248615139bd12f981cf91fd1666de1fe2df4831d0
Opcode Fuzzy Hash: e4195e0de548a3be1bd6eb39b5a9d7d958ea5c539f0f6e41ac14b5c86b0aacc6
Instruction Fuzzy Hash: 6521E3B5900249EFDB10CFAAD884ADEFFF4EB48310F14841AE954A7351D378AA41CFA5

Function 070850A8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0708512E

Strings

$G'z, xrefs: 070850CC

Memory Dump Source

Source File: 0000000B.00000002.1471550779.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7080000_VyaPZFtSeDDse.jbxd

Similarity

API ID: ContextThreadWow64
String ID: $G'z
API String ID: 983334009-299128439
Opcode ID: 2de21b46db0c909157c13bb526da6560113058ae962264dddbc94891de93fa29
Instruction ID: 5d30be9275f22be59821fcd5ca56c44bafe57824bd19197bddf881fa6caf6dbf
Opcode Fuzzy Hash: 2de21b46db0c909157c13bb526da6560113058ae962264dddbc94891de93fa29
Instruction Fuzzy Hash: 742138B5D003098FDB14DFAAC9857EEBBF4AF48224F14842AD559A7340CB789545CFA4

Function 07085338 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070853B8

Strings

$G'z, xrefs: 07085357

Memory Dump Source

Source File: 0000000B.00000002.1471550779.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7080000_VyaPZFtSeDDse.jbxd

Similarity

API ID: MemoryProcessRead
String ID: $G'z
API String ID: 1726664587-299128439
Opcode ID: 83b6307c2852f71f37b14fb199b6a6532c75560bb419029c67d35adacfdd4347
Instruction ID: 515f53712efa52afb9cecfe2b2198d3ae4aaada9904cceddc7eb0348a1d3052d
Opcode Fuzzy Hash: 83b6307c2852f71f37b14fb199b6a6532c75560bb419029c67d35adacfdd4347
Instruction Fuzzy Hash: 862125B1C003499FDB10DFAAC880BEEBBF5FF48310F10842AE958A7240C7799940CBA5

Function 070850B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0708512E

Strings

$G'z, xrefs: 070850CC

Memory Dump Source

Source File: 0000000B.00000002.1471550779.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7080000_VyaPZFtSeDDse.jbxd

Similarity

API ID: ContextThreadWow64
String ID: $G'z
API String ID: 983334009-299128439
Opcode ID: f991de600c55563491a0dffdad86af3db4534c47546503494a93620f19225ee4
Instruction ID: 380c4ec3e939bb35dfd058e7312e3fd16ec46fe1e95442f696f484812e6901f7
Opcode Fuzzy Hash: f991de600c55563491a0dffdad86af3db4534c47546503494a93620f19225ee4
Instruction Fuzzy Hash: D32137B19003098FDB14DFAAC8857EEBBF4EF48210F14842AD559A7340CB789945CFA5

Function 0120D740 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0120D7C7

Strings

$G'z, xrefs: 0120D75F

Memory Dump Source

Source File: 0000000B.00000002.1460609479.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1200000_VyaPZFtSeDDse.jbxd

Similarity

API ID: DuplicateHandle
String ID: $G'z
API String ID: 3793708945-299128439
Opcode ID: 11bb1f97476f8474af7b075086b421d440b84f3f880d3fb61445d5dbfbf54203
Instruction ID: 35fc52082e592bf81a6de5cd2faeed10e8cd833ebeb3a9cfbbcd8ae6dec2e6a4
Opcode Fuzzy Hash: 11bb1f97476f8474af7b075086b421d440b84f3f880d3fb61445d5dbfbf54203
Instruction Fuzzy Hash: 0221E4B5D00248DFDB10CF9AD484ADEBBF4EB48310F14841AE914A7350C378A940CF65

Function 07084FF9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07085062

Strings

$G'z, xrefs: 07085017

Memory Dump Source

Source File: 0000000B.00000002.1471550779.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7080000_VyaPZFtSeDDse.jbxd

Similarity

API ID: ResumeThread
String ID: $G'z
API String ID: 947044025-299128439
Opcode ID: d95e8c098a1ab85f3549f6ca5dbc43559c75534507f28ef7f613c20e3da35a7a
Instruction ID: 94fa1a1163aa4ac4bf465027c5d7a6c06170d2497b9e6432f10e4e2a90ba100e
Opcode Fuzzy Hash: d95e8c098a1ab85f3549f6ca5dbc43559c75534507f28ef7f613c20e3da35a7a
Instruction Fuzzy Hash: 3B2188B5D003488FDB20DFA9C8457EEBBF4EF48210F14851AD919AB700CB399541CF94

Function 07085181 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070851F6

Strings

$G'z, xrefs: 0708519F

Memory Dump Source

Source File: 0000000B.00000002.1471550779.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7080000_VyaPZFtSeDDse.jbxd

Similarity

API ID: AllocVirtual
String ID: $G'z
API String ID: 4275171209-299128439
Opcode ID: 0b9de76015ebf506ea5ef743d5b051adfb92fb6bff3f8b92e100eb3b736ab39e
Instruction ID: 4b8f338c2fb69517860b3f6e90c3288df906a88277a46e93882114e893669ad2
Opcode Fuzzy Hash: 0b9de76015ebf506ea5ef743d5b051adfb92fb6bff3f8b92e100eb3b736ab39e
Instruction Fuzzy Hash: B01159768003499FDB20DFAAC844BDEBBF5EF48320F108819E955A7250CB759950CB91

Function 07085188 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070851F6

Strings

$G'z, xrefs: 0708519F

Memory Dump Source

Source File: 0000000B.00000002.1471550779.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7080000_VyaPZFtSeDDse.jbxd

Similarity

API ID: AllocVirtual
String ID: $G'z
API String ID: 4275171209-299128439
Opcode ID: 6b4ab74baf7efa737a06b8d6bb2892e92a49b0a847a1d2a8a311ec7d5252c7a9
Instruction ID: c0b3b2b42b08cd543e38baa110ae219310c002ffbf21fc127ca24441d99fa27a
Opcode Fuzzy Hash: 6b4ab74baf7efa737a06b8d6bb2892e92a49b0a847a1d2a8a311ec7d5252c7a9
Instruction Fuzzy Hash: DD1156728003499FDB20DFAAC844BDFBBF5EF48310F108819E555A7250CB79A540CBA4

Function 07085000 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07085062

Strings

$G'z, xrefs: 07085017

Memory Dump Source

Source File: 0000000B.00000002.1471550779.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7080000_VyaPZFtSeDDse.jbxd

Similarity

API ID: ResumeThread
String ID: $G'z
API String ID: 947044025-299128439
Opcode ID: 203a26be57bf8760251f175ad448c13684dd5028c46dfc30eaa590c100630c56
Instruction ID: 3a86e044b6568a8c971d69e1dee44176c6badb932b068145f178da09ae5f3dac
Opcode Fuzzy Hash: 203a26be57bf8760251f175ad448c13684dd5028c46dfc30eaa590c100630c56
Instruction Fuzzy Hash: FC1128B5D003488FDB24DFAAC8457EEFBF4EF48210F248419D559A7240CB79A544CFA5

Function 0120B058 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0120B0BE

Strings

$G'z, xrefs: 0120B077

Memory Dump Source

Source File: 0000000B.00000002.1460609479.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1200000_VyaPZFtSeDDse.jbxd

Similarity

API ID: HandleModule
String ID: $G'z
API String ID: 4139908857-299128439
Opcode ID: 91762da08df193c239ea2478082a56845f3eed22b49667ceec16342f6238841f
Instruction ID: 6d8f512718fe6f8e3f547fc6987d75c5704f0b03ff61941ea10901a380d967eb
Opcode Fuzzy Hash: 91762da08df193c239ea2478082a56845f3eed22b49667ceec16342f6238841f
Instruction Fuzzy Hash: EB1110BAC00249CFDB20CF9AC444BDEFBF5EF88210F10851AD928A7640D379A545CFA5

Function 0708552C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07088B2D

Strings

$G'z, xrefs: 07088AEA

Memory Dump Source

Source File: 0000000B.00000002.1471550779.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7080000_VyaPZFtSeDDse.jbxd

Similarity

API ID: MessagePost
String ID: $G'z
API String ID: 410705778-299128439
Opcode ID: 643198e37f06231b8cdf5ceab0e74671e551f1d19a54f1392355ebe3df1ae787
Instruction ID: 7e7ab4877f291884432951eff5788f41b764b64001eaa4f4c30ed141ee85e3d9
Opcode Fuzzy Hash: 643198e37f06231b8cdf5ceab0e74671e551f1d19a54f1392355ebe3df1ae787
Instruction Fuzzy Hash: 9311F2B5800349DFDB20DF9AD485BDEBBF8EB48320F108419E958A7740C375A944CFA5

Function 07088ACA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07088B2D

Strings

$G'z, xrefs: 07088AEA

Memory Dump Source

Source File: 0000000B.00000002.1471550779.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7080000_VyaPZFtSeDDse.jbxd

Similarity

API ID: MessagePost
String ID: $G'z
API String ID: 410705778-299128439
Opcode ID: be8db98ed74371a62b157ec849d85eca3aed27b24f68384244806aa8119df718
Instruction ID: 482613e67fe62e11602d0f809967b3e26c687e02f02805e4950211094d2e6d71
Opcode Fuzzy Hash: be8db98ed74371a62b157ec849d85eca3aed27b24f68384244806aa8119df718
Instruction Fuzzy Hash: E41103BA800249DFDB20DF99D545BDEFBF4EB48310F20881AD558A7740C375A544CFA5

Function 02E1EE30 Relevance: 1.7, APIs: 1, Instructions: 199COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000014,?,?,03E44104,02E6093C,?,00000000), ref: 02E1EFBE

Memory Dump Source

Source File: 0000000B.00000002.1464720080.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2e10000_VyaPZFtSeDDse.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d68d1c507c8df8a6aee4267af05a44174913e85a9cc99c82e5747e8264d89b02
Instruction ID: 55e1c2eab21511ed99f3c017a8b03f536102f4b5672e279a7a0f68eefe11669d
Opcode Fuzzy Hash: d68d1c507c8df8a6aee4267af05a44174913e85a9cc99c82e5747e8264d89b02
Instruction Fuzzy Hash: 7181CF74A41208EFCB15DFA9D894DAEBBB2AF49314F1590A8F902AB361C731EC41CF50

Function 0105D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1460211273.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_105d000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb262ae38a979fb268e32c34b82216b6f2aa6588b79a42086873a45b3137a712
Instruction ID: cc2d4e2d57a363c128079fdeeb9259e06f51dd83ee7b00065089015d881bf8b4
Opcode Fuzzy Hash: fb262ae38a979fb268e32c34b82216b6f2aa6588b79a42086873a45b3137a712
Instruction Fuzzy Hash: 4A21E272504200DFDB959F94D9C0B2BBBA5FB98324F20C5AAED490B256C336D416CBA2

Function 0106D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1460281243.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_106d000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e76e6ebc480be2b75125714316923cac75acefe462395b275b8eb7e2854508
Instruction ID: 83355c398700076724db4f460a25cff8276cd282eb6858a969966c5837c830b8
Opcode Fuzzy Hash: a8e76e6ebc480be2b75125714316923cac75acefe462395b275b8eb7e2854508
Instruction Fuzzy Hash: B3212571A04200EFDB15DF94D5C0B25BBA9FB84324F24C5ADE8894F292C336D446CB61

Function 0106D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1460281243.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_106d000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9813cd25c3012c7bafd4bfb9e5a79dc34c1e9440bd0d75e915d156668a289d8
Instruction ID: 9af2f4e7a5a9a591d24fa49e7222ca88122f0aaef50cd104cbf91f13d51db06b
Opcode Fuzzy Hash: f9813cd25c3012c7bafd4bfb9e5a79dc34c1e9440bd0d75e915d156668a289d8
Instruction Fuzzy Hash: 07210371604300DFEB15DF64D580B26BBA9EB84314F20C5ADE98A0F292C336D407CB62

Function 0106D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1460281243.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_106d000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c4fc777ed8f43efc051bcce8dba5e71221c8b549c1c78c33874aeabbfac00d
Instruction ID: c472a14fe7e8ac948d312396a2de0d03f01ec5aebb7ff9c442b3e31db8139321
Opcode Fuzzy Hash: 14c4fc777ed8f43efc051bcce8dba5e71221c8b549c1c78c33874aeabbfac00d
Instruction Fuzzy Hash: 422183755093809FDB12CF64D590715BFB1EB46214F28C5DAD8898F6A7C33A980ACB62

Function 0105D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1460211273.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_105d000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63590c6d4b85089a62ccbb5b73be6abf778bad766966e0b930af7b7dfcf8d66b
Instruction ID: 5cef1a3c940c95f516cc295eda5f8da22a63ba56af445725dffc64adf08bfce7
Opcode Fuzzy Hash: 63590c6d4b85089a62ccbb5b73be6abf778bad766966e0b930af7b7dfcf8d66b
Instruction Fuzzy Hash: 6421CDB6404240DFDB46CF44D9C4B16BFA2FB84320F24C5AADD480B656C33AD426CBA2

Function 0106D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1460281243.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_106d000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: c31fdde6ead0109bd15ae0f87611f8c33b83a913a2fe0ba2cf7d2895e39d9e1a
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: EF11BBB5A04280DFDB16CF54D5C0B15FFA1FB84324F28C6A9D8894B696C33AD44ACB62

Function 0105D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1460211273.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_105d000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d9ea7c08ffe4c073ff79e6766a3a7db3c0e0e93a8687227149c31eeb5f7e86f
Instruction ID: c0b179cc98737b99a21024acd35b48d31679716ff309a089f46779561b9e637f
Opcode Fuzzy Hash: 9d9ea7c08ffe4c073ff79e6766a3a7db3c0e0e93a8687227149c31eeb5f7e86f
Instruction Fuzzy Hash: 1601F7310043889AF7A04F69CD84B6BBBD8FF41664F04855BED880E282E2399441CBB2

Function 0105D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1460211273.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_105d000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b9ad68a832c3ccd5d993dd86572546b27af494b09ff83c978c9bda01f77651
Instruction ID: ca55b0e6f5ae6d0a8b9bf2cd276d0429f4b3eb76ace258adc5dd7de33dbedd01
Opcode Fuzzy Hash: 95b9ad68a832c3ccd5d993dd86572546b27af494b09ff83c978c9bda01f77651
Instruction Fuzzy Hash: 9DF06271404384AEE7608E19C988B67FFD8EB41634F18C55BED484F287D2799844CBB1

Non-executed Functions

Function 054909D2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 05490A2E
GetSystemMetrics.USER32(00000006), ref: 05490A68

Strings

$G'z, xrefs: 054909F7

Memory Dump Source

Source File: 0000000B.00000002.1470260108.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5490000_VyaPZFtSeDDse.jbxd

Similarity

API ID: MetricsSystem
String ID: $G'z
API String ID: 4116985748-299128439
Opcode ID: b92311740cd7c7f4d6db1a71831161ed40e106ae29412e185e0d70cf3fadb9a9
Instruction ID: a3468cdeae5d304371a33fe8d2bc719d5b9bf166db6e7352dd714167781732bd
Opcode Fuzzy Hash: b92311740cd7c7f4d6db1a71831161ed40e106ae29412e185e0d70cf3fadb9a9
Instruction Fuzzy Hash: C12135B2901348CFEB24CF99D44A7AEBFF4EB18314F21845AD149AB380D3755544CFA6

Function 0549E359 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000050), ref: 0549E3EB

Strings

4'q, xrefs: 0549E3A4
$G'z, xrefs: 0549E387

Memory Dump Source

Source File: 0000000B.00000002.1470260108.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5490000_VyaPZFtSeDDse.jbxd

Similarity

API ID: MetricsSystem
String ID: $G'z$4'q
API String ID: 4116985748-455860590
Opcode ID: e4f4021fdbf4a055fbbb0cd8ac84c57a4c039d60c46bbd74b9b7d5be66f4b8f9
Instruction ID: 0a0c0329fc38d07c2c11e4fdb849c400b75457bc0de6391ba95b5be54a0921f3
Opcode Fuzzy Hash: e4f4021fdbf4a055fbbb0cd8ac84c57a4c039d60c46bbd74b9b7d5be66f4b8f9
Instruction Fuzzy Hash: BC2166B5C043599FDB14DFAAE8056EEBBF4EB08310F10855AE419B7381C3346900CFA5

Function 0549E368 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000050), ref: 0549E3EB

Strings

4'q, xrefs: 0549E3A4
$G'z, xrefs: 0549E387

Memory Dump Source

Source File: 0000000B.00000002.1470260108.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5490000_VyaPZFtSeDDse.jbxd

Similarity

API ID: MetricsSystem
String ID: $G'z$4'q
API String ID: 4116985748-455860590
Opcode ID: 9b4f1633f7e743edc3df81c2f69d7ccba79f70d2fe1304e78c32be73ed4a7461
Instruction ID: 17b6fcaaf313891c00052844705dc03672a0419bcf6880eeb694864ddf6a85a2
Opcode Fuzzy Hash: 9b4f1633f7e743edc3df81c2f69d7ccba79f70d2fe1304e78c32be73ed4a7461
Instruction Fuzzy Hash: 002134B5D0035A8FDB14DFAAE8456EEBBB4FB08320F10855AE819B7380C7346904CFA5

Analysis Process: VyaPZFtSeDDse.exePID: 5740, Parent PID: 7880COMMON

Executed Functions

Function 00C6C530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 00C6F910

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 835dc511c821d8c29b4c5c490893ae92be62e1c5748d9287ee8c781aa82a5f46
Instruction ID: 3f961e79e58ecffe843f6633da8b06a2f69d29060a91b2062792c6e5b09e2d45
Opcode Fuzzy Hash: 835dc511c821d8c29b4c5c490893ae92be62e1c5748d9287ee8c781aa82a5f46
Instruction Fuzzy Hash: 8F73F831D1075A8EDB21EF68C984A99FBB1FF95300F51C6DAE45867121EB70AAC4CF81

Function 00C62DD1 Relevance: 2.9, Strings: 2, Instructions: 404COMMON

Download Yara Rule

Strings

$q, xrefs: 00C62DF6
Xq, xrefs: 00C62E0F

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID: Xq$$q
API String ID: 0-855381642
Opcode ID: 2e7a01d06ff5669f6433d15d68784bf0d7378f59bc9b1a7b59d5836754031291
Instruction ID: c89d7bce1483facecde1da50002d8632a596d08931fa4336088804fb87e6db7a
Opcode Fuzzy Hash: 2e7a01d06ff5669f6433d15d68784bf0d7378f59bc9b1a7b59d5836754031291
Instruction Fuzzy Hash: 2DE17134E04288DFDB18DFB9D8946AEBBB2BF89310F148569E406EB394DF349941CB51

Function 00C69480 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f2474bb1c38908a050a475deb398c8bab5b1a2e2d068f745169c206e020108
Instruction ID: dd15cad7a6188241d5f7216667c52e58e3b3ed2a9e246d5950cbbc49a072322e
Opcode Fuzzy Hash: 73f2474bb1c38908a050a475deb398c8bab5b1a2e2d068f745169c206e020108
Instruction Fuzzy Hash: D5C19074E01218CFDB24DFA5D994B9DBBB2FB89300F2081A9E809AB355DB355E85CF50

Function 00C6C49F Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e4669f91675bec0600561f00476aa2b64788e0be43a1b6c974b984899d9a0a
Instruction ID: 672e7c62a341cc6ac383bb686237867bcb1f9cc8f79749da3f935e53d2e2967b
Opcode Fuzzy Hash: c7e4669f91675bec0600561f00476aa2b64788e0be43a1b6c974b984899d9a0a
Instruction Fuzzy Hash: 28B12671D116198FDB20DFA9C8847EDFBB1EF89304F10C2AAE45867261EB709A85CF41

Function 00C6C521 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73dc320dd9e89734235554fa7f9f2a4139f31a070a6b3938a5c477627304d3eb
Instruction ID: d949f0f200a59fcb3805221425f87a5e1ac46767286e78cf5de6292df8ee783e
Opcode Fuzzy Hash: 73dc320dd9e89734235554fa7f9f2a4139f31a070a6b3938a5c477627304d3eb
Instruction Fuzzy Hash: 96A11571D016198FDB24DFA9C8847EDFBB1EF89304F14C2AAE45867261EB709A85CF41

Function 00C69A30 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f2dd6227db1845b86e3389e10214ee890f0b46dd26fe2fda836c38e8dfa5aa
Instruction ID: ed8837d988adf7fa62da9b8c901cc0b14df51cd179aea896614ef7e8f4d9d87d
Opcode Fuzzy Hash: 18f2dd6227db1845b86e3389e10214ee890f0b46dd26fe2fda836c38e8dfa5aa
Instruction Fuzzy Hash: A4A11670D00208CFEB24DFA9D588BDDBBB1FF89311F248269E419AB291DB749985CF54

Function 00C69D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78c02632b598edfe5cb3a25fbdf8a715b94c82b064e406018561a8accb93ee6
Instruction ID: 1c1d4350617ce67830e9b1ba1b578782fe39dd67d3b822fb3b6a144ffb4ca1ae
Opcode Fuzzy Hash: e78c02632b598edfe5cb3a25fbdf8a715b94c82b064e406018561a8accb93ee6
Instruction Fuzzy Hash: F0910770D00208CFEB24DFA9D9887DCBBB5FF89311F208269E419AB291DB759985CF54

Function 00C6946F Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e35eb3722302745c0e939adcf800e5fe607211ba47885e0f23ce74f50a8d852
Instruction ID: 7ab3053871c30515cb42515ce4d1b0502b5873138237fcc2d4d465a56b0e4fcd
Opcode Fuzzy Hash: 6e35eb3722302745c0e939adcf800e5fe607211ba47885e0f23ce74f50a8d852
Instruction Fuzzy Hash: 9141D274D05248CBEB18DFAAD5546ADFBB2FF89300F24C12AD815AB298DB345945CF10

Function 00C619B8 Relevance: 8.4, Strings: 6, Instructions: 865COMMON

Download Yara Rule

Strings

Xq, xrefs: 00C61B2F
Xq, xrefs: 00C62C95
Xq, xrefs: 00C61B7C
Xq, xrefs: 00C62CBE
Xq, xrefs: 00C61AB0
Xq, xrefs: 00C61A76

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq$Xq$Xq
API String ID: 0-905847027
Opcode ID: 27bff674dc5789f5dd5fef49432288cea54a3677aed03db25e219fe0356cfa82
Instruction ID: e713f1d895d24ab4e3826af2748141c9d32d5225a371a2aa059134616f7f9664
Opcode Fuzzy Hash: 27bff674dc5789f5dd5fef49432288cea54a3677aed03db25e219fe0356cfa82
Instruction Fuzzy Hash: 61627B12A192C1CFE72707388CA47957FE59B27262F4A01CAC4D59F2E3D6A90A47C737

Function 00C6B500 Relevance: 6.6, Strings: 5, Instructions: 388COMMON

Download Yara Rule

Strings

8q, xrefs: 00C6B941
Hq, xrefs: 00C6B749
Hq, xrefs: 00C6B54E
Hq, xrefs: 00C6B6EA
TJq, xrefs: 00C6B97A

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID: 8q$Hq$Hq$Hq$TJq
API String ID: 0-768243005
Opcode ID: 28848df88c3fb1f58a5603e4adbfd6e951e22a6428e2c8c189ae825daba3bd86
Instruction ID: c26252b5d665f31ec414861216414cf1e1f8745f259d79385bfd9b7099a83d85
Opcode Fuzzy Hash: 28848df88c3fb1f58a5603e4adbfd6e951e22a6428e2c8c189ae825daba3bd86
Instruction Fuzzy Hash: 53D1E831B042048FDB25DB68D491BAE7BB6EFC9320F244165E506EB391DB31DD82CB91

Function 00C63F78 Relevance: 6.4, Strings: 5, Instructions: 124COMMON

Download Yara Rule

Strings

PHq, xrefs: 00C640E1
0oKp, xrefs: 00C63FDA
LjKp, xrefs: 00C64078
LjKp, xrefs: 00C64088
PHq, xrefs: 00C640F2

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID: 0oKp$LjKp$LjKp$PHq$PHq
API String ID: 0-2065946399
Opcode ID: 5111a4dd434be251317038d2cad7469874887c4e56c1a8d6b469a33c7e89ffbc
Instruction ID: 2191391d40723e2680099bb3a8eae0b69bbe0b3446153ec93a6c0cf97bdec1fd
Opcode Fuzzy Hash: 5111a4dd434be251317038d2cad7469874887c4e56c1a8d6b469a33c7e89ffbc
Instruction Fuzzy Hash: 0A51C474E00218DFDB58DFAAD584A9DBBF2BF89311F248429E815BB364DB34A941CF10

Function 00C6AD3D Relevance: 5.6, Strings: 4, Instructions: 562COMMON

Download Yara Rule

Strings

Hq, xrefs: 00C6B239
, xrefs: 00C6B065
Hq, xrefs: 00C6B206
Hq, xrefs: 00C6B1D3

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID: $Hq$Hq$Hq
API String ID: 0-1373062214
Opcode ID: d42735d7a57bf05edcc63c0ec1b5911bf2b8abe97447f9ee1fa11d8d5400cad2
Instruction ID: 3f371cfb4c54727e027a0a734fa73c44a79f8600fa7a6df3f7227cf44fe64ca6
Opcode Fuzzy Hash: d42735d7a57bf05edcc63c0ec1b5911bf2b8abe97447f9ee1fa11d8d5400cad2
Instruction Fuzzy Hash: D8A1D8317042449FDB255F78E89926E7BA2EFC6320F24422AE926D73D1CF359D81C791

Function 00C6B869 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

8q, xrefs: 00C6B941
TJq, xrefs: 00C6B97A

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID: 8q$TJq
API String ID: 0-1436491226
Opcode ID: cad5029d99b48da5178a6223e1241c519db9c4bb9b5b925cfcffcc0f14bf69fb
Instruction ID: ea9eeb26e7b0a84281ae19f360ac892f70dfe655ecb6e9d647b880db80e39f81
Opcode Fuzzy Hash: cad5029d99b48da5178a6223e1241c519db9c4bb9b5b925cfcffcc0f14bf69fb
Instruction Fuzzy Hash: 5E310435B002088FDB55DFA8D491EADBBB2EF88320F295054E501EF361DB71ED828B91

Function 00C6B89D Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

8q, xrefs: 00C6B941
TJq, xrefs: 00C6B97A

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID: 8q$TJq
API String ID: 0-1436491226
Opcode ID: 808da55e8a26a652a38f1a51faca4c64045dad3c4f45715891305b76158b6bc9
Instruction ID: a12d833ac9b1b0ebd042e349f9c6b0d5abb68bf5d4416684dc47e0c274481608
Opcode Fuzzy Hash: 808da55e8a26a652a38f1a51faca4c64045dad3c4f45715891305b76158b6bc9
Instruction Fuzzy Hash: F4311635B002088FDB55DFA8D491E9DBBB2EF88324F295054E501EF361DB71ED828B91

Function 00C60B20 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

LRq, xrefs: 00C60B62

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 7f1e91606dcc6839c2acda300e95c8524d1538111cf18fede9fb95204dc1d9b7
Instruction ID: 96f5e043e39f2ea8fe236ec0943c45db7f6488d0514080fa7934995d14dba356
Opcode Fuzzy Hash: 7f1e91606dcc6839c2acda300e95c8524d1538111cf18fede9fb95204dc1d9b7
Instruction Fuzzy Hash: E2A1BB78E05209CFCF15EFA8E99599DBBB1FB88301B104529E415AF369EB306D06CF81

Function 00C60B30 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

LRq, xrefs: 00C60B62

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 266bddf9903e741b9fe6f101a66343411200dec43233a6bda8f8d6951fc2acbd
Instruction ID: 29bdee5c56ece19a0c3f049fe07a19e66e87f7ec02e2550ec757eb661f92acdc
Opcode Fuzzy Hash: 266bddf9903e741b9fe6f101a66343411200dec43233a6bda8f8d6951fc2acbd
Instruction Fuzzy Hash: 1AA1AB78E05209CFCF15EFA8E99599DBBB1FB88301B104529E415AF369EB306D06CF81

Function 00C6BCE8 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

Hq, xrefs: 00C6BD2D

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID: Hq
API String ID: 0-1594803414
Opcode ID: 7c3c1b61046740873becb3f5ee1bb436bed6650628dfcf2a7727c03e48e1aaaa
Instruction ID: 1f250b655ab426e1badd4065bc33b4660edfeb4f7daa00897028f1c567329315
Opcode Fuzzy Hash: 7c3c1b61046740873becb3f5ee1bb436bed6650628dfcf2a7727c03e48e1aaaa
Instruction Fuzzy Hash: 09218171A001089FDB48EFB8D955AAF7BB6EFC8310F20857AE519D7255DB309E01CB90

Function 00C6BE30 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

Hq, xrefs: 00C6BE36

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID: Hq
API String ID: 0-1594803414
Opcode ID: 0b47bcbe6f1c8c774770cecfd562d565b758656a0a0f47edd863daeec1d4e7b2
Instruction ID: e81ba938abb41864db7305b474996bd3d720514cb95a3bf3e786f78763843841
Opcode Fuzzy Hash: 0b47bcbe6f1c8c774770cecfd562d565b758656a0a0f47edd863daeec1d4e7b2
Instruction Fuzzy Hash: 6301DE317002448FDB05EFB8D89569E7BA2EF8A300F60847AE106873A2CA369D46CB40

Function 00C6BF6F Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c00e97a5744aa6f58a58f82e286b9516cdb638a98f38db7c74075416f85ba25f
Instruction ID: 3d811b3930588e2ba98094556cedfc39142da8050f0dd7f4154e582377961a60
Opcode Fuzzy Hash: c00e97a5744aa6f58a58f82e286b9516cdb638a98f38db7c74075416f85ba25f
Instruction Fuzzy Hash: EA51F772A002059FCB249B79D8C4ABBBBF5EBC9324F14852EE469D7740D631DD018BA0

Function 00C63168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d577c2fa50a3bdfc7e0d7b7790f9846707d6fa8ca7337167e55840e31a26729f
Instruction ID: ddc7119d3b4ddec88c91d1036950fec52020f3e4ca73d64f213c3973541b59a8
Opcode Fuzzy Hash: d577c2fa50a3bdfc7e0d7b7790f9846707d6fa8ca7337167e55840e31a26729f
Instruction Fuzzy Hash: 3641CFB4E01248CFDB18DFAAD89499DBBF2BF89310F249429E805BB364DB309945CF14

Function 00C69249 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5f31c0ec8c0914c1d10abd73521834d43178a0912b665ecb875a35e2022c2b
Instruction ID: 7863dcd762f21cb83513db033cd79c304fc31a63d63df6b4a4e64bd01cfa39b1
Opcode Fuzzy Hash: 6c5f31c0ec8c0914c1d10abd73521834d43178a0912b665ecb875a35e2022c2b
Instruction Fuzzy Hash: C531C07106220FCFD2603FA1B9ED67ABBB5FB8F3137446C00E41A90622DB7868C58B55

Function 00C618C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351ef63d4b5cc82d8e982dc5726bf653403aadd1a9768f331863b44d4f8c888a
Instruction ID: ff11c85a937949746c9e6aa3b8b0f7e22a5e49b8ff1af6dfe11d4a1b6c81ca85
Opcode Fuzzy Hash: 351ef63d4b5cc82d8e982dc5726bf653403aadd1a9768f331863b44d4f8c888a
Instruction Fuzzy Hash: CF21C431A002159FCB24DF38C890AAE3BB5EB99350B68C519DD199B394EB31EE05CBC1

Function 00BDD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2631853885.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_bdd000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee4bfd15ecadfb33f524e923921413c8a8e7ef469dc7097ad22de0c763232dd
Instruction ID: 2c4ea605dc3bf5ad68f571c655d1701d66ea0991db9c86f966914baf68c91613
Opcode Fuzzy Hash: 5ee4bfd15ecadfb33f524e923921413c8a8e7ef469dc7097ad22de0c763232dd
Instruction Fuzzy Hash: 0C21D371504204DFDB14DF14D9D0B26FBA5EB84314F24C5AEE9894B392D336D847CA62

Function 00C60EC8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79edf17b664d00410c684305cf42242de84307990345fcc700cb79bf9a66689
Instruction ID: 5d2f50da445d7e05b5b03ee587c20ace59665eb965ee1d7ab92e61fbd16f060f
Opcode Fuzzy Hash: c79edf17b664d00410c684305cf42242de84307990345fcc700cb79bf9a66689
Instruction Fuzzy Hash: 0A21D670E042089FCB15EFB9C5903AEB7B2EF85300F1084ADA4156B391DB748A41DF41

Function 00BDD005 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2631853885.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_bdd000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62bda14e93553681ab86cb6f4da103bbdc396d5759da0f9afe6f51ee88867da6
Instruction ID: 4998316c1baac299984f0441154ffcad22463943e23bf96ebfe42b472c737ba1
Opcode Fuzzy Hash: 62bda14e93553681ab86cb6f4da103bbdc396d5759da0f9afe6f51ee88867da6
Instruction Fuzzy Hash: CE215C755093C09FCB17CF20C9A0715BF71AB46214F28C5DBD8898B6A3D33A980ACB62

Function 00C617B8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edfb1c59780fc7ef34b7c310224aaca0464441616a38d37db482b10f1fa5a92d
Instruction ID: ed40566f42ccf08307e029fa1a095655efbf054d448976658ba83828289f75f5
Opcode Fuzzy Hash: edfb1c59780fc7ef34b7c310224aaca0464441616a38d37db482b10f1fa5a92d
Instruction Fuzzy Hash: BA212570C052498FCB11DFB8D8945EDBFF0EF4A301F1845AAD805B7261EB304A85CBA1

Function 00C6BB46 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095c8e27a8e9f14a4838e0de1799ded40a87dde97d37ebdb64ffa06b09e3b63d
Instruction ID: 38163a0c7b94b6597dc492a102c5dcd880ac064c043f7d771bb681d7e4269a15
Opcode Fuzzy Hash: 095c8e27a8e9f14a4838e0de1799ded40a87dde97d37ebdb64ffa06b09e3b63d
Instruction Fuzzy Hash: F9118C367002008FD724DB6AD984A66B7E6EFC8721B208069E15ACF365CB71ED41CB50

Function 00C6C108 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b5eb4b83149337872794c94248a6e797e2167c919318e8174aa9e06ae6da85
Instruction ID: 1c859b5d857cacf75fa13a6096225376aea91d1b6c8d07319a43b36689ad4c93
Opcode Fuzzy Hash: f6b5eb4b83149337872794c94248a6e797e2167c919318e8174aa9e06ae6da85
Instruction Fuzzy Hash: 7011A075E002098BCB24EFB9D8C46AEBBF1AF89310B14413AD459E3201DB319C418BE1

Function 00C64850 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c93b9f6fe315515c1124f66ce3d0b9dfa86aca056681a4edf917c623d2c189a
Instruction ID: 51efd896fdc9aaf49ca925f7f69eea1efd7af61563b75a7c78805b862b55c085
Opcode Fuzzy Hash: 4c93b9f6fe315515c1124f66ce3d0b9dfa86aca056681a4edf917c623d2c189a
Instruction Fuzzy Hash: DF01B132F043444FDB289B7A889467B7BEBAF88354315853AD905CB7A8FE34CC018750

Function 00C64860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c207718cb75d0052d25c8edac562ff5bd9ad2947ba3456f3897bd1934782d9
Instruction ID: 72cc1ba261ee5c878735f6eb470fd0f331b3f6f5b24fc93ca981846aeb3b0210
Opcode Fuzzy Hash: 58c207718cb75d0052d25c8edac562ff5bd9ad2947ba3456f3897bd1934782d9
Instruction Fuzzy Hash: AF016232F003144BDB28AB7A585462F7BDBAFC87643154439D905C7758FE70CC018791

Function 00C6BEE9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca070d0b067fac57147425c119904842ec8e1152ae052606e57cbb38690dd858
Instruction ID: 25c0229c6f265b2d751f95fd19c5a6276a245442e3e03fdc402e70e2590bd982
Opcode Fuzzy Hash: ca070d0b067fac57147425c119904842ec8e1152ae052606e57cbb38690dd858
Instruction Fuzzy Hash: 50012B327042045BCB196FB4F85D6AD3FA6EBC5720B24442BE506C7291DE39CD52DBC1

Function 00C6A508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7cd26b6a01fde9e4d0f7561fc3172826121b586cf83991fde880de810ca3fc5
Instruction ID: 601bac8f7fec78b6ad5635a69409db34a04b237e186534d554ddc2a63cb77e66
Opcode Fuzzy Hash: c7cd26b6a01fde9e4d0f7561fc3172826121b586cf83991fde880de810ca3fc5
Instruction Fuzzy Hash: 51015275E0020D9FCF14DFA9E8546AE7BB5FBC8310B50442AE92697251DB349D10CBA1

Function 00C6BB48 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5b3936ee16c646900dda2bf896dbee50ee9fce95d3309c163b9b3b81fd6b93
Instruction ID: 96b6703682f72f7bef0ddb368ab75b66f8fbc33b7f8d130970fce0d5315e97a5
Opcode Fuzzy Hash: ab5b3936ee16c646900dda2bf896dbee50ee9fce95d3309c163b9b3b81fd6b93
Instruction Fuzzy Hash: B70156317002008FD724DB6AD998B26B7E6EFC9721F218069E15ACB365CBB0ED80CB50

Function 00C6A4F9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af5a6a8db2a5723da28d91bef71bdc6eaf83206278edab05fdc8576257ca226
Instruction ID: ccc7ed824d3a60023e98b3ce25aecb8bdbd05f75000af122de07ee2722f1c2f1
Opcode Fuzzy Hash: 8af5a6a8db2a5723da28d91bef71bdc6eaf83206278edab05fdc8576257ca226
Instruction Fuzzy Hash: 3F017175A0051A9FCB54DFA8E8949EE7FB5FB88310B10412AE929D3251D7308D10CB92

Function 00C6C1A0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bfa2ba38a3ff4d2aa1aa5a2855dd1f16570560bff546696a8b33f20a85c74c8
Instruction ID: 97087d2a912462ba86f2ac943ebafbb4582bdfc05f83844e06d14e544f85df7d
Opcode Fuzzy Hash: 5bfa2ba38a3ff4d2aa1aa5a2855dd1f16570560bff546696a8b33f20a85c74c8
Instruction Fuzzy Hash: 09F0E272B005114BCB295B69F8956AEBBA9EFC5330B04007AF108EB351DF31CC028790

Function 00C6B9EE Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32fdd287f2635b7b4968e9747fc2ff24c42e9111bff39e9d81f40617387a2d8
Instruction ID: ffc5b4e41dc3ecba5844add049d75be006bd3ffd598d9c8e2cc7611396e5ed28
Opcode Fuzzy Hash: b32fdd287f2635b7b4968e9747fc2ff24c42e9111bff39e9d81f40617387a2d8
Instruction Fuzzy Hash: 2CF0B476E04204AF9B60DFA998815EFBBF5FB88250B14413AE509D3201E7709A0697D1

Function 00C6BE98 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd765359fc36704cee75aca48cf28ca714e51530a87fc583a88f30be2d23ce71
Instruction ID: 158420b2e81981b34a044a803d2107391dc82620663966243972249b08152c1b
Opcode Fuzzy Hash: cd765359fc36704cee75aca48cf28ca714e51530a87fc583a88f30be2d23ce71
Instruction Fuzzy Hash: E1F05E35300205DFC710CF5AD484D6ABBEAFF887257604069E609C7330CB71AC51CB80

Function 00C646C9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 824287cbd417476f84b268b9cec5451500a3577fe90462b927808bf7cdc4c6e4
Instruction ID: 372508a74a26424097c3ac98ce30ea392e9c34e073f4482b13f5c87becf55a1a
Opcode Fuzzy Hash: 824287cbd417476f84b268b9cec5451500a3577fe90462b927808bf7cdc4c6e4
Instruction Fuzzy Hash: 56E0A579167B428FE3222B60BDBC36ABB75EB1B31BB492C43E05A82471EF7044458B10

Function 00C6BE96 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2977999b9ae8f02303b9d8264fe02bbfc21e82f0eca51fe5d59fd6306669f649
Instruction ID: 9c3cef6bedcb08ce88929b4a578cc82fd50dbc29904c4fae638236ad21d594a9
Opcode Fuzzy Hash: 2977999b9ae8f02303b9d8264fe02bbfc21e82f0eca51fe5d59fd6306669f649
Instruction Fuzzy Hash: D0E0D831301205DFC7108F5AE484D9ABBA6FFC8325B504039F618C7230CB728C51CB80

Function 00C646D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f63b9564db09c53254d0722ac9c16fc3c0561bde133732a82884e2e691eeb1e
Instruction ID: 91d47a3a93bc0c6bea5c678c5d2eb653b79b1b94dded7860a1223f62d47dc7a4
Opcode Fuzzy Hash: 3f63b9564db09c53254d0722ac9c16fc3c0561bde133732a82884e2e691eeb1e
Instruction Fuzzy Hash: 6EE00275067B068FE3252B61BDBC73AFB75EB1B31BB906D02A11E82431AF708454CA54

Function 00C61877 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c9021b09e7aa8970b20ceb10756d93838a5558d43f29d3308bc4978862ad3b
Instruction ID: 089f6eeb43194924f49d0e72d1bdad8948d230fd1b7567bab0a983cea632a911
Opcode Fuzzy Hash: a4c9021b09e7aa8970b20ceb10756d93838a5558d43f29d3308bc4978862ad3b
Instruction Fuzzy Hash: 0BE0D831EA03668BCB0297A49C440EE7B349D812117144253C024771D1EB20551AC6D2

Function 00C61888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9ea9e48b5b4384175317c2d5993d4a386aee139e3b6c8c95fc79e1cc7a7643
Instruction ID: 01bee33d49dbe891f419d92e91c8902dac4829102c03bb42200e91b9da9e6017
Opcode Fuzzy Hash: af9ea9e48b5b4384175317c2d5993d4a386aee139e3b6c8c95fc79e1cc7a7643
Instruction Fuzzy Hash: 46D05B31D2033A57CB10E7A5DC044DFFB38EED5321B514666D51437144FB706659C6E1

Function 00C6BCD8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92825ed7e826f2a4ed811b25677a7254512b3c0aa76e8be73d9b32923621edfa
Instruction ID: a7f1b9292fc97c1715b7799e89d9b80cc50e77be5218d93a43d802d29a82df82
Opcode Fuzzy Hash: 92825ed7e826f2a4ed811b25677a7254512b3c0aa76e8be73d9b32923621edfa
Instruction Fuzzy Hash: EAD0233202020943DA2CBE50DCC7397731CD741306F4043AD5C09D9140F701D41D83C7

Function 00C6BF48 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a399c1dcdb0a70be9a2ad9f569876c482aa33cbf33ec322bb888de55e1a77c94
Instruction ID: 07189b50a35eabbf54e5c12840c9f21982da470ffc2a4479c81cc88b5a052bcc
Opcode Fuzzy Hash: a399c1dcdb0a70be9a2ad9f569876c482aa33cbf33ec322bb888de55e1a77c94
Instruction Fuzzy Hash: 79D0C736300118675B051A89B8048AE7B5EF7CD7717048026F91583340CE754D5197D5

Function 00C64831 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6181960456db0db74d89fcf441b059f74a675beeae218dcc9e6a664db53c4c24
Instruction ID: e7065dbc789025f3830f51c042ccc0d4458295eb754535c6a945d81aa8ae24ec
Opcode Fuzzy Hash: 6181960456db0db74d89fcf441b059f74a675beeae218dcc9e6a664db53c4c24
Instruction Fuzzy Hash: 8FC092A588D3C41FFF2F8770187A099BF20AE17304B2508CFC083DB093E62A99068306

Non-executed Functions

Function 00C61A40 Relevance: 5.1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

Strings

Xq, xrefs: 00C61B2F
Xq, xrefs: 00C61B7C
Xq, xrefs: 00C61AB0
Xq, xrefs: 00C61A76

Memory Dump Source

Source File: 00000011.00000002.2632129197.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_c60000_VyaPZFtSeDDse.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: b4508eef2beccc2739c2e645b93bdf270a5f58cc4deadfd5d06bf4b3101b3f2c
Instruction ID: ad79cde8039c895e759b6de4297e5acf97102cdcc00aba8a12e6320bab1bee14
Opcode Fuzzy Hash: b4508eef2beccc2739c2e645b93bdf270a5f58cc4deadfd5d06bf4b3101b3f2c
Instruction Fuzzy Hash: 8A317570E1031A4FDF748BA988D53AEB7B6AF84311F1C4065D859A7251EB30CE85DBD2

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tx4pkcHL9o.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VyaPZFtSeDDse.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tx4pkcHL9o.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1pwksqjp.01n.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_advxwvlj.lrh.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ffirf2ll.3rd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fhzsa5mk.tmy.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gnoxec5r.vxs.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_knpie4pn.prt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l4yt2vq2.wap.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sa2mx2rc.0cx.psm1

C:\Users\user\AppData\Local\Temp\tmp86BB.tmp

C:\Users\user\AppData\Local\Temp\tmp9B0E.tmp

Windows Analysis Report
tx4pkcHL9o.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre