Edit tour

Windows Analysis Report
HGhGAjCVw5.exe

Overview

General Information

Sample name:	HGhGAjCVw5.exe renamed because original name is a hash value
Original sample name:	d4a4e4c891bacb6ffa8884695d7d757d8dbbae18ec64370bac3f6ecc024ea334.exe
Analysis ID:	1588132
MD5:	4d77d26b50bea6a8755808eb5bec3044
SHA1:	19383419c4a21e39c46852059ae240e8ab6cc12f
SHA256:	d4a4e4c891bacb6ffa8884695d7d757d8dbbae18ec64370bac3f6ecc024ea334
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

HGhGAjCVw5.exe (PID: 1664 cmdline: "C:\Users\user\Desktop\HGhGAjCVw5.exe" MD5: 4D77D26B50BEA6A8755808EB5BEC3044)

powershell.exe (PID: 4052 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HGhGAjCVw5.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7560 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 2740 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gdJhjh.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7220 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp57CE.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HGhGAjCVw5.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\HGhGAjCVw5.exe" MD5: 4D77D26B50BEA6A8755808EB5BEC3044)

gdJhjh.exe (PID: 7452 cmdline: C:\Users\user\AppData\Roaming\gdJhjh.exe MD5: 4D77D26B50BEA6A8755808EB5BEC3044)

schtasks.exe (PID: 7720 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp6B66.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

gdJhjh.exe (PID: 7764 cmdline: "C:\Users\user\AppData\Roaming\gdJhjh.exe" MD5: 4D77D26B50BEA6A8755808EB5BEC3044)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000E.00000002.2821075648.000000000313C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.2821075648.0000000003111000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2821075648.0000000003111000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1590826725.00000000040C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1590826725.00000000040C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.2818045057.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2818045057.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2822698121.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2822698121.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1590826725.0000000004934000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1590826725.0000000004934000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2822698121.000000000321C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: HGhGAjCVw5.exe PID: 1664	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HGhGAjCVw5.exe PID: 1664	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: HGhGAjCVw5.exe PID: 1664	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: HGhGAjCVw5.exe PID: 7348	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HGhGAjCVw5.exe PID: 7348	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: gdJhjh.exe PID: 7452	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: gdJhjh.exe PID: 7764	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: gdJhjh.exe PID: 7764	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.HGhGAjCVw5.exe.40f4448.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HGhGAjCVw5.exe.40f4448.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.HGhGAjCVw5.exe.40f4448.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31761:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3187d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31959:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.HGhGAjCVw5.exe.40f4448.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HGhGAjCVw5.exe.40f4448.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.HGhGAjCVw5.exe.40f4448.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33561:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3367d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33759:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.HGhGAjCVw5.exe.4c41e68.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HGhGAjCVw5.exe.4c41e68.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.HGhGAjCVw5.exe.4c41e68.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31761:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3187d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31959:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.HGhGAjCVw5.exe.4c41e68.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HGhGAjCVw5.exe.4c41e68.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.HGhGAjCVw5.exe.4c41e68.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dd0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33561:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dd81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6de0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3367d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6de9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6df07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33759:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6df79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e00f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e09f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.HGhGAjCVw5.exe.4bc3048.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HGhGAjCVw5.exe.4bc3048.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.HGhGAjCVw5.exe.4bc3048.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.HGhGAjCVw5.exe.4bc3048.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0xb230f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xecb2f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xb2381:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xecba1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xb240b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xecc2b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xb249d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xeccbd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xb2507:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xecd27:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xb2579:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xecd99:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xb260f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xece2f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xb269f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0xecebf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.HGhGAjCVw5.exe.4b44228.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HGhGAjCVw5.exe.4b44228.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.HGhGAjCVw5.exe.4b44228.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.HGhGAjCVw5.exe.4b44228.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x13112f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x16b94f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1311a1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x16b9c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x13122b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x16ba4b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1312bd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x16badd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x131327:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x16bb47:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x131399:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x16bbb9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x13142f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x16bc4f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1314bf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x16bcdf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HGhGAjCVw5.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HGhGAjCVw5.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HGhGAjCVw5.exe", ParentImage: C:\Users\user\Desktop\HGhGAjCVw5.exe, ParentProcessId: 1664, ParentProcessName: HGhGAjCVw5.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HGhGAjCVw5.exe", ProcessId: 4052, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp6B66.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp6B66.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\gdJhjh.exe, ParentImage: C:\Users\user\AppData\Roaming\gdJhjh.exe, ParentProcessId: 7452, ParentProcessName: gdJhjh.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp6B66.tmp", ProcessId: 7720, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\HGhGAjCVw5.exe, Initiated: true, ProcessId: 7348, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49708

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp57CE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp57CE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\HGhGAjCVw5.exe", ParentImage: C:\Users\user\Desktop\HGhGAjCVw5.exe, ParentProcessId: 1664, ParentProcessName: HGhGAjCVw5.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp57CE.tmp", ProcessId: 7220, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HGhGAjCVw5.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HGhGAjCVw5.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HGhGAjCVw5.exe", ParentImage: C:\Users\user\Desktop\HGhGAjCVw5.exe, ParentProcessId: 1664, ParentProcessName: HGhGAjCVw5.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HGhGAjCVw5.exe", ProcessId: 4052, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp57CE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp57CE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\HGhGAjCVw5.exe", ParentImage: C:\Users\user\Desktop\HGhGAjCVw5.exe, ParentProcessId: 1664, ParentProcessName: HGhGAjCVw5.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp57CE.tmp", ProcessId: 7220, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: HGhGAjCVw5.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\gdJhjh.exe

Avira: detection malicious, Label: HEUR/AGEN.1305388

Found malware configuration

Source: 0.2.HGhGAjCVw5.exe.40f4448.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Virustotal: Detection: 60%			Perma Link

Multi AV Scanner detection for submitted file

Source: HGhGAjCVw5.exe	Virustotal: Detection: 60%			Perma Link
Source: HGhGAjCVw5.exe	ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\gdJhjh.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: HGhGAjCVw5.exe

Joe Sandbox ML: detected

Source: HGhGAjCVw5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49711 version: TLS 1.2

Source: HGhGAjCVw5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.4bc3048.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.4b44228.3.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	IP Address: 46.175.148.58 46.175.148.58
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.10:49708 -> 46.175.148.58:25

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.iaa-airferight.com

Source: HGhGAjCVw5.exe, 00000009.00000002.2822698121.000000000321C000.00000004.00000800.00020000.00000000.sdmp, gdJhjh.exe, 0000000E.00000002.2821075648.000000000313C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.iaa-airferight.com
Source: HGhGAjCVw5.exe, 00000000.00000002.1589404165.0000000003310000.00000004.00000800.00020000.00000000.sdmp, HGhGAjCVw5.exe, 00000009.00000002.2822698121.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, gdJhjh.exe, 0000000A.00000002.1638208076.0000000002F8F000.00000004.00000800.00020000.00000000.sdmp, gdJhjh.exe, 0000000E.00000002.2821075648.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: HGhGAjCVw5.exe, 00000000.00000002.1590826725.0000000004934000.00000004.00000800.00020000.00000000.sdmp, HGhGAjCVw5.exe, 00000000.00000002.1590826725.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, gdJhjh.exe, 0000000E.00000002.2818045057.0000000000432000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: HGhGAjCVw5.exe, 00000000.00000002.1590826725.0000000004934000.00000004.00000800.00020000.00000000.sdmp, HGhGAjCVw5.exe, 00000000.00000002.1590826725.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, HGhGAjCVw5.exe, 00000009.00000002.2822698121.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, gdJhjh.exe, 0000000E.00000002.2821075648.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, gdJhjh.exe, 0000000E.00000002.2818045057.0000000000432000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: HGhGAjCVw5.exe, 00000009.00000002.2822698121.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, gdJhjh.exe, 0000000E.00000002.2821075648.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: HGhGAjCVw5.exe, 00000009.00000002.2822698121.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, gdJhjh.exe, 0000000E.00000002.2821075648.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49711 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.HGhGAjCVw5.exe.40f4448.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.HGhGAjCVw5.exe.40f4448.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.HGhGAjCVw5.exe.4c41e68.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.HGhGAjCVw5.exe.4c41e68.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.HGhGAjCVw5.exe.4bc3048.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.HGhGAjCVw5.exe.4b44228.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_02EBD404	0_2_02EBD404
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07721E7A	0_2_07721E7A
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_077296C8	0_2_077296C8
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07722CF8	0_2_07722CF8
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07720B90	0_2_07720B90
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_077280A0	0_2_077280A0
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07724F10	0_2_07724F10
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07724F00	0_2_07724F00
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07729FC8	0_2_07729FC8
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07729FBA	0_2_07729FBA
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07728E40	0_2_07728E40
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_077296C6	0_2_077296C6
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07728698	0_2_07728698
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07728688	0_2_07728688
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_0772A570	0_2_0772A570
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_0772557A	0_2_0772557A
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_0772A560	0_2_0772A560
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07723D08	0_2_07723D08
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07725588	0_2_07725588
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07721440	0_2_07721440
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07723CF8	0_2_07723CF8
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07722C8B	0_2_07722C8B
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07720B77	0_2_07720B77
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07728358	0_2_07728358
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07728348	0_2_07728348
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07720B3F	0_2_07720B3F
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_077253A8	0_2_077253A8
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07725398	0_2_07725398
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07720AF7	0_2_07720AF7
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07723ADA	0_2_07723ADA
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07728A90	0_2_07728A90
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07728A80	0_2_07728A80
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07725118	0_2_07725118
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07725108	0_2_07725108
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07720040	0_2_07720040
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07720007	0_2_07720007
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_077218D9	0_2_077218D9
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 0_2_07728090	0_2_07728090
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_0110E6A1	9_2_0110E6A1
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_0110A94F	9_2_0110A94F
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_0110D9A8	9_2_0110D9A8
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_01104A98	9_2_01104A98
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_01103E80	9_2_01103E80
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_011041C8	9_2_011041C8
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_0698A034	9_2_0698A034
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_0698B880	9_2_0698B880
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_06995588	9_2_06995588
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_069965E0	9_2_069965E0
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_0699B20F	9_2_0699B20F
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_06993040	9_2_06993040
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_06997D68	9_2_06997D68
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_06997688	9_2_06997688
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_0699E388	9_2_0699E388
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_0699234A	9_2_0699234A
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_06990040	9_2_06990040
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_06995CD3	9_2_06995CD3
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_06990006	9_2_06990006
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_02CE4B01	10_2_02CE4B01
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_02CED404	10_2_02CED404
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074CE610	10_2_074CE610
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C96C8	10_2_074C96C8
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C1E88	10_2_074C1E88
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C2CF8	10_2_074C2CF8
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C0B90	10_2_074C0B90
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C80A0	10_2_074C80A0
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C9FC8	10_2_074C9FC8
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C4FE8	10_2_074C4FE8
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C4FE2	10_2_074C4FE2
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C9FBA	10_2_074C9FBA
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C8E40	10_2_074C8E40
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C8E50	10_2_074C8E50
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C1E7A	10_2_074C1E7A
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C8688	10_2_074C8688
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C8698	10_2_074C8698
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C96B8	10_2_074C96B8
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074CA560	10_2_074CA560
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C557A	10_2_074C557A
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074CA570	10_2_074CA570
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C4DD0	10_2_074C4DD0
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C4DE0	10_2_074C4DE0
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C5588	10_2_074C5588
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C1440	10_2_074C1440
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C1450	10_2_074C1450
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C2C9E	10_2_074C2C9E
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C2CAD	10_2_074C2CAD
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C8348	10_2_074C8348
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C8358	10_2_074C8358
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C0B76	10_2_074C0B76
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C0B3D	10_2_074C0B3D
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C3BC8	10_2_074C3BC8
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C3BD8	10_2_074C3BD8
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C3B90	10_2_074C3B90
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C5268	10_2_074C5268
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C5278	10_2_074C5278
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C8A80	10_2_074C8A80
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C8A90	10_2_074C8A90
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C0040	10_2_074C0040
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C0006	10_2_074C0006
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C18D9	10_2_074C18D9
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C18E8	10_2_074C18E8
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 10_2_074C8090	10_2_074C8090
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_0171E6A1	14_2_0171E6A1
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_0171A94F	14_2_0171A94F
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_01714A98	14_2_01714A98
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_01713E80	14_2_01713E80
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_017141C8	14_2_017141C8
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_06DB65E0	14_2_06DB65E0
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_06DB5588	14_2_06DB5588
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_06DB7D68	14_2_06DB7D68
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_06DBB20F	14_2_06DBB20F
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_06DB3040	14_2_06DB3040
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_06DB7688	14_2_06DB7688
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_06DB5CD3	14_2_06DB5CD3
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_06DBE388	14_2_06DBE388
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_06DB234B	14_2_06DB234B
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_06DB0040	14_2_06DB0040
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_06DB033E	14_2_06DB033E
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_06DB0007	14_2_06DB0007

Source: HGhGAjCVw5.exe, 00000000.00000002.1615026108.000000000A950000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs HGhGAjCVw5.exe
Source: HGhGAjCVw5.exe, 00000000.00000002.1587615048.000000000130E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs HGhGAjCVw5.exe
Source: HGhGAjCVw5.exe, 00000000.00000002.1590826725.0000000004934000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs HGhGAjCVw5.exe
Source: HGhGAjCVw5.exe, 00000000.00000002.1590826725.0000000004934000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs HGhGAjCVw5.exe
Source: HGhGAjCVw5.exe, 00000000.00000002.1590826725.00000000040C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs HGhGAjCVw5.exe
Source: HGhGAjCVw5.exe, 00000000.00000002.1590826725.00000000040C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs HGhGAjCVw5.exe
Source: HGhGAjCVw5.exe, 00000000.00000002.1589404165.0000000003310000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs HGhGAjCVw5.exe
Source: HGhGAjCVw5.exe, 00000000.00000000.1562867623.0000000000C52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRRxZ.exe, vs HGhGAjCVw5.exe
Source: HGhGAjCVw5.exe, 00000000.00000002.1610360090.0000000007480000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs HGhGAjCVw5.exe
Source: HGhGAjCVw5.exe, 00000000.00000002.1609955220.00000000073AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs HGhGAjCVw5.exe
Source: HGhGAjCVw5.exe, 00000000.00000002.1609955220.00000000073AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs HGhGAjCVw5.exe
Source: HGhGAjCVw5.exe, 00000009.00000002.2819916590.0000000001148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs HGhGAjCVw5.exe
Source: HGhGAjCVw5.exe, 00000009.00000002.2818522727.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs HGhGAjCVw5.exe
Source: HGhGAjCVw5.exe	Binary or memory string: OriginalFilenameRRxZ.exe, vs HGhGAjCVw5.exe

Source: HGhGAjCVw5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.HGhGAjCVw5.exe.40f4448.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HGhGAjCVw5.exe.40f4448.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HGhGAjCVw5.exe.4c41e68.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HGhGAjCVw5.exe.4c41e68.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HGhGAjCVw5.exe.4bc3048.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HGhGAjCVw5.exe.4b44228.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: HGhGAjCVw5.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gdJhjh.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@2/2

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe

File created: C:\Users\user\AppData\Roaming\gdJhjh.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe

File created: C:\Users\user\AppData\Local\Temp\tmp57CE.tmp

Jump to behavior

Source: HGhGAjCVw5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: HGhGAjCVw5.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HGhGAjCVw5.exe	Virustotal: Detection: 60%
Source: HGhGAjCVw5.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe

File read: C:\Users\user\Desktop\HGhGAjCVw5.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HGhGAjCVw5.exe "C:\Users\user\Desktop\HGhGAjCVw5.exe"
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HGhGAjCVw5.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gdJhjh.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp57CE.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process created: C:\Users\user\Desktop\HGhGAjCVw5.exe "C:\Users\user\Desktop\HGhGAjCVw5.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\gdJhjh.exe C:\Users\user\AppData\Roaming\gdJhjh.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp6B66.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process created: C:\Users\user\AppData\Roaming\gdJhjh.exe "C:\Users\user\AppData\Roaming\gdJhjh.exe"
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HGhGAjCVw5.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gdJhjh.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp57CE.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process created: C:\Users\user\Desktop\HGhGAjCVw5.exe "C:\Users\user\Desktop\HGhGAjCVw5.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp6B66.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process created: C:\Users\user\AppData\Roaming\gdJhjh.exe "C:\Users\user\AppData\Roaming\gdJhjh.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: HGhGAjCVw5.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HGhGAjCVw5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_01100C53 push ebx; retf	9_2_01100C52
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_01100C45 push ebx; retf	9_2_01100C52
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_01100C6D push edi; retf	9_2_01100C7A
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_01100CCB push edi; retf	9_2_01100C7A
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_069834DB push es; retf	9_2_069834E4
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_06983A40 push FC06A7DAh; retf	9_2_06983A4D
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Code function: 9_2_0699FFB0 push es; ret	9_2_0699FFC0
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_01710C6D push edi; retf	14_2_01710C7A
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_01710C45 push ebx; retf	14_2_01710C52
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Code function: 14_2_01710CCB push edi; retf	14_2_01710C7A

Source: HGhGAjCVw5.exe	Static PE information: section name: .text entropy: 7.6842460602118505
Source: gdJhjh.exe.0.dr	Static PE information: section name: .text entropy: 7.6842460602118505

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe

File created: C:\Users\user\AppData\Roaming\gdJhjh.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp57CE.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: HGhGAjCVw5.exe PID: 1664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gdJhjh.exe PID: 7452, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Memory allocated: 30C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Memory allocated: 3000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Memory allocated: 7DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Memory allocated: 8DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Memory allocated: 8F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Memory allocated: 9F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Memory allocated: A9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Memory allocated: B9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Memory allocated: C9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Memory allocated: 1100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Memory allocated: 17D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Memory allocated: 13D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Memory allocated: 2D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Memory allocated: 4D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Memory allocated: 7610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Memory allocated: 8610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Memory allocated: 87A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Memory allocated: 97A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Memory allocated: A1B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Memory allocated: B1B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Memory allocated: C1B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Memory allocated: 1710000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Memory allocated: 30C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Memory allocated: 50C0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5556	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6642	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Window / User API: threadDelayed 4615	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Window / User API: threadDelayed 5239	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Window / User API: threadDelayed 1910
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Window / User API: threadDelayed 7947

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 2092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196	Thread sleep count: 5556 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7380	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7180	Thread sleep count: 59 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7320	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7404	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7336	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7628	Thread sleep count: 4615 > 30	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -99888s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7628	Thread sleep count: 5239 > 30	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -99665s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -99451s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -99124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -98796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -98468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -98359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -98250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -98137s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -98031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -97921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -97812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -97703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -97593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -97484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -97375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -97265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -97155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -97046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -96937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -96828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -96718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -96609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -96499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -96390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -96278s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -96171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -96062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -95952s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -95843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -95734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -95623s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -95515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -95406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -95296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -95187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -95078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -94968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -94859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -94749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -94640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe TID: 7568	Thread sleep time: -94531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7496	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7868	Thread sleep count: 1910 > 30
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7868	Thread sleep count: 7947 > 30
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -99544s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -99421s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -99202s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -99091s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -98968s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -98856s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -98734s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -98625s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -98515s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -98296s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -98187s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -98078s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -97968s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -97857s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -97734s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -97625s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -97515s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -97406s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -97296s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -97187s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -97078s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -96968s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -96859s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -96749s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -96640s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -96531s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -96419s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -96296s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -96187s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -96066s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -95937s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -95827s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -95716s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -95593s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -95484s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -95372s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -95250s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -95140s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -94993s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -94875s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -94765s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -94656s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -94546s >= -30000s
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe TID: 7864	Thread sleep time: -94437s >= -30000s

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 99888	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 99665	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 99451	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 99124	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 98796	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 98468	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 98137	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 97921	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 97812	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 97593	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 97484	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 97375	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 97265	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 97155	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 97046	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 96937	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 96828	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 96718	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 96609	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 96499	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 96390	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 96278	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 96171	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 96062	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 95952	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 95843	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 95734	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 95623	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 95515	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 95406	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 95296	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 95187	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 95078	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 94968	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 94859	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 94749	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 94640	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Thread delayed: delay time: 94531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 99544
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 99421
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 99312
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 99202
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 99091
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 98968
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 98856
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 98734
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 98625
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 98515
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 98406
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 98296
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 98187
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 98078
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 97968
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 97857
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 97734
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 97625
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 97515
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 97406
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 97296
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 97187
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 97078
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 96968
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 96859
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 96749
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 96640
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 96531
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 96419
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 96296
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 96187
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 96066
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 95937
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 95827
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 95716
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 95593
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 95484
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 95372
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 95250
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 95140
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 94993
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 94875
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 94765
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 94656
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 94546
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Thread delayed: delay time: 94437

Source: HGhGAjCVw5.exe, 00000000.00000002.1587615048.000000000137F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: HGhGAjCVw5.exe, 00000009.00000002.2820725559.000000000120E000.00000004.00000020.00020000.00000000.sdmp, gdJhjh.exe, 0000000E.00000002.2819563019.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HGhGAjCVw5.exe"
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gdJhjh.exe"
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HGhGAjCVw5.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gdJhjh.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HGhGAjCVw5.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gdJhjh.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp57CE.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Process created: C:\Users\user\Desktop\HGhGAjCVw5.exe "C:\Users\user\Desktop\HGhGAjCVw5.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp6B66.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Process created: C:\Users\user\AppData\Roaming\gdJhjh.exe "C:\Users\user\AppData\Roaming\gdJhjh.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Queries volume information: C:\Users\user\Desktop\HGhGAjCVw5.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Queries volume information: C:\Users\user\Desktop\HGhGAjCVw5.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Queries volume information: C:\Users\user\AppData\Roaming\gdJhjh.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Queries volume information: C:\Users\user\AppData\Roaming\gdJhjh.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.40f4448.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.40f4448.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.4c41e68.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.4c41e68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.4bc3048.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.4b44228.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2821075648.000000000313C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2821075648.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1590826725.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2818045057.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2822698121.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1590826725.0000000004934000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2822698121.000000000321C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HGhGAjCVw5.exe PID: 1664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HGhGAjCVw5.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gdJhjh.exe PID: 7764, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\gdJhjh.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\HGhGAjCVw5.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\gdJhjh.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.40f4448.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.40f4448.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.4c41e68.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.4c41e68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.4bc3048.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.4b44228.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2821075648.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1590826725.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2818045057.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2822698121.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1590826725.0000000004934000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HGhGAjCVw5.exe PID: 1664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HGhGAjCVw5.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gdJhjh.exe PID: 7764, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.40f4448.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.40f4448.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.4c41e68.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.4c41e68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.4bc3048.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HGhGAjCVw5.exe.4b44228.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2821075648.000000000313C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2821075648.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1590826725.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2818045057.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2822698121.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1590826725.0000000004934000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2822698121.000000000321C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HGhGAjCVw5.exe PID: 1664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HGhGAjCVw5.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gdJhjh.exe PID: 7764, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	2 Obfuscated Files or Information	1 Credentials in Registry	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	2 Software Packing	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	211 Security Software Discovery	Distributed Component Object Model	Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	141 Virtualization/Sandbox Evasion	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HGhGAjCVw5.exe	61%	Virustotal		Browse
HGhGAjCVw5.exe	71%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
HGhGAjCVw5.exe	100%	Avira	HEUR/AGEN.1305388
HGhGAjCVw5.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\gdJhjh.exe	100%	Avira	HEUR/AGEN.1305388
C:\Users\user\AppData\Roaming\gdJhjh.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\gdJhjh.exe	71%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
C:\Users\user\AppData\Roaming\gdJhjh.exe	61%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.iaa-airferight.com	46.175.148.58	true	false		high
api.ipify.org	104.26.13.205	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org	HGhGAjCVw5.exe, 00000000.00000002.1590826725.0000000004934000.00000004.00000800.00020000.00000000.sdmp, HGhGAjCVw5.exe, 00000000.00000002.1590826725.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, HGhGAjCVw5.exe, 00000009.00000002.2822698121.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, gdJhjh.exe, 0000000E.00000002.2821075648.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, gdJhjh.exe, 0000000E.00000002.2818045057.0000000000432000.00000040.00000400.00020000.00000000.sdmp	false	high
https://account.dyn.com/	HGhGAjCVw5.exe, 00000000.00000002.1590826725.0000000004934000.00000004.00000800.00020000.00000000.sdmp, HGhGAjCVw5.exe, 00000000.00000002.1590826725.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, gdJhjh.exe, 0000000E.00000002.2818045057.0000000000432000.00000040.00000400.00020000.00000000.sdmp	false	high
https://api.ipify.org/t	HGhGAjCVw5.exe, 00000009.00000002.2822698121.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, gdJhjh.exe, 0000000E.00000002.2821075648.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	HGhGAjCVw5.exe, 00000000.00000002.1589404165.0000000003310000.00000004.00000800.00020000.00000000.sdmp, HGhGAjCVw5.exe, 00000009.00000002.2822698121.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, gdJhjh.exe, 0000000A.00000002.1638208076.0000000002F8F000.00000004.00000800.00020000.00000000.sdmp, gdJhjh.exe, 0000000E.00000002.2821075648.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mail.iaa-airferight.com	HGhGAjCVw5.exe, 00000009.00000002.2822698121.000000000321C000.00000004.00000800.00020000.00000000.sdmp, gdJhjh.exe, 0000000E.00000002.2821075648.000000000313C000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.175.148.58	mail.iaa-airferight.com	Ukraine		56394	ASLAGIDKOM-NETUA	false
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588132
Start date and time:	2025-01-10 21:38:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HGhGAjCVw5.exe renamed because original name is a hash value
Original Sample Name:	d4a4e4c891bacb6ffa8884695d7d757d8dbbae18ec64370bac3f6ecc024ea334.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 152 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:40:19	API Interceptor	190x Sleep call for process: HGhGAjCVw5.exe modified
15:40:20	API Interceptor	45x Sleep call for process: powershell.exe modified
15:40:24	API Interceptor	184x Sleep call for process: gdJhjh.exe modified
21:40:21	Task Scheduler	Run new task: gdJhjh path: C:\Users\user\AppData\Roaming\gdJhjh.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
46.175.148.58	0PPJsQE4wD.exe	Get hash	malicious	AgentTesla	Browse
	kzy8qg5lbR.exe	Get hash	malicious	AgentTesla	Browse
	OP53532 Harumi new order.scr.exe	Get hash	malicious	AgentTesla	Browse
	INV01542 , INV01562-7500003124 JTR-0084.exe	Get hash	malicious	AgentTesla	Browse
	Shipment Dec Orders valves 2024.scr.exe	Get hash	malicious	AgentTesla	Browse
	proforma invoice.exe	Get hash	malicious	AgentTesla	Browse
	Overdue_payment.pdf.exe	Get hash	malicious	AgentTesla	Browse
	PO for fabric forecast.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	980001672 PPR for 30887217.scr.exe	Get hash	malicious	AgentTesla	Browse
	lC7L7oBBMC.exe	Get hash	malicious	AgentTesla	Browse
104.26.13.205	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.iaa-airferight.com	0PPJsQE4wD.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	kzy8qg5lbR.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	OP53532 Harumi new order.scr.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	INV01542 , INV01562-7500003124 JTR-0084.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	Shipment Dec Orders valves 2024.scr.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	proforma invoice.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	Overdue_payment.pdf.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	PO for fabric forecast.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	46.175.148.58
	980001672 PPR for 30887217.scr.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	lC7L7oBBMC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
api.ipify.org	https://glfbanks.com/	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	s2Jg1MAahY.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Y8Q1voljvb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	DpTbBYeE7J.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	104.26.13.205
	7DpzcPcsTS.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	B8FnDUj8hy.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	FSRHC6mB16.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	9pIm5d0rsW.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASLAGIDKOM-NETUA	0PPJsQE4wD.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	kzy8qg5lbR.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	OP53532 Harumi new order.scr.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	INV01542 , INV01562-7500003124 JTR-0084.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	Shipment Dec Orders valves 2024.scr.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	proforma invoice.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	Overdue_payment.pdf.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	PO for fabric forecast.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	46.175.148.58
	980001672 PPR for 30887217.scr.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	lC7L7oBBMC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
CLOUDFLARENETUS	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://cocteldedeas.mx/rx567#cmVjaWJhc2VAc2VhbWFyaXRpbWEuY29t	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	104.21.80.1
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.184.241
	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	348426869538810128.js	Get hash	malicious	Strela Downloader	Browse	162.159.61.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.26.13.205
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.26.13.205
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.26.13.205
	http://diebinjmajbkhhg.top/1.php?s=527	Get hash	malicious	Unknown	Browse	104.26.13.205
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	104.26.13.205
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	104.26.13.205
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.26.13.205
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.26.13.205

Process:	C:\Users\user\Desktop\HGhGAjCVw5.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gdJhjh.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\gdJhjh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	16AD599332DD2FF94DA0787D71688B62
SHA1:	02F738694B02E84FFE3BAB7DE5709001823C6E40
SHA-256:	452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
SHA-512:	A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hpb3sfrs.tx4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jrzqcvx2.aub.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kgvckkcd.vjk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_la3fu512.os0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lvbbwt2k.bzj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_on2uzkq2.p0u.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qr2gdxfr.eqi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qyekkh0i.bjf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp57CE.tmp

Download File

Process:	C:\Users\user\Desktop\HGhGAjCVw5.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	5.110098175381362
Encrypted:	false
SSDEEP:	48:cge7XQBBYrFdOFzOzN33ODOiDdKrsuTsv:He7XQBBYrFdOFzOz6dKrsuO
MD5:	093C3B37A8BB70FBF2D0924853DF7954
SHA1:	6B0DE4FBAC59F5543D701BC3E7B408C424D6BC98
SHA-256:	4F687B44380D99901AB19E140DC998431DB4A6001CCCF5E550F70F5265E296F6
SHA-512:	E5D7C5C30C099C10D6449FE3326F1E9EDCEB9FE50878891211C69F3D78D491051910AA9CC0B19E5FBDE98C732A7DCFD717B630410D7E3E209001D02AC1F4AA21
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f

C:\Users\user\AppData\Local\Temp\tmp6B66.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\gdJhjh.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	5.110098175381362
Encrypted:	false
SSDEEP:	48:cge7XQBBYrFdOFzOzN33ODOiDdKrsuTsv:He7XQBBYrFdOFzOz6dKrsuO
MD5:	093C3B37A8BB70FBF2D0924853DF7954
SHA1:	6B0DE4FBAC59F5543D701BC3E7B408C424D6BC98
SHA-256:	4F687B44380D99901AB19E140DC998431DB4A6001CCCF5E550F70F5265E296F6
SHA-512:	E5D7C5C30C099C10D6449FE3326F1E9EDCEB9FE50878891211C69F3D78D491051910AA9CC0B19E5FBDE98C732A7DCFD717B630410D7E3E209001D02AC1F4AA21
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f

C:\Users\user\AppData\Roaming\gdJhjh.exe

Download File

Process:	C:\Users\user\Desktop\HGhGAjCVw5.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	986624
Entropy (8bit):	7.461406357161058
Encrypted:	false
SSDEEP:	12288:EjlIpHtMPku+l0CPPPJAhajNglP1FmS+jxSCMz+5vET5TVw/AQgMQ60kzodR67Ls:EjlIhSPd+pTgl1wS+jv56bw2V6+eAF
MD5:	4D77D26B50BEA6A8755808EB5BEC3044
SHA1:	19383419C4A21E39C46852059AE240E8AB6CC12F
SHA-256:	D4A4E4C891BACB6FFA8884695D7D757D8DBBAE18EC64370BAC3F6ECC024EA334
SHA-512:	2064F545989E2936DEC55A7D894B4DC03AEFEBC112310E2E9797A130D4625CCEB709E3739876B82C90FE236E100F5B31768C73472E53B9835ED8B6BE77ECC521
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71% Antivirus: Virustotal, Detection: 61%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K.Zg..............0..T...........r... ........@.. .......................`............@.................................Hr..O............................@....................................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc.......@......................@..B................\|r......H.......d1... .......... R..( ...........................................0...........(........}.....s....}.....r...p(....}.....~.... ....s....}.....{....o.... ......o......{.....o......{....o.....{....o......{.....{....o.....f........s....s....(.....~..{....r...po......{....o......0..}.........{....r9..po......+7...{.....\|....o ...}....(!....{....o".....{.....o........+.&..{....rS..po........&..{....rS..po...................>P..........>f.........}.....(#.......s....}....

C:\Users\user\AppData\Roaming\gdJhjh.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\HGhGAjCVw5.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.461406357161058
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	HGhGAjCVw5.exe
File size:	986'624 bytes
MD5:	4d77d26b50bea6a8755808eb5bec3044
SHA1:	19383419c4a21e39c46852059ae240e8ab6cc12f
SHA256:	d4a4e4c891bacb6ffa8884695d7d757d8dbbae18ec64370bac3f6ecc024ea334
SHA512:	2064f545989e2936dec55a7d894b4dc03aefebc112310e2e9797a130d4625cceb709e3739876b82c90fe236e100f5b31768c73472e53b9835ed8b6be77ecc521
SSDEEP:	12288:EjlIpHtMPku+l0CPPPJAhajNglP1FmS+jxSCMz+5vET5TVw/AQgMQ60kzodR67Ls:EjlIhSPd+pTgl1wS+jv56bw2V6+eAF
TLSH:	C925F4C32A2DA672DE38A73C40159DF891B41D6C2088B5A65BF87F3EE57C0225D1FE19
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K.Zg..............0..T...........r... ........@.. .......................`............@................................

File Icon


Icon Hash:	2946e68e96b3ca4d

Static PE Info

General

Entrypoint:	0x4c729a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x675A854B [Thu Dec 12 06:40:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc7248	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x2b504	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc52a0	0xc5400	ad16d395b8c0f8de862b96de60b5759d	False	0.8843732671894804	data	7.6842460602118505	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc8000	0x2b504	0x2b600	b1bafe6306af8a4c4a787e3cc23398f5	False	0.20849468659942363	data	5.118470322925119	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf4000	0xc	0x200	6999d2e0c3fd95254b190f50bdf454fd	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc8298	0x3751	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9929383518113127
RT_ICON	0xcb9ec	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.0891251626641429
RT_ICON	0xdc214	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.13335610678999368
RT_ICON	0xe56bc	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.16816081330868762
RT_ICON	0xeab44	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.15594000944733113
RT_ICON	0xeed6c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.23392116182572614
RT_ICON	0xf1314	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.274624765478424
RT_ICON	0xf23bc	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.41885245901639345
RT_ICON	0xf2d44	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.5
RT_GROUP_ICON	0xf31ac	0x84	data	0.7045454545454546
RT_GROUP_ICON	0xf3230	0x14	data	1.05
RT_VERSION	0xf3244	0x2c0	data	0.4602272727272727

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:40:22.323254108 CET	49707	443	192.168.2.10	104.26.13.205
Jan 10, 2025 21:40:22.323302984 CET	443	49707	104.26.13.205	192.168.2.10
Jan 10, 2025 21:40:22.323532104 CET	49707	443	192.168.2.10	104.26.13.205
Jan 10, 2025 21:40:22.329847097 CET	49707	443	192.168.2.10	104.26.13.205
Jan 10, 2025 21:40:22.329864979 CET	443	49707	104.26.13.205	192.168.2.10
Jan 10, 2025 21:40:23.084063053 CET	443	49707	104.26.13.205	192.168.2.10
Jan 10, 2025 21:40:23.084269047 CET	49707	443	192.168.2.10	104.26.13.205
Jan 10, 2025 21:40:23.095752954 CET	49707	443	192.168.2.10	104.26.13.205
Jan 10, 2025 21:40:23.095773935 CET	443	49707	104.26.13.205	192.168.2.10
Jan 10, 2025 21:40:23.096079111 CET	443	49707	104.26.13.205	192.168.2.10
Jan 10, 2025 21:40:23.144391060 CET	49707	443	192.168.2.10	104.26.13.205
Jan 10, 2025 21:40:23.421547890 CET	49707	443	192.168.2.10	104.26.13.205
Jan 10, 2025 21:40:23.463326931 CET	443	49707	104.26.13.205	192.168.2.10
Jan 10, 2025 21:40:23.625230074 CET	443	49707	104.26.13.205	192.168.2.10
Jan 10, 2025 21:40:23.625302076 CET	443	49707	104.26.13.205	192.168.2.10
Jan 10, 2025 21:40:23.625416994 CET	49707	443	192.168.2.10	104.26.13.205
Jan 10, 2025 21:40:23.634704113 CET	49707	443	192.168.2.10	104.26.13.205
Jan 10, 2025 21:40:24.688853025 CET	49708	25	192.168.2.10	46.175.148.58
Jan 10, 2025 21:40:25.691360950 CET	49708	25	192.168.2.10	46.175.148.58
Jan 10, 2025 21:40:26.755333900 CET	49711	443	192.168.2.10	104.26.13.205
Jan 10, 2025 21:40:26.755377054 CET	443	49711	104.26.13.205	192.168.2.10
Jan 10, 2025 21:40:26.755517006 CET	49711	443	192.168.2.10	104.26.13.205
Jan 10, 2025 21:40:26.759520054 CET	49711	443	192.168.2.10	104.26.13.205
Jan 10, 2025 21:40:26.759541035 CET	443	49711	104.26.13.205	192.168.2.10
Jan 10, 2025 21:40:27.348928928 CET	443	49711	104.26.13.205	192.168.2.10
Jan 10, 2025 21:40:27.349016905 CET	49711	443	192.168.2.10	104.26.13.205
Jan 10, 2025 21:40:27.350509882 CET	49711	443	192.168.2.10	104.26.13.205
Jan 10, 2025 21:40:27.350516081 CET	443	49711	104.26.13.205	192.168.2.10
Jan 10, 2025 21:40:27.350781918 CET	443	49711	104.26.13.205	192.168.2.10
Jan 10, 2025 21:40:27.404808044 CET	49711	443	192.168.2.10	104.26.13.205
Jan 10, 2025 21:40:27.447374105 CET	443	49711	104.26.13.205	192.168.2.10
Jan 10, 2025 21:40:27.577241898 CET	443	49711	104.26.13.205	192.168.2.10
Jan 10, 2025 21:40:27.577313900 CET	443	49711	104.26.13.205	192.168.2.10
Jan 10, 2025 21:40:27.577426910 CET	49711	443	192.168.2.10	104.26.13.205
Jan 10, 2025 21:40:27.583257914 CET	49711	443	192.168.2.10	104.26.13.205
Jan 10, 2025 21:40:27.785024881 CET	49708	25	192.168.2.10	46.175.148.58
Jan 10, 2025 21:40:28.127831936 CET	49712	25	192.168.2.10	46.175.148.58
Jan 10, 2025 21:40:29.128782034 CET	49712	25	192.168.2.10	46.175.148.58
Jan 10, 2025 21:40:31.128895044 CET	49712	25	192.168.2.10	46.175.148.58
Jan 10, 2025 21:40:31.785049915 CET	49708	25	192.168.2.10	46.175.148.58
Jan 10, 2025 21:40:35.128880024 CET	49712	25	192.168.2.10	46.175.148.58
Jan 10, 2025 21:40:39.785082102 CET	49708	25	192.168.2.10	46.175.148.58
Jan 10, 2025 21:40:43.128806114 CET	49712	25	192.168.2.10	46.175.148.58

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:40:22.290512085 CET	64677	53	192.168.2.10	1.1.1.1
Jan 10, 2025 21:40:22.297337055 CET	53	64677	1.1.1.1	192.168.2.10
Jan 10, 2025 21:40:24.653084040 CET	62756	53	192.168.2.10	1.1.1.1
Jan 10, 2025 21:40:24.687710047 CET	53	62756	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 21:40:22.290512085 CET	192.168.2.10	1.1.1.1	0x2ff8	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:40:24.653084040 CET	192.168.2.10	1.1.1.1	0xe7cb	Standard query (0)	mail.iaa-airferight.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 21:40:22.297337055 CET	1.1.1.1	192.168.2.10	0x2ff8	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:40:22.297337055 CET	1.1.1.1	192.168.2.10	0x2ff8	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:40:22.297337055 CET	1.1.1.1	192.168.2.10	0x2ff8	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:40:24.687710047 CET	1.1.1.1	192.168.2.10	0xe7cb	No error (0)	mail.iaa-airferight.com	46.175.148.58	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49707	104.26.13.205	443	7348	C:\Users\user\Desktop\HGhGAjCVw5.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:40:23 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-10 20:40:23 UTC	427	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:40:23 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8fff7b5b09b67ced-EWR server-timing: cfL4;desc="?proto=TCP&rtt=64626&min_rtt=21717&rtt_var=35804&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=134456&cwnd=179&unsent_bytes=0&cid=64e79a11a18608c5&ts=557&x=0"
2025-01-10 20:40:23 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49711	104.26.13.205	443	7764	C:\Users\user\AppData\Roaming\gdJhjh.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:40:27 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-10 20:40:27 UTC	424	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:40:27 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8fff7b73ca914358-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1809&min_rtt=1745&rtt_var=783&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1290893&cwnd=206&unsent_bytes=0&cid=4adcc4d35d097ec2&ts=219&x=0"
2025-01-10 20:40:27 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Target ID:	0
Start time:	15:40:18
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\HGhGAjCVw5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HGhGAjCVw5.exe"
Imagebase:	0xc50000
File size:	986'624 bytes
MD5 hash:	4D77D26B50BEA6A8755808EB5BEC3044
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1590826725.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1590826725.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1590826725.0000000004934000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1590826725.0000000004934000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:40:19
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HGhGAjCVw5.exe"
Imagebase:	0x3f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:40:20
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:40:20
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gdJhjh.exe"
Imagebase:	0x3f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:40:20
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:40:20
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp57CE.tmp"
Imagebase:	0x420000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:40:20
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:40:20
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\HGhGAjCVw5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HGhGAjCVw5.exe"
Imagebase:	0xa00000
File size:	986'624 bytes
MD5 hash:	4D77D26B50BEA6A8755808EB5BEC3044
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2822698121.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2822698121.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2822698121.000000000321C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	15:40:21
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\gdJhjh.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\gdJhjh.exe
Imagebase:	0x970000
File size:	986'624 bytes
MD5 hash:	4D77D26B50BEA6A8755808EB5BEC3044
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs Detection: 61%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:40:23
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6616b0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:40:25
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdJhjh" /XML "C:\Users\user\AppData\Local\Temp\tmp6B66.tmp"
Imagebase:	0x420000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:40:25
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:40:25
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\gdJhjh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\gdJhjh.exe"
Imagebase:	0xce0000
File size:	986'624 bytes
MD5 hash:	4D77D26B50BEA6A8755808EB5BEC3044
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2821075648.000000000313C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2821075648.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2821075648.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2818045057.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2818045057.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	55
Total number of Limit Nodes:	8

Executed Functions

Function 07722C8B Relevance: 4.1, Strings: 3, Instructions: 339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 07722FCB
ry, xrefs: 07722FC4
ry, xrefs: 07722FE2

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: 2886ce9dea797879214900865f29b7cdb8359aba846156c9222772c15aa18b79
Instruction ID: a21815463e2475846e1af88cca2a9cbe420ef796cc3860d346967acb4cdedaf1
Opcode Fuzzy Hash: 2886ce9dea797879214900865f29b7cdb8359aba846156c9222772c15aa18b79
Instruction Fuzzy Hash: 86D1CFB1D04626DFCB14CFA5D4844AEFBB2FF8A340B15855AD422AB216C734DA83DF94

Function 07722CF8 Relevance: 4.0, Strings: 3, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 07722FCB
ry, xrefs: 07722FC4
ry, xrefs: 07722FE2

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: 93a971eb8b2ceb50637042de12faa2a89394bf1713ef8ffa5b5d8f788c7e2263
Instruction ID: 9cd1946c56e639375dbdf1a0a65c48b2f68b85362461e3e8ea3bc4098ec046e6
Opcode Fuzzy Hash: 93a971eb8b2ceb50637042de12faa2a89394bf1713ef8ffa5b5d8f788c7e2263
Instruction Fuzzy Hash: F4C16AB0D1461ADFCB14CFA5D4858AEFBB2FF89340F11945AD422AB219D734EA42CF94

Function 077296C8 Relevance: 2.7, Strings: 2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UC;", xrefs: 077298B6
TuA, xrefs: 07729838

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: TuA$UC;"
API String ID: 0-2071649361
Opcode ID: d5cba173b6161c21954de2e7a6ebab78077adc06f6b9004a2a19ba674001f540
Instruction ID: 6bf72588744c5be59f99ce7ca6d49ffd10be85bcbd81848ca35eb168ba3f205b
Opcode Fuzzy Hash: d5cba173b6161c21954de2e7a6ebab78077adc06f6b9004a2a19ba674001f540
Instruction Fuzzy Hash: DF9129B4D24219DFCB08CFA5E5815DEFBB2EF89350F14A42AE525BB264D730A542DF40

Function 077296C6 Relevance: 2.7, Strings: 2, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UC;", xrefs: 077298B6
TuA, xrefs: 07729838

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: TuA$UC;"
API String ID: 0-2071649361
Opcode ID: 50dd018d16264eea9a9bfc8f6e447836a35d48973567253e7119af89bf29b789
Instruction ID: a322b8bfe7522514e2bbf6b0b1754c107778fe279acf33715b2efbf7416a99a0
Opcode Fuzzy Hash: 50dd018d16264eea9a9bfc8f6e447836a35d48973567253e7119af89bf29b789
Instruction Fuzzy Hash: 7B9119B4D24219DFCB08CFA5E5815DEFBB2EF89390F14A42AE525B7264D730A542DF40

Function 07720AF7 Relevance: 1.5, Strings: 1, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z^I, xrefs: 07720D51

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: 88c2f8dcf3d24bc6ffcb97f7e0d3d3d464cfb7631b54b5d6e4e2fd4b98ae72df
Instruction ID: 8930a8c7a418ea6ffd4d11b1f867e1f43820bf69d987f6f33c5f425e2d23afdf
Opcode Fuzzy Hash: 88c2f8dcf3d24bc6ffcb97f7e0d3d3d464cfb7631b54b5d6e4e2fd4b98ae72df
Instruction Fuzzy Hash: 50B16CB5E002598FCB04CFA9C8846DDFBB2FF89350F14912AD425AB365D7349982CF64

Function 07720B3F Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

z^I, xrefs: 07720D51

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: 4646d36891b411a7c2103aa7dc54f93f6383eec6d8b9043cf248dcc17e05a5e1
Instruction ID: eb8df7fa3d24a5a49900e92c99f908affdd36e65d0a4df43496224167d8d3877
Opcode Fuzzy Hash: 4646d36891b411a7c2103aa7dc54f93f6383eec6d8b9043cf248dcc17e05a5e1
Instruction Fuzzy Hash: A6A128B5E102198FCB08CFA9C8846DEFBB2FF89310F14902AD415AB364D7349982CF64

Function 07720B77 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

z^I, xrefs: 07720D51

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: 4a1a322f2949e87b506c4db4810fd1567401cf987792bc0b983b3fa9db75ca28
Instruction ID: 541f92dcfdef79ac3003bfded57c3752aec1ae1e4b47930d9d7068c7d6d8470b
Opcode Fuzzy Hash: 4a1a322f2949e87b506c4db4810fd1567401cf987792bc0b983b3fa9db75ca28
Instruction Fuzzy Hash: E4A1E5B4E142199FCB04CFAAC9446DDFBB2EF89300F14902AD415AB364D7749946CF64

Function 07720B90 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

z^I, xrefs: 07720D51

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: 02037fd7059c3ee7756ac4396a91e53e9417d9fc04ed62eafc1d0a59b9dda50e
Instruction ID: 4223e3fdf96d09f1bdb9392f11c7ad655a89db3a5482d1902cfe350d9d827f54
Opcode Fuzzy Hash: 02037fd7059c3ee7756ac4396a91e53e9417d9fc04ed62eafc1d0a59b9dda50e
Instruction Fuzzy Hash: 4891B3B4E102199FDB08CFAAC9846DDFBB2EF89300F24942AD415BB364D7749946CF64

Function 07728090 Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

5=6, xrefs: 077281CE

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: 5=6
API String ID: 0-2897083178
Opcode ID: 75b3c95f9ee7da7562201830861aee02211adaf89f2458bd9e7713aecba7a8d5
Instruction ID: 7c9d4db8cc6d83e701f76a9688158b20e2475090d8bf5be3da9e15b5547e688e
Opcode Fuzzy Hash: 75b3c95f9ee7da7562201830861aee02211adaf89f2458bd9e7713aecba7a8d5
Instruction Fuzzy Hash: D77149B4E1521A9FCB08CFA6D8414AEFBF2FF8A240F00D46AD026E7254D7349A019F51

Function 077280A0 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

5=6, xrefs: 077281CE

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: 5=6
API String ID: 0-2897083178
Opcode ID: c3b5b8d127079eeb6f1c2300a75aba4164832e10c0fbc1caf9d7a613383f8406
Instruction ID: c4cb4d7ea6cbcb4948b21534435784959133af5c5a23fcbd01017a28c4b914ad
Opcode Fuzzy Hash: c3b5b8d127079eeb6f1c2300a75aba4164832e10c0fbc1caf9d7a613383f8406
Instruction Fuzzy Hash: A8614AB4E1521ADFCB08CFA5D8414AEFBF2FF8A240F00E46AD026E7254D7349A019F55

Function 07721E7A Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5ecea53d62fe5d82bef2536bef700140e3e1f780f7cd2b5bb2f19892416f09
Instruction ID: 2008400797a4c4192ce58d3cdd7a3f39d59ec4a16fe8682d635660c4fb97e9fe
Opcode Fuzzy Hash: 9a5ecea53d62fe5d82bef2536bef700140e3e1f780f7cd2b5bb2f19892416f09
Instruction Fuzzy Hash: DF3127B1E016588FDB18CFA6D8502DEBBB2BFC9350F14C06AD809AA264DB345A46CF50

Function 02EBD4C9 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02EBD556
GetCurrentThread.KERNEL32 ref: 02EBD593
GetCurrentProcess.KERNEL32 ref: 02EBD5D0
GetCurrentThreadId.KERNEL32 ref: 02EBD629

Memory Dump Source

Source File: 00000000.00000002.1589028609.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_HGhGAjCVw5.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0c58a929fa6b1f80b193144bff9c9e5f6ec3d3be84b0ada5cfbce77ef74c188e
Instruction ID: 3dd01c75289c44c09a206d37c077c97ec2cde9f1114d4a57ccfba3825224f68e
Opcode Fuzzy Hash: 0c58a929fa6b1f80b193144bff9c9e5f6ec3d3be84b0ada5cfbce77ef74c188e
Instruction Fuzzy Hash: D15155B09013498FDB15CFA9D949BDEBBF1FF88308F208459E019A7250DB789985CF65

Function 02EBD4D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02EBD556
GetCurrentThread.KERNEL32 ref: 02EBD593
GetCurrentProcess.KERNEL32 ref: 02EBD5D0
GetCurrentThreadId.KERNEL32 ref: 02EBD629

Memory Dump Source

Source File: 00000000.00000002.1589028609.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_HGhGAjCVw5.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: fe4a30edd666931e7ee35817ed7304c760f8b2b7f4cc4748f2c8dbb9c4433377
Instruction ID: af4b07d9336a5dd3e567c72ce57c225e068d3fe94f4bbf435b3337cb3d5492be
Opcode Fuzzy Hash: fe4a30edd666931e7ee35817ed7304c760f8b2b7f4cc4748f2c8dbb9c4433377
Instruction Fuzzy Hash: 125165B09012488FDB14DFAAD949BDEBBF1FF88308F208459E019A7350DB789985CF65

Function 02EBAE48 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02EBB09E

Memory Dump Source

Source File: 00000000.00000002.1589028609.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_HGhGAjCVw5.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a2e1a200f2682f237fc44c57ff8197ce583eef62bbd6ede36e3ccd0197a94469
Instruction ID: 3c6c9ae6ae0a8e195cae9a44f333741a3f3a5aede589513c65b1964a00bb22b3
Opcode Fuzzy Hash: a2e1a200f2682f237fc44c57ff8197ce583eef62bbd6ede36e3ccd0197a94469
Instruction Fuzzy Hash: B97123B0A00B058FDB25DF2AD44479BBBF2BF48208F00892DE49A97B50DB75E845CF91

Function 02EB44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02EB59C9

Memory Dump Source

Source File: 00000000.00000002.1589028609.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_HGhGAjCVw5.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f03090f2c8250b0e5097ef2d658dd5645c8d58df4709d14306bc8e0022ed32c6
Instruction ID: 4328bcf1adb35a9882dcd6168416e0f7aa90916a57846fe9227e6653cfd2a65e
Opcode Fuzzy Hash: f03090f2c8250b0e5097ef2d658dd5645c8d58df4709d14306bc8e0022ed32c6
Instruction Fuzzy Hash: 9841C2B0C00719CBEB25DFA9C884BDEBBF5BF49304F60805AD409AB251DB756946CF90

Function 02EB590D Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02EB59C9

Memory Dump Source

Source File: 00000000.00000002.1589028609.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_HGhGAjCVw5.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 32ad212a750f867dff0b359244edce2a34f1c1ecdf3e1a9a5a0d10fd41742a63
Instruction ID: afb2b3657841281611f83630f25f0f07ea6a274bd6e13717f5441b365a662586
Opcode Fuzzy Hash: 32ad212a750f867dff0b359244edce2a34f1c1ecdf3e1a9a5a0d10fd41742a63
Instruction Fuzzy Hash: 1E41C1B0C00719CBEB25CFA9C8847DEBBF1BF49304F60805AD408AB251DB75694ACF90

Function 02EBD720 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02EBD7A7

Memory Dump Source

Source File: 00000000.00000002.1589028609.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_HGhGAjCVw5.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ae89cef8bd6f4d0935b33c0353cb1da594874ac5e6c3420aec625a3d0db4ec34
Instruction ID: 1af1d251a609d7366ed738b64f495f70171cb2417d0a7c85740969146f8c7ee5
Opcode Fuzzy Hash: ae89cef8bd6f4d0935b33c0353cb1da594874ac5e6c3420aec625a3d0db4ec34
Instruction Fuzzy Hash: 1121E2B59002489FDB10CFAAD984ADEBBF8FB48310F14841AE918A3310D378A940CFA0

Function 02EBD719 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02EBD7A7

Memory Dump Source

Source File: 00000000.00000002.1589028609.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_HGhGAjCVw5.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1855460e9388077913be8beca86b406754ff308ce1f750a0748e40a363decb80
Instruction ID: a337f15996066cdaa99b56fad4f13ec026b31bd1d586137c97bc74b36e9750f9
Opcode Fuzzy Hash: 1855460e9388077913be8beca86b406754ff308ce1f750a0748e40a363decb80
Instruction Fuzzy Hash: 0A21E0B5D002189FDB10CFAAD985AEEBBF4FF48314F14841AE918B3210D378A940CFA0

Function 07727CB8 Relevance: 1.6, APIs: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07727D33

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 61315833a348d52e8c6e76d119d5a8f1377063e91fdc4e8d3c3aa749fd513184
Instruction ID: c032767fab8578cd86f843eca90b43bba10c4c2f251cd6042f742d1e053aa189
Opcode Fuzzy Hash: 61315833a348d52e8c6e76d119d5a8f1377063e91fdc4e8d3c3aa749fd513184
Instruction Fuzzy Hash: 862106B5D002599FCB20DF9AC584BDEFBF4FB48310F10842AE968A7650D378A545CFA5

Function 07727CC0 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07727D33

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e822ec2fa24f1b5b82d0577cca58ac54c4621df05bf17cd1229116f8082a2bd9
Instruction ID: 2cdf404dae7e50223c3a45ee92cb6cd0ac5c5c0da2204330fb4bb19ce5fcb323
Opcode Fuzzy Hash: e822ec2fa24f1b5b82d0577cca58ac54c4621df05bf17cd1229116f8082a2bd9
Instruction Fuzzy Hash: 0E21E4B5D002599FDB20DF9AC585BDEFBF4FB48320F108429E968A7250D378A945CFA1

Function 02EBB038 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02EBB09E

Memory Dump Source

Source File: 00000000.00000002.1589028609.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_HGhGAjCVw5.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 170bb4e1ef45febb513c7cd5ef290fd13de9565f813fb1bea4f31389a27682ae
Instruction ID: 9acd1465ee07c4f33a11ce0f532d26de36c81b45aa63d70df4484f5aa3ca8bbd
Opcode Fuzzy Hash: 170bb4e1ef45febb513c7cd5ef290fd13de9565f813fb1bea4f31389a27682ae
Instruction Fuzzy Hash: 6811DFB5D006498FDB20DF9AC444BDFFBF4EF88218F10845AD829A7610D379A545CFA1

Function 02DDD1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588310925.0000000002DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ddd000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d7ddb7aa06fa4580f7ad46a26d6c176b3c4613086de1ebe1f0d5d29afaeb36
Instruction ID: 6610c7e22aacf9646bc66cd06e85f4ffce3e6c9f0fcf22dc3325b463bffac5fd
Opcode Fuzzy Hash: 01d7ddb7aa06fa4580f7ad46a26d6c176b3c4613086de1ebe1f0d5d29afaeb36
Instruction Fuzzy Hash: 0F21FF72504640EFDF05DF50D8C0F2ABF66FB88210F20C5A9E8490B346C33AE816CBA2

Function 02DDD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588310925.0000000002DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ddd000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b856a6c3ddb8265ddbab391a547f29f04b95ec63c13d1469ac7007ed99c0b34b
Instruction ID: df7fbfedba1471eb1e4d0da9dba88d450366ebb40b378b0c043352689a0bf572
Opcode Fuzzy Hash: b856a6c3ddb8265ddbab391a547f29f04b95ec63c13d1469ac7007ed99c0b34b
Instruction Fuzzy Hash: 8A210372500604DFDF19DF10D9C0F26BB66FB88324F20C169E84A0B356C33AF856CAA2

Function 02DED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588563903.0000000002DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ded000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4af384a5857da1e9a7e68e1e6ed79de1af9f792c5b2441b96c30b944c5dc61
Instruction ID: ee7299e21b3a11161e5552ec475b79762e828e219f37b8df67dacfb3e2ecb7ee
Opcode Fuzzy Hash: 1d4af384a5857da1e9a7e68e1e6ed79de1af9f792c5b2441b96c30b944c5dc61
Instruction Fuzzy Hash: 3221D071604344DFDF15EF10D980B16BB6AEB88214F38C569E84A4B396CB3AD847CA62

Function 02DED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588563903.0000000002DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ded000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a6ce26308d8ea9d2d1ea4e15e5ce07f9db9335c7e7b9c7cca499402cdf3e328
Instruction ID: 9898833f60ba773d908022ab2a221c4781e7af958c080a7d1fb22c245de6db04
Opcode Fuzzy Hash: 2a6ce26308d8ea9d2d1ea4e15e5ce07f9db9335c7e7b9c7cca499402cdf3e328
Instruction Fuzzy Hash: 6621F575504344EFDF05EF10D5C0B15BB6AFB88314F20C56DD84A4B392C736D846CA61

Function 02DED005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588563903.0000000002DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ded000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee22c6e7185ef74b29df26866f49a08ac9f4da99ac8c7739fef1fbde7e2d7364
Instruction ID: a98f86cae83b2b9aff7d5e723194f77c0642e7170b699bc0688a8d7f4b21a743
Opcode Fuzzy Hash: ee22c6e7185ef74b29df26866f49a08ac9f4da99ac8c7739fef1fbde7e2d7364
Instruction Fuzzy Hash: BA2184755093C08FCB16DF24D594715BF72EB46214F28C5EAD8498F6A7C33A980BCB62

Function 02DDD1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588310925.0000000002DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ddd000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a399c1c7e5d4767c66c0655504a55924ec654719013d5a2b029cea97317b5a7b
Instruction ID: 935e71a7e1381ba0f096b3a229934536c11e834e7f6c10f5f5aa9cb1b8dba6c6
Opcode Fuzzy Hash: a399c1c7e5d4767c66c0655504a55924ec654719013d5a2b029cea97317b5a7b
Instruction Fuzzy Hash: 4D218C76504640DFCF16CF50D9C4B16BF62FB88214F24C5A9DC490A656C33AD826CBA1

Function 02DDD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588310925.0000000002DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ddd000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
Instruction ID: 48b9ef3fed75ab250d84aee3fb72a16ff627a0d4518d7e9b9f3fe942e868687f
Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
Instruction Fuzzy Hash: 4711AF76504640DFCF15CF10D5C4B16BF72FB84324F24C6A9D8490B656C33AE856CBA1

Function 02DED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588563903.0000000002DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ded000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
Instruction ID: add453e8f1033d25a04ca83b4210277218de0449acbb5b3f26b73d0974caf203
Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
Instruction Fuzzy Hash: 3A118B75504280DFCB15DF10D5C4B15BBA2FB84214F24C6A9D84A4B796C33AD84ACB61

Function 02DDD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588310925.0000000002DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ddd000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c833ab9bdb2c88b9cb73d51c2f11898d00dd7cdee2b605e0570477ec92f19f
Instruction ID: d55545bdfae2b620647ce9e41c98affeef026b495f1bfcb476d5a9b0503fd9a6
Opcode Fuzzy Hash: 83c833ab9bdb2c88b9cb73d51c2f11898d00dd7cdee2b605e0570477ec92f19f
Instruction Fuzzy Hash: EF012B32404740BEFB208E11CC84B67BBA8EF41264F14C59AED0A0B382D379DC41CAB5

Function 02DDD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588310925.0000000002DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ddd000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8ff0e7b3b8a9e02ae956a22820552730e6ea41372bd9a930fb4fc4574f886f
Instruction ID: c037f2683f7842458cac8f164d6bfaea2cf2204724bc483e4b5980453b9fb8a6
Opcode Fuzzy Hash: aa8ff0e7b3b8a9e02ae956a22820552730e6ea41372bd9a930fb4fc4574f886f
Instruction Fuzzy Hash: DFF0C272404344AEEB208E16C884B62FF98EB41634F18C45AED094B686C3799C40CAB1

Non-executed Functions

Function 0772A570 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

{#L, xrefs: 0772A748

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: {#L
API String ID: 0-1361971085
Opcode ID: e87a5326a8b434eeb9faab9b79d478ae9179a675860e27ec2f845c8cf4032eb2
Instruction ID: 227fefe605220a158e6b091334871da8b0a85f8e9576756a525c60fc8d5ab2e3
Opcode Fuzzy Hash: e87a5326a8b434eeb9faab9b79d478ae9179a675860e27ec2f845c8cf4032eb2
Instruction Fuzzy Hash: 69D106B1E15219DBCB18CFAAD98059EFBF2BF8A340F14D52AD425EB224D7309942CF54

Function 0772A560 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

{#L, xrefs: 0772A748

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: {#L
API String ID: 0-1361971085
Opcode ID: 7dd110f3df5fa5a5fd030425e6bb3a929ae76c6ba77cd6f036d436d1cea13c25
Instruction ID: 4c181282372847ca8c92961a21c0adcf1e54aab90710467feb7092ec154d268d
Opcode Fuzzy Hash: 7dd110f3df5fa5a5fd030425e6bb3a929ae76c6ba77cd6f036d436d1cea13c25
Instruction Fuzzy Hash: 40D116B1E15219DFCB18CFAAC98059EFBF2BF89340F15D52AD425EB224D73099428F54

Function 077218D9 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

98R, xrefs: 07721A43

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: 98R
API String ID: 0-576591972
Opcode ID: 86c30b8db076f00dc7ff05461deab6bae858111a620ef9d2519fea84556b9e7a
Instruction ID: 5e8d99ae528751837d1a1e9ad4e877f5ecec7f17634011bef51fbcee709d7e7c
Opcode Fuzzy Hash: 86c30b8db076f00dc7ff05461deab6bae858111a620ef9d2519fea84556b9e7a
Instruction Fuzzy Hash: 6E7139B4E1425EDFCB04CF95D4819AEFBB2FB89350F64842AD465AB314D3349A42CF94

Function 07728688 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

iUfo, xrefs: 077287AE

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: 299e2c0c0cff124459d1ed0a3a9b780a2f24a4ff4465ecd88ae4a15b1be8ee36
Instruction ID: 451e3c4fc1464788824b5890583ad62932efc71b01c9cd6e2d34ebc62cf6e658
Opcode Fuzzy Hash: 299e2c0c0cff124459d1ed0a3a9b780a2f24a4ff4465ecd88ae4a15b1be8ee36
Instruction Fuzzy Hash: FA5134B4E152199FCF08CFA9D9455EEBBF2BF89300F10902AE415FB350EB349A428B55

Function 07728698 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

iUfo, xrefs: 077287AE

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: 431959f0b0e7be9d9f9bc7201e98b52d2335c336498b138f9def2083692df541
Instruction ID: 6f75817b47b9f8951269943b4fe5115a3873b55be812f1b94c50d49e31770877
Opcode Fuzzy Hash: 431959f0b0e7be9d9f9bc7201e98b52d2335c336498b138f9def2083692df541
Instruction Fuzzy Hash: EB5123B4E112299FCB08CFA9D9455EEFBF2BF89300F10902AE415BB354EB3499428F55

Function 07721440 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

-2m, xrefs: 07721563

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: -2m
API String ID: 0-2686427999
Opcode ID: 39b5cb55f83c0f8a866fa1a98fbe6226c89b06418b029051bf411485b4926851
Instruction ID: 0322358ab087f93cc50006a36ba5e7b468d53f7354be60676a6f8e966f6b299d
Opcode Fuzzy Hash: 39b5cb55f83c0f8a866fa1a98fbe6226c89b06418b029051bf411485b4926851
Instruction Fuzzy Hash: 45512BB0E142198FDB08CFAAD5406AEFFF2FF89341F64D06AD41AA7254D7348A41DB64

Function 07728A90 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

w7e^, xrefs: 07728BC5

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: 77db235dca54f027b45e84e549a79b6cfe4a91d0c04e38f9e492e20e856eb4a6
Instruction ID: 4c28a706bb1b3b5f5600bb52f9658a0249e0c5062f7cceaa9a3307e403f7ccee
Opcode Fuzzy Hash: 77db235dca54f027b45e84e549a79b6cfe4a91d0c04e38f9e492e20e856eb4a6
Instruction Fuzzy Hash: F14158B0D14269DFCF04CFA6C8415EEFBB1FB8A280F14982AC426B7254D7394642CF59

Function 07728A80 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

w7e^, xrefs: 07728BC5

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: bb8bf7f9b58725201706065ee60d7f93b20560766454f44760f15c5e79ebc39b
Instruction ID: acabe6344de84cff4fa9fbaa2e4702a25314dac7d4eea505c775886e02bc7882
Opcode Fuzzy Hash: bb8bf7f9b58725201706065ee60d7f93b20560766454f44760f15c5e79ebc39b
Instruction Fuzzy Hash: 534148B5D15269CFCF04CFA6C8416EEFBB1FB8A240F14982AC426B7254D7394642CF5A

Function 07725588 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

0ni, xrefs: 077256F3

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: 588adbfed087228b08b5853498047a782a68f6ee6c143f78d396e65198d2a216
Instruction ID: 921872803b0b1b7dc546f1a54f269a669de379c2a53046bb16b4acacccbcbe49
Opcode Fuzzy Hash: 588adbfed087228b08b5853498047a782a68f6ee6c143f78d396e65198d2a216
Instruction Fuzzy Hash: C8515BB1E116188BDB68DF6B8D4579EFBF3BFC9200F14C1BA950DA6214EB340A858F51

Function 0772557A Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

0ni, xrefs: 077256F3

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: 2ef1324eb97596928d564ef3758cab99e911e0bbd8696b526b4f59df7cffed5f
Instruction ID: 72cdb864738615884ff7dcfbf674122ec30e6189e7d906d7328cb223f7cb3b61
Opcode Fuzzy Hash: 2ef1324eb97596928d564ef3758cab99e911e0bbd8696b526b4f59df7cffed5f
Instruction Fuzzy Hash: AB516C71E056588BDB58CF6B8D4479AFBF3BFC9200F14C1BA850DA6254EB340A858F51

Function 02EBD404 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589028609.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51325931cc5b4ca2d9b6041915a211d4b4f6d18362a88624902b14f6100d1af6
Instruction ID: 385fa9fcac7ab4ff6b5ec65ff6911025457cfeb5260c144bfdb462d26c090fc1
Opcode Fuzzy Hash: 51325931cc5b4ca2d9b6041915a211d4b4f6d18362a88624902b14f6100d1af6
Instruction Fuzzy Hash: D1A16832E402098FCF06DFB5C8405DEB7B2FF85304B2595AAF805AB265DB31E956CB80

Function 07729FC8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34f34ebd0eae9e7be6d15d24cfaa0e6e04d425cebae1951c05cede546825843
Instruction ID: 42245a44c169bc7b24fde381a44182fa11914bea9a10c2ba0614d3ba893a126a
Opcode Fuzzy Hash: c34f34ebd0eae9e7be6d15d24cfaa0e6e04d425cebae1951c05cede546825843
Instruction Fuzzy Hash: CEB1E8B1D15219DFCF18CFA6D54059EFBB2BF89340F20D42AD429A7254EB34AA06DF10

Function 07729FBA Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef42a83625edc7646f9ef1c2b95b20b430043b5650ab63e400b03a1233e52ec
Instruction ID: f82b167fa5dc6bd961a0adc6c766f74e58ac13ac836613bce5bfc8f3a6dedb7d
Opcode Fuzzy Hash: fef42a83625edc7646f9ef1c2b95b20b430043b5650ab63e400b03a1233e52ec
Instruction Fuzzy Hash: 4BB1F7B1D152199FCF18CFA6D58159EFBB2FF89340F20D42AD429A7254EB34AA06DF10

Function 07723CF8 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6ca61fd5762944be275d14145586170597b4a519a4a57fa53db58b3c70832d
Instruction ID: 6f1409c8e860e0d7df173657354ca7109aea33a040f352fd8bdb35071541b1f7
Opcode Fuzzy Hash: 8a6ca61fd5762944be275d14145586170597b4a519a4a57fa53db58b3c70832d
Instruction Fuzzy Hash: EC81F474A2525ACFCB04CFA9D58489EFBF1FF89350F24956AD425AB220D334AA42CF51

Function 07723D08 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6032b56bfbf9ffedb0d4b931f6411a69b5b640dedbcce85d4e061d3996649b9
Instruction ID: d3b9fd6a7b63472259af2942e25176b6e3b4a3355653ef3aecb1a3708aa246ec
Opcode Fuzzy Hash: f6032b56bfbf9ffedb0d4b931f6411a69b5b640dedbcce85d4e061d3996649b9
Instruction Fuzzy Hash: 7A91E2B4A1521ACFCB04CF99C58489EFBF1FF89350F24955AD425AB224D334AA42CF51

Function 07728E40 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45f1563058b8b5e1ffcfeb230ed86f298c568a3fe3d139fd76e1b58ed52ad3f9
Instruction ID: 24f3ff0d06955613398d7bef2deaf8b0d68a144e4c609cca988be9bed9ef2731
Opcode Fuzzy Hash: 45f1563058b8b5e1ffcfeb230ed86f298c568a3fe3d139fd76e1b58ed52ad3f9
Instruction Fuzzy Hash: 5D813EB4E10229CFDB14CF69C5806AEFBB6FF89300F24C569D418A7256D734AA42CF61

Function 07725108 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd885183f5616c72629e409f96ca278c51dd78dbef6480ff9bf47cd9dc88dde7
Instruction ID: ded58ff0e12186891100bd33507764f9e933503e259eb66d3561075eb7f61def
Opcode Fuzzy Hash: bd885183f5616c72629e409f96ca278c51dd78dbef6480ff9bf47cd9dc88dde7
Instruction Fuzzy Hash: 2F7137B4E156198FCB04CFA9C9805DEFBF2FF89250F24946AD415BB264E3349A428B64

Function 07725118 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e392be569a3417ab51b805efae887b0232363e4fbfb51ae14f1cb1898e9745
Instruction ID: 5e46585ea05ca849d1b666df368bf79245946c2cab2f26b06b6c9e2059c2e514
Opcode Fuzzy Hash: 23e392be569a3417ab51b805efae887b0232363e4fbfb51ae14f1cb1898e9745
Instruction Fuzzy Hash: 187126B4E15219CFCB04CFA9C9805DEFBF2FF89350F24946AD415BB224E3349A528B64

Function 07723ADA Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9477ff7a08ab3fc9e2effb1ba1c4c0cb6d3b680a9f7a3c1ec03b9827a2bd1c2
Instruction ID: 5252ccb7ea10171e28f1a7b685eb21708c284aff54179263f9ee0b6a5663a61b
Opcode Fuzzy Hash: e9477ff7a08ab3fc9e2effb1ba1c4c0cb6d3b680a9f7a3c1ec03b9827a2bd1c2
Instruction Fuzzy Hash: 4E51BDB0D08259AFCB04CFA9C4805AEFFB1FF86340F54C59AC465AB252D3389A42DF91

Function 07724F00 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ecff7216fb432dfb87e718ddc07d25a92b60a77841ac373244cb48cd3d171e
Instruction ID: 387a1b2fe921a4c12de2b444c0eee2389b51f9a67a389f4e64e719de6a9d7c98
Opcode Fuzzy Hash: f5ecff7216fb432dfb87e718ddc07d25a92b60a77841ac373244cb48cd3d171e
Instruction Fuzzy Hash: 04413AB0E0425A9FCB08CFAAD4815AEFBF2FF89340F14C46AD425A7244D3349A428F94

Function 07728348 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8612f785ddc5725f26289cc4143224856b65adc6afb1d135fe0829348309c6
Instruction ID: df81ab55e292dd4a56a22eed81da302cc04946570da0efa53da2a8ee64aaa49e
Opcode Fuzzy Hash: 8c8612f785ddc5725f26289cc4143224856b65adc6afb1d135fe0829348309c6
Instruction Fuzzy Hash: F1419EB0E0961ADFCB04CFA5D5416AEFBF2EF89340F20D56AC114B7265D3748B428B96

Function 077253A8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c263080bccd4c2d170602adddee0dc59518d190a6351dc2ce087e1ddd5a160c
Instruction ID: 196f2c7d9eeefa46777569c11f1523330ce6125f63483d6fa0dedd1d166bf754
Opcode Fuzzy Hash: 8c263080bccd4c2d170602adddee0dc59518d190a6351dc2ce087e1ddd5a160c
Instruction Fuzzy Hash: 8F4128B0E0521ADFCB04CFAAC5815AEFBF2FF89340F20D5AAC415B7214D7309A529B94

Function 07725398 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5497fc4d37adbc6967aad021eba0d40bdb253a85e87c523d58e856382e39166e
Instruction ID: 9f5a458bf161df3058a97f598ff338859ff0c44c031a659a9c6ba01c0e0249dc
Opcode Fuzzy Hash: 5497fc4d37adbc6967aad021eba0d40bdb253a85e87c523d58e856382e39166e
Instruction Fuzzy Hash: C1412AB0E0521ADBCB04CFA9C5816AEFBF2FF88340F24D569C415A7214D7709A529B94

Function 07728358 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dcee51eaafbc617e377cfc23da00cedae290d8d5e04cf256c305d0e7c8826ee
Instruction ID: fb5d0c85783865d2c06478cfe5e7698fba01a816eb1432ef0d279dcc614225dc
Opcode Fuzzy Hash: 1dcee51eaafbc617e377cfc23da00cedae290d8d5e04cf256c305d0e7c8826ee
Instruction Fuzzy Hash: 66416DB0E1921ADFCB04CFA6C5416AEFBF1EF89340F20D46AC115B7264E37497028B95

Function 07724F10 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c48a644b01403e90d28a9f23ac36d97ebd1954b7a6cdad7414076b81101e9b6d
Instruction ID: 2c8e301f266b66b5d3748e43c7f863bc423665e7ea05022c3549bc257e990141
Opcode Fuzzy Hash: c48a644b01403e90d28a9f23ac36d97ebd1954b7a6cdad7414076b81101e9b6d
Instruction Fuzzy Hash: AA41D4B0E1421ADBCB48CFAAC4815AEFBF2BF89340F14C46AD425B7254D7349A429F94

Function 07720007 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4446781d7132ca8230b98516b7870baa0234ecd6d98dcf4351b380e2ba05e2
Instruction ID: 1fd74c554553bb47be5e428e2b5d347b7f953a85247194d1df662514bf82b15d
Opcode Fuzzy Hash: 4f4446781d7132ca8230b98516b7870baa0234ecd6d98dcf4351b380e2ba05e2
Instruction Fuzzy Hash: 84313271E057548FE71ACF679C0029AFFF3AFCA210F08C0A7C454AA165D6350946CF65

Function 07720040 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611862646.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7720000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb09b9debe3f8bdc4c5a8ee0373478bb80156a16f61f9bd1ee5d365ccc318fd
Instruction ID: 06525dc9f1f39bbf67c8e8c63778438f58dab1dc37bcbdeeb808c0e178829423
Opcode Fuzzy Hash: dbb09b9debe3f8bdc4c5a8ee0373478bb80156a16f61f9bd1ee5d365ccc318fd
Instruction Fuzzy Hash: 0611DDB1E006189BEB5CCFABD80069EFAF7AFC9200F04C07AC918B6254EB7005568F65

Analysis Process: HGhGAjCVw5.exePID: 7348, Parent PID: 1664COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	144
Total number of Limit Nodes:	16

Executed Functions

Function 0699234A Relevance: 1.0, Instructions: 1008COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5d7552205a0f8c8907556afb47b0f1e3d3911e2b0b15a389106f150d2e41b6
Instruction ID: 3a902c1e1180cde6cc359da04107ee74f7aac017bac52e87b6033dd6933e91e3
Opcode Fuzzy Hash: ef5d7552205a0f8c8907556afb47b0f1e3d3911e2b0b15a389106f150d2e41b6
Instruction Fuzzy Hash: 25926834E102049FDFA4CB68C588A5DB7F6FF49314F6484A9D409AB761DB35ED81CBA0

Function 069965E0 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91446cf510c31cfa81c349b42102940a321e59a40cc5c082cc9cd5a00fb58e07
Instruction ID: eefc522b90b79660c88eb7d71405555d69de0e0af8a194392a44544bfd92b405
Opcode Fuzzy Hash: 91446cf510c31cfa81c349b42102940a321e59a40cc5c082cc9cd5a00fb58e07
Instruction Fuzzy Hash: 63629A34B102048FEF54DBA8D594BADB7F6EB88314F248469E406DB790DB75EC81CBA0

Function 06995588 Relevance: .6, Instructions: 609COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f68d8345be0d1bc21181c6a281c41c75514b9348b16b8be8a3753218bdbbf18
Instruction ID: b31a1a779267ccaf91576b87d2a4daa66762540542049f7bea446d1b250b6aa6
Opcode Fuzzy Hash: 6f68d8345be0d1bc21181c6a281c41c75514b9348b16b8be8a3753218bdbbf18
Instruction Fuzzy Hash: 8522BE31F002148FEF66CBA9C4806AEBBB6FF85320F258469D556AB741DA35DD41CBA0

Function 0699B20F Relevance: .6, Instructions: 583COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8b79d1964306b56e11e35dd317dc1b36458e24fccc0d46b4f8c8956eaa5bb0
Instruction ID: 1b76b4d48866eedd7c4c40d390bf12d722c274b821b02e560ca45796de99945c
Opcode Fuzzy Hash: 5e8b79d1964306b56e11e35dd317dc1b36458e24fccc0d46b4f8c8956eaa5bb0
Instruction Fuzzy Hash: 7E225F30E101098FEF64CB9DE4947AEB7BAFB85310F248526E445DBB95DA38DC81CB61

Function 06993040 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342f0301ea499e1fd835b0bedf1c39e12bdb43877251a790f22d396768b4f440
Instruction ID: ea5285db5397a247bab6fe65b66a435d88fd287d056115825e1224cf2c36bb18
Opcode Fuzzy Hash: 342f0301ea499e1fd835b0bedf1c39e12bdb43877251a790f22d396768b4f440
Instruction Fuzzy Hash: CA323D30E10619CFDB24DF69D89469DB7B6FF99300F20866AD40AA7251EB70AD85CF90

Function 06997D68 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3757109976785fd4f50ce6a1935b4c0bffafeeb776208b3a32d2b77ba8487e
Instruction ID: 16c2c9b647dcd888c5a1d43054c29dfe4c3d62d5c86a2ac83d34e493af073ef3
Opcode Fuzzy Hash: 0e3757109976785fd4f50ce6a1935b4c0bffafeeb776208b3a32d2b77ba8487e
Instruction Fuzzy Hash: 01028C30B102058FDF54DBA8D594BAEB7E6FF85310F248929D4059B781DB75EC82CBA0

Function 06982C83 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06982D06
GetCurrentThread.KERNEL32 ref: 06982D43
GetCurrentProcess.KERNEL32 ref: 06982D80
GetCurrentThreadId.KERNEL32 ref: 06982DD9

Memory Dump Source

Source File: 00000009.00000002.2832512525.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6980000_HGhGAjCVw5.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 85eb342f206ed2a3348e790f5a5e6b52bdf9585801dce2902ca797a1736f4989
Instruction ID: 0f8d8325481c91616f7ccc5c7dc435072c7106b2ac5549dd2e5cdf2f79548796
Opcode Fuzzy Hash: 85eb342f206ed2a3348e790f5a5e6b52bdf9585801dce2902ca797a1736f4989
Instruction Fuzzy Hash: 355167B09003098FDB54DFAAD948BDEBBF5FF88304F24801AE419A7750D7786985CBA5

Function 06982C88 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06982D06
GetCurrentThread.KERNEL32 ref: 06982D43
GetCurrentProcess.KERNEL32 ref: 06982D80
GetCurrentThreadId.KERNEL32 ref: 06982DD9

Memory Dump Source

Source File: 00000009.00000002.2832512525.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6980000_HGhGAjCVw5.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9a9b2faf40af19d908ff38f5ad2c6fd37a5a3cc26077477364122c16d01bf637
Instruction ID: 6280b46685588718c994a942c1f68bf07db2691cf76e8b85f9e7e8afbfbc73e1
Opcode Fuzzy Hash: 9a9b2faf40af19d908ff38f5ad2c6fd37a5a3cc26077477364122c16d01bf637
Instruction Fuzzy Hash: A95166B09003098FDB54DFAAD948BDEBBF1FF88304F24801AE01AA7750D778A945CB65

Function 06994B50 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fq, xrefs: 0699525D
\Oq, xrefs: 06994D07
XPq, xrefs: 06994C7D

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: fq$XPq$\Oq
API String ID: 0-132346853
Opcode ID: b4bfa6589816a6da921b35e99d94d2b35ea7bcd12c8dc6803048afc28248e01e
Instruction ID: df700e9f2e6f39f656e64794b246722152612a9504c9f6a599a41973927029bc
Opcode Fuzzy Hash: b4bfa6589816a6da921b35e99d94d2b35ea7bcd12c8dc6803048afc28248e01e
Instruction Fuzzy Hash: 83617130F002199FEF559BA8C8147AEBAF6FF88700F20852AD506AB795DF754C45CB90

Function 0698B198 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0698B3FE

Memory Dump Source

Source File: 00000009.00000002.2832512525.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6980000_HGhGAjCVw5.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 072a44f590fda372abefcd1cb2051a0520e8e4b31cd5c2cc88ef903c1446da9b
Instruction ID: e3cf4423752b687863084192dbca5f402299ee6118065e81377a1aa894c3772e
Opcode Fuzzy Hash: 072a44f590fda372abefcd1cb2051a0520e8e4b31cd5c2cc88ef903c1446da9b
Instruction Fuzzy Hash: 0A818970A00B058FD7A4EF2AD44475ABBF5FF88200F14892DD49ADBB54D779E846CB90

Function 0110EB38 Relevance: 1.7, APIs: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2819670107.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1100000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b571a7f5805ed77a0e04b678bcee2fe70098bd06b4975e51e841da20d3cf65f
Instruction ID: edb30177ac378f3455478cb111f7610d299853af494fd8d09554fa18bc2b9379
Opcode Fuzzy Hash: 6b571a7f5805ed77a0e04b678bcee2fe70098bd06b4975e51e841da20d3cf65f
Instruction Fuzzy Hash: F3517831D053999FDB19CF79D8046EEBFF5AFCA210F04856AD405A7282DB749845CBE0

Function 0698D384 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0698D4A2

Memory Dump Source

Source File: 00000009.00000002.2832512525.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6980000_HGhGAjCVw5.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f8423a26d7a318d36c8fa6779c8f07308f737df717c37fda21666a3fee03e400
Instruction ID: b9e7867b2e2510871cce3956b0db46afe855542f0c0c73919bc3c5378aa9a082
Opcode Fuzzy Hash: f8423a26d7a318d36c8fa6779c8f07308f737df717c37fda21666a3fee03e400
Instruction Fuzzy Hash: 1651D2B1D003489FDB14DFA9C884ADEBBB5FF88314F64812AE819AB250D775A845CF90

Function 0698D390 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0698D4A2

Memory Dump Source

Source File: 00000009.00000002.2832512525.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6980000_HGhGAjCVw5.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 55a0830cf33c679fd82b98ef7c9f48a2e0ac2d333c8ebf9434acc9e52e99de9b
Instruction ID: 3a20d5581ceba8fd9a883de263f8e01e0e087a5b5b119d1ceda9397f0ef1a36a
Opcode Fuzzy Hash: 55a0830cf33c679fd82b98ef7c9f48a2e0ac2d333c8ebf9434acc9e52e99de9b
Instruction Fuzzy Hash: 1A41C2B1D003489FDB14DFA9C884ADEBBB5FF88310F24812AE819AB250D775A845CF90

Function 0698E2FC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0698FB91

Memory Dump Source

Source File: 00000009.00000002.2832512525.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6980000_HGhGAjCVw5.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 63c982863c489df1dbc4dbdc5d7dbef2795e66ffe54d448f5ad33a054069b36c
Instruction ID: a6aaa793030a2a76f0b5ebddaa114b097e994dd7aa24b1d01036f8d97565c5c2
Opcode Fuzzy Hash: 63c982863c489df1dbc4dbdc5d7dbef2795e66ffe54d448f5ad33a054069b36c
Instruction Fuzzy Hash: 074119B49003098FDB54DF95C488AAABBF5FF88314F24C459D519AB761D374A841CFA0

Function 06982EC8 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06982F57

Memory Dump Source

Source File: 00000009.00000002.2832512525.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6980000_HGhGAjCVw5.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ac6d991bcad29d5ea1a7eee27b965069987fcaf8677b0684ffb8f2c49c2396c4
Instruction ID: ca4b245d90c1fb2b68a72dcabd872c30d564052815828b4d6ce1117b8bd8c9c6
Opcode Fuzzy Hash: ac6d991bcad29d5ea1a7eee27b965069987fcaf8677b0684ffb8f2c49c2396c4
Instruction Fuzzy Hash: 9C21E5B5D003489FDB10DFAAD984ADEBBF9EB48310F14841AE919A7350D378A941CFA5

Function 06982ED0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06982F57

Memory Dump Source

Source File: 00000009.00000002.2832512525.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6980000_HGhGAjCVw5.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 773054b497b4337161e2c3edf23acd1a24fc0758a2e3c390a7dadeb8105013ff
Instruction ID: 0902a957bd70f19e769beaf2901781e5d19ee33b38e6facde0a07cc8ddc5a7d6
Opcode Fuzzy Hash: 773054b497b4337161e2c3edf23acd1a24fc0758a2e3c390a7dadeb8105013ff
Instruction Fuzzy Hash: 2821C4B5D003489FDB10CF9AD984ADEBBF9EB48310F14841AE918A3350D378A945CFA5

Function 0110EC20 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0110EC87

Memory Dump Source

Source File: 00000009.00000002.2819670107.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1100000_HGhGAjCVw5.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 255dd0c3c4aae20e2dd02be1c8d175263d74049b64c1032aee2ef0dfbc8fbf59
Instruction ID: 1370146657854843b949c3f3895aa5f45e1234dbd3dc9e3d78d84d3e6549e210
Opcode Fuzzy Hash: 255dd0c3c4aae20e2dd02be1c8d175263d74049b64c1032aee2ef0dfbc8fbf59
Instruction Fuzzy Hash: CA1120B1C006599BDB10CF9AC544BDEFBF4EF48220F10852AD818B7240D778A941CFA5

Function 0698B398 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0698B3FE

Memory Dump Source

Source File: 00000009.00000002.2832512525.0000000006980000.00000040.00000800.00020000.00000000.sdmp, Offset: 06980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6980000_HGhGAjCVw5.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b265f1108970973130f7841dc2d0ae5935b6e39c7e9f201758142627e284e155
Instruction ID: 7a72ce8dc75ec950b70cf9de812ed8c884bbfe5978ba0b8463edc057179c6e63
Opcode Fuzzy Hash: b265f1108970973130f7841dc2d0ae5935b6e39c7e9f201758142627e284e155
Instruction Fuzzy Hash: EC1113B5C003498FCB10DF9AC444BDEFBF4EB88214F14841AD819A7610C379A545CFA1

Function 06994B40 Relevance: 1.4, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPq, xrefs: 06994C7D

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: XPq
API String ID: 0-1601936878
Opcode ID: a4bc153759c90a778fc24496207851c16fcd0bdb1f59cba9ed7d24c892ed7b3d
Instruction ID: 18d9e8294a4edaf486f0292d0df3fdb481a75d70a88b2e5051be1a13b298f605
Opcode Fuzzy Hash: a4bc153759c90a778fc24496207851c16fcd0bdb1f59cba9ed7d24c892ed7b3d
Instruction Fuzzy Hash: EC418470F002199FEF459BA8C814B9EBBF6FF88700F20852AD146AB795DB758C45CB90

Function 06994B78 Relevance: 1.4, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPq, xrefs: 06994C7D

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID: XPq
API String ID: 0-1601936878
Opcode ID: 2152239ffa545c9d8c9159fb08e9b1c455b0d2a644cd1844d36deeeb2f0e1c25
Instruction ID: 9b3b082a188e6b33d4a1087f42ce7684638cc48fd73acb3ece94b86fda2a832f
Opcode Fuzzy Hash: 2152239ffa545c9d8c9159fb08e9b1c455b0d2a644cd1844d36deeeb2f0e1c25
Instruction Fuzzy Hash: 3C412C74B002099FEF459FA9C414BAEBBF6FF88700F20852AE546AB395DB758C45CB50

Function 0699CF28 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a346817acedc8dae730fda1a2f29bfb38937af931d000395d489938a737f810
Instruction ID: 55999130f31e57be2435f8870c361066dca61795110575888f4b871627e29329
Opcode Fuzzy Hash: 5a346817acedc8dae730fda1a2f29bfb38937af931d000395d489938a737f810
Instruction Fuzzy Hash: EE628E30A106068FDB59DF68D590A9EB7B6FF84300B20CA29D0459F755EB79EC86CF90

Function 0699C170 Relevance: .6, Instructions: 649COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37750875f33e87677690592ed54181c8d360cff6a416509ab8343f5effa4561c
Instruction ID: 19320cab567ec986a6a2748b726dfa72a8126d68a7f2a0a8eea0e5c21ac48391
Opcode Fuzzy Hash: 37750875f33e87677690592ed54181c8d360cff6a416509ab8343f5effa4561c
Instruction Fuzzy Hash: BE325B34B10205DFDF54DBACD894BAEB7B6EB88354F208529E405DB781DB35EC818BA1

Function 0699B630 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b152164e99f932c6b271bb5155ded1a808aef298a819293a39678f40ef3e36
Instruction ID: b040f15c9bb87bf9e0d19fdea9bcda1478e6b1999cbe040e47df0fdabcc46f87
Opcode Fuzzy Hash: 93b152164e99f932c6b271bb5155ded1a808aef298a819293a39678f40ef3e36
Instruction Fuzzy Hash: 9A025D30E102098FDF64CB5CE4847AEB7B6FB45314F208566D445DBA59DB78EC81CBA1

Function 0699ACB8 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a1feb67609263cee8f5b99f159cd8212244795496b0f66febd81c2600638c9
Instruction ID: 31ee6dad67756e570dd9b463af2dd044d6fafc38827b1ddd6abdd961a886985a
Opcode Fuzzy Hash: 53a1feb67609263cee8f5b99f159cd8212244795496b0f66febd81c2600638c9
Instruction Fuzzy Hash: EEE17030F102098FDF69DBA8D4506AEB7B6FF89304F208529D406AB745EB74DC46CBA1

Function 06999138 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b17e22eb44df673ed2e460d3558d503da0473a87fd615b4332ef844ff12175
Instruction ID: 63d45ebf7af1177a4b2c718b11faa2f64ae84a396d43166d0eb8463608a7a68c
Opcode Fuzzy Hash: a9b17e22eb44df673ed2e460d3558d503da0473a87fd615b4332ef844ff12175
Instruction Fuzzy Hash: 16917E34B102098FDB64DB6DD8907AE77F6FF88310F148469C40AAB745EF74AC918B91

Function 069961E0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afe1eca2475362f81aae5e4296cb8a4a48d0fc141b8c3fcc9c4eac27d55089f1
Instruction ID: 023176db9e0f36a184ea06b57c8e551394f5e73cce416a1b865ba4d6b3cbd2d9
Opcode Fuzzy Hash: afe1eca2475362f81aae5e4296cb8a4a48d0fc141b8c3fcc9c4eac27d55089f1
Instruction Fuzzy Hash: D161C471F001104FEF559B7DC84066EBAEBAFD4210B254439E40ADB361DEB5DC0287D1

Function 06994280 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ccdb253491f3830733c5da69aae5287f421ef237eba2aed702a27ea51696e86
Instruction ID: 47e1b3ee31826f0ff1799daf8b7df2cf475f65b4086909698a3f35a7d1d1e56c
Opcode Fuzzy Hash: 0ccdb253491f3830733c5da69aae5287f421ef237eba2aed702a27ea51696e86
Instruction Fuzzy Hash: 33814C34B102058FDF55DBB9D4547AEBBF6BF88300F208529E40ADB745EA35DC828B91

Function 069945A0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c596b39dac8147c8700d542b550db0cbd7faf7cd068c5e8607cf65150c8bac6
Instruction ID: e98af734ee01dea3dee5b037c0b6f1470358047b33fe4e5e06af4e23c596abf3
Opcode Fuzzy Hash: 3c596b39dac8147c8700d542b550db0cbd7faf7cd068c5e8607cf65150c8bac6
Instruction Fuzzy Hash: AE913E30E102198FDF55DF68C890B9DB7B1FF89310F208699D449AB691DB70A986CF91

Function 069945B8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0f9d17cfd5f3d1bfd59091bee14ad485e6c3a319ad64dc8271286967761b74
Instruction ID: 7cafd071cc144bcc043993f13151bba2b6ef0a82928fb05a64db6cd6d5c8ea64
Opcode Fuzzy Hash: ac0f9d17cfd5f3d1bfd59091bee14ad485e6c3a319ad64dc8271286967761b74
Instruction Fuzzy Hash: 09911C30E106198FDF65DF68C880B9DB7B1FF89314F208699D549AB341DB70AA86CF91

Function 0699EEF0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b80ef8e0fe3543cd7aeeae08dd81d76dfd247514a20eec201ce05d47a54073b9
Instruction ID: 0ffbdcc5227fb31566517f4766e279e0eb64f3d810b8c45404d20936937c18f0
Opcode Fuzzy Hash: b80ef8e0fe3543cd7aeeae08dd81d76dfd247514a20eec201ce05d47a54073b9
Instruction Fuzzy Hash: EC814A70A002099FDB55DBA8D980A9EFBFAFF89304F248529E405EB755DB70EC42CB50

Function 0699EF00 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cabcdd93e101c7e90c3cda53d3dcc1e8c95f4f22875388997c3de680ff3395a
Instruction ID: 04aecf6b1b6f68e07e569dcfb1e230ca412f730d7208dc27531e026cc6112abd
Opcode Fuzzy Hash: 1cabcdd93e101c7e90c3cda53d3dcc1e8c95f4f22875388997c3de680ff3395a
Instruction Fuzzy Hash: B1714970E002098FDB55DBA8D980A9EBBFAFF88300F248429E405EB755DB74EC42CB50

Function 0699FC58 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26d5dca6010e674c2a7e4d160f9b68453c3139b5894e5e1f19eda0ec16da0691
Instruction ID: 97f0d07599cf3a08b8a54fbf507113e9a5d625425bd5238bf20b87e76aa52883
Opcode Fuzzy Hash: 26d5dca6010e674c2a7e4d160f9b68453c3139b5894e5e1f19eda0ec16da0691
Instruction Fuzzy Hash: 6C51C131E002099FDF64EBBCE4546AEF7B6FB84311F20886AE106D7751DB359855CBA0

Function 0699FA0A Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09731703875723eaa63b303f5d6db3b151533356876a23ec098f9f72f668195
Instruction ID: 70c3821aa7097ad3ca08aecc692596ce95dd4b9080bb0c82ac64f5fe8996b806
Opcode Fuzzy Hash: b09731703875723eaa63b303f5d6db3b151533356876a23ec098f9f72f668195
Instruction Fuzzy Hash: 9B51E470F202044FEF645A6DD85476F666EEB89750F34482AE40AC7B91E96CCC9187A2

Function 0699FA18 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57dd7cdfa23d29a3cb0d0adb730316ad9da93f30c86611fb35da397b76e858bd
Instruction ID: 34f7bb57b4e9afe94ee4c27fd502e3ecdae5f37ab183fbfaf19b0e911b7cf783
Opcode Fuzzy Hash: 57dd7cdfa23d29a3cb0d0adb730316ad9da93f30c86611fb35da397b76e858bd
Instruction Fuzzy Hash: 4A51A1B0F202045FEF645A6DD89472F626EE789760F34482AD50EC7B90E9ACCCD147A2

Function 06999127 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b42d156d095c0c8d3820cbe925908e088e35afd34e89dfda98ee3dbc438002d
Instruction ID: 35f08b029dca3930d5fa2b0b6c01b43a96c6d665c4325fb67e292ca134b71762
Opcode Fuzzy Hash: 0b42d156d095c0c8d3820cbe925908e088e35afd34e89dfda98ee3dbc438002d
Instruction Fuzzy Hash: BA516E34B501059FDB64DBBCE8A0B6E77F6FB88310F148469C40A9B745EE34AC52CBA1

Function 069953F8 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb4eee9fa34cd76fa64b62582284f1a1dbbc7999aee7c0f900a67ba7116a1418
Instruction ID: b2325e08f280d7dabe4b01bce4cbf432179c95ec52f9d4e0561ce169539384f9
Opcode Fuzzy Hash: fb4eee9fa34cd76fa64b62582284f1a1dbbc7999aee7c0f900a67ba7116a1418
Instruction Fuzzy Hash: 7F416D71E006098FDFB1CFADD880AAFF7F6EB84210F21492AD159D7A51D331E8558BA1

Function 0699DA9D Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10aca81ec3bc15f4ddc6641c06c2852638df99037f898fa5f379af43a8142f00
Instruction ID: 2a9e69c37ed887357473071ad25acd9a3baed61f100a88569fe0105a902f9c56
Opcode Fuzzy Hash: 10aca81ec3bc15f4ddc6641c06c2852638df99037f898fa5f379af43a8142f00
Instruction Fuzzy Hash: C641B234E007099FDF64DF69C4906AEBBB6FF85300F204529E412EB740EB75984ACBA1

Function 069921D0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec66ae1dd271a7addb48655a77beca7f799cf0bd8c79853fd48927fa0d5122b8
Instruction ID: fa6661653d60381d504e5f12e93e54623090e356d107acfea57a5cb9cfc49219
Opcode Fuzzy Hash: ec66ae1dd271a7addb48655a77beca7f799cf0bd8c79853fd48927fa0d5122b8
Instruction Fuzzy Hash: 5531EF30B202059FDF58ABB8C55476F3BAABF89640F204528D406DB385DF3ACD42CBA1

Function 0699D950 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b29b0127e348add3cb5509e98a511e4b062ed51c30688383aa7643107ed2e5
Instruction ID: 62e1710a128e11ac690a61409280f09f36c0479fff8adc207b52149739dd08e9
Opcode Fuzzy Hash: 96b29b0127e348add3cb5509e98a511e4b062ed51c30688383aa7643107ed2e5
Instruction Fuzzy Hash: B131C630E1070A8FDF15DF68C890A9EB7B6FF85344F208929E405EB740E7B0E9468B91

Function 06992081 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d28cb5fd01a04f8fce330110e59802076da7d16ba28b2456eb37446505d375e8
Instruction ID: e944b8a8788fc06825caaaec572bab8dffb2b6e4796d1327123681304fed22d4
Opcode Fuzzy Hash: d28cb5fd01a04f8fce330110e59802076da7d16ba28b2456eb37446505d375e8
Instruction Fuzzy Hash: AA319D34E102059FDB69CF68D8546AEB7F6FF89310F108529E902A7B40DB71AD82CB50

Function 06992090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd812035cea443bae95844de2c1afe78787dccb4b59418bec6f3ae3ad324e1f3
Instruction ID: 9fe0dc1bd1a7bf0e4b55107fc0c9f2d3580cce9c750e5bbba3529395a581a9d1
Opcode Fuzzy Hash: fd812035cea443bae95844de2c1afe78787dccb4b59418bec6f3ae3ad324e1f3
Instruction Fuzzy Hash: 6F316D34E14205AFDB59CF68D854A9EB7B6FF89300F208519E906A7740DB71AD81CB50

Function 06993A80 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a09e0107e54c1707e4571d2331d0d22abeb90a16d8e158406c1789426ebf6b2
Instruction ID: 31ab3c5ae492d4c7dfa2145e6f828d44eda159dfc2fece89f0a39a7699a4979e
Opcode Fuzzy Hash: 0a09e0107e54c1707e4571d2331d0d22abeb90a16d8e158406c1789426ebf6b2
Instruction Fuzzy Hash: 9C215A35F522159FDF40CFADE990AAEBBF5EB48710F108029E945E7391D734D8418BA4

Function 06993A90 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b404b8cb4fad50d75b9dffa97d2312da684fe7cb99ac01cbcc733269f6617174
Instruction ID: bae800e8a13e5a49d8053d764d44d182a5192fa36f3c487e9f2c82ce198037f3
Opcode Fuzzy Hash: b404b8cb4fad50d75b9dffa97d2312da684fe7cb99ac01cbcc733269f6617174
Instruction Fuzzy Hash: 54212675F126159FDB50CFADE980AAEBBF5FB48710F108029E905E7381E639DC418BA4

Function 010BD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2818953327.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10bd000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bf4eb98a3b271adb62bde7703c36e9e73592c3d7114008167450b8e26b5d2f
Instruction ID: 9aa9d4ae2fce04a413eead14aea769a17ed1b422d6d276efa7dbc422c7892232
Opcode Fuzzy Hash: 39bf4eb98a3b271adb62bde7703c36e9e73592c3d7114008167450b8e26b5d2f
Instruction Fuzzy Hash: A1212271514304DFDB15DF94D9C0B66FBA1EB84318F20C5AEE8890B252C33AD847CB62

Function 06996D00 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f01a4abb49e4a82bb819754a8b8d9dbd36b6acd8f751975937a0e02b27dcce
Instruction ID: be36acf1cb6a2a2a8fb3ccab88d808c293c90e3abd6f09945d683ea12c5381c2
Opcode Fuzzy Hash: c2f01a4abb49e4a82bb819754a8b8d9dbd36b6acd8f751975937a0e02b27dcce
Instruction Fuzzy Hash: 9D21A234B201199FDF54DBADE8506AEB7BBEB84350F248426E405EB780DB35DC918BA0

Function 06993BA0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0985f00ac0ff7e37fb51409fc6f1770e720f4296e337a6d5e7372383418a7cb7
Instruction ID: 2ac6b744ca639279bc8cef384ff8ae4db0fea9a9adb226946ce53bb3b3ca022a
Opcode Fuzzy Hash: 0985f00ac0ff7e37fb51409fc6f1770e720f4296e337a6d5e7372383418a7cb7
Instruction Fuzzy Hash: 5A118B35B145288FDF649A6CD8246AE77EAFBC8310B104439D90AE7740EE69DC528BA0

Function 069941E2 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f011974e7722a21e8f03e97fa47417d71e4af749d376f47464101dfaf57b3d4a
Instruction ID: be84ef092a4ba0951a6ec0565165a1f278e9370a5267a07c5b400e170ba23aea
Opcode Fuzzy Hash: f011974e7722a21e8f03e97fa47417d71e4af749d376f47464101dfaf57b3d4a
Instruction Fuzzy Hash: 8201F130B041101FEB6796BC9810B2FA7DEEBCA720F20843AE10ACB791E965DC4343E1

Function 06993B8F Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2bb9ccd11c958be85f561a945414a85eb8149506d7d8f831f70fb67f05e74e
Instruction ID: 4ba1117a5ba8032a563c8a6db321ddadc9c01911a268f3f73a965a82805b5bb3
Opcode Fuzzy Hash: cd2bb9ccd11c958be85f561a945414a85eb8149506d7d8f831f70fb67f05e74e
Instruction Fuzzy Hash: 15012631B141141FDF658AADDC146FF76EEABC4300F140039E405D7280EE55DC1187E1

Function 0699A2F0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce07077a90aba21587ace2a80b58399bc8db2bca268980191c4dffec73db123
Instruction ID: 58497eff0574cf6f03ff0cf41b9aff58d9464d9fc24c3591f810f098ceb11d72
Opcode Fuzzy Hash: 9ce07077a90aba21587ace2a80b58399bc8db2bca268980191c4dffec73db123
Instruction Fuzzy Hash: 6401D830B142105FDFA5967CE865B6F77EDE786354F20843AE40ACB381EA25DC4287D0

Function 06993859 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4e598337af3379055bd3fe2b424ad5d4f3726cd6bae7cbc8a6cffad28768ce
Instruction ID: 3b721d3963ba4b31b1c2b4df1197eb2aa4631e23233911807d4b8c48640d8c0e
Opcode Fuzzy Hash: 2d4e598337af3379055bd3fe2b424ad5d4f3726cd6bae7cbc8a6cffad28768ce
Instruction Fuzzy Hash: F821D3B5D01259AFCB10DF9AD885ADEFFB8FB48310F10812AE918A7200C375A955CFA5

Function 0699F171 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a435198507d4be71ec349d029fab3c794e4fd0644977c3ed4ba34f0eaade1a9
Instruction ID: 7cfb2f693de8c72d44a1c2eeefe61384c905ef1f66e08c783bbae173dd90a876
Opcode Fuzzy Hash: 3a435198507d4be71ec349d029fab3c794e4fd0644977c3ed4ba34f0eaade1a9
Instruction Fuzzy Hash: EE01BC75B001114FDF79CA6CD890B6EA7EAEBCA320F20852AE40ACB745DA65DC4247D0

Function 010BD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2818953327.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10bd000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
Instruction ID: 8db021a16fe21fe55bb541f8bd710c00886ca965d71227bc4f3428b583fddd60
Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
Instruction Fuzzy Hash: 7911BB75504280DFCB16CF54D5C0B15FFA2FB84318F28C6AAE8894B656C33AD44ACB62

Function 06993860 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b4759f5f424c141d78a9f20458fb3bcc22ba73e16246f0923b433aabaf2aa7a
Instruction ID: 803ed5976e6dbf4ea8807b4b965c4de7e033a0af8a98e84c4a6f1845ac7b1ac3
Opcode Fuzzy Hash: 1b4759f5f424c141d78a9f20458fb3bcc22ba73e16246f0923b433aabaf2aa7a
Instruction Fuzzy Hash: 0911B3B5D01259AFCB10DF9AD884ADEFBB8FB49310F10812AE918A7240D375A954CFA5

Function 069941F0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152677b5609e2a14de0903d089e52ff289a1de1b89e9377acef0757f25ee4871
Instruction ID: 26677abc25087d5c6e367e52253ff4f29d6ee3bc4469b789f9bcfe1f4825e7e8
Opcode Fuzzy Hash: 152677b5609e2a14de0903d089e52ff289a1de1b89e9377acef0757f25ee4871
Instruction Fuzzy Hash: 0A016235B001111BDF6695AD945472FA3DEEBC9B60F208439E10AC7750DD65DC4343A1

Function 0699F180 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc33e036e274f32171faac83262613312f02443cadc8d09f9245095d0732cc9a
Instruction ID: 3722e661d8589343b1d8da22e4c10f36bf46d446ebec5574d780ef40410bb044
Opcode Fuzzy Hash: fc33e036e274f32171faac83262613312f02443cadc8d09f9245095d0732cc9a
Instruction Fuzzy Hash: CE018C75B101115BDF75997DD860B2FA3DEEBCA720F208829E50ACB780EE65EC4247E1

Function 0699A300 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48e9318e92e61b15172680c765d07ab74bf341469b0bbca05c3be66638d4978
Instruction ID: c1b0ae38a2712ade0be4833b00cfbcceb9f87870d520692ad806567416b20489
Opcode Fuzzy Hash: b48e9318e92e61b15172680c765d07ab74bf341469b0bbca05c3be66638d4978
Instruction Fuzzy Hash: 7001A434B101145FDF65DA7CE455B1F77DEE789754F208839E50ACB780EA25EC418790

Function 06996461 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa090bd7ca4c3d1e62f6590c8f93cc1cef444cd67772f3e8ae3e7e168d5033e
Instruction ID: 464e157e279ec7a72614302e2542ff088ea4fdec7dc30864f8c9dcacd367a708
Opcode Fuzzy Hash: 0fa090bd7ca4c3d1e62f6590c8f93cc1cef444cd67772f3e8ae3e7e168d5033e
Instruction Fuzzy Hash: 9CE09270E552086FFFA0CEFC8D55A9A776ED742204F3048A5D804CBA41E272DD118BB1

Function 069982DE Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2832606325.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6990000_HGhGAjCVw5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda300a4c461085e353d8cb0184664218fde2ac13ed79993e44b14d3566fa0a0
Instruction ID: 92a2fbdb00f2d36496ec08fd7089cab086ba6dcfd2ca6e2099722dd8b490048f
Opcode Fuzzy Hash: fda300a4c461085e353d8cb0184664218fde2ac13ed79993e44b14d3566fa0a0
Instruction Fuzzy Hash: AFF0A036F24200CFEF644DBDEB8227873A8EB06251B640D6ACD01C3941D239DD90CAB0

Analysis Process: gdJhjh.exePID: 7452, Parent PID: 1040COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	105
Total number of Limit Nodes:	6

Executed Functions

Function 02CEAE48 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02CEB09E

Strings

J3, xrefs: 02CEB057

Memory Dump Source

Source File: 0000000A.00000002.1637612369.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2ce0000_gdJhjh.jbxd

Similarity

API ID: HandleModule
String ID: J3
API String ID: 4139908857-2790555919
Opcode ID: 7840bf5feef57471e76f50213d6953d5e336692ee04d5e923610580b792e1dbe
Instruction ID: dd1d91e3f555adacb7c40d6bc85eaaad1cd96e358f914c4675c05da30e87c6cc
Opcode Fuzzy Hash: 7840bf5feef57471e76f50213d6953d5e336692ee04d5e923610580b792e1dbe
Instruction Fuzzy Hash: 967164B0A00B058FDB28DF2AD44475ABBF1BF88304F00892DE48AD7A50EB75E945CF95

Function 02CE44B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02CE59C9

Strings

J3, xrefs: 02CE594C

Memory Dump Source

Source File: 0000000A.00000002.1637612369.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2ce0000_gdJhjh.jbxd

Similarity

API ID: Create
String ID: J3
API String ID: 2289755597-2790555919
Opcode ID: b85ce673e8bf7ae9c37c415ccc4cd2cb5501f7c169d1ad8477009ee6d39c593e
Instruction ID: 77eeb372d1e03ccf9e13b434c56506d2817503c1ae03d2a83b51f741a66b946f
Opcode Fuzzy Hash: b85ce673e8bf7ae9c37c415ccc4cd2cb5501f7c169d1ad8477009ee6d39c593e
Instruction Fuzzy Hash: D241A271D00719CBEB24DFA9C884BDDBBB5BF49304F60805AD409AB251DBB56986CF90

Function 02CE590D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02CE59C9

Strings

J3, xrefs: 02CE594C

Memory Dump Source

Source File: 0000000A.00000002.1637612369.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2ce0000_gdJhjh.jbxd

Similarity

API ID: Create
String ID: J3
API String ID: 2289755597-2790555919
Opcode ID: ea0619df093cf0604c03b65bc2c61e745aec25484b7e9a332613d34a448b23d2
Instruction ID: 68a6f63a49262fd05842cefbf97e57aaa3b882f7d5f6100d3735b0104e122621
Opcode Fuzzy Hash: ea0619df093cf0604c03b65bc2c61e745aec25484b7e9a332613d34a448b23d2
Instruction Fuzzy Hash: 6741C470D00719CFEB24CFA9C8847DDBBB5BF49304F60806AD409AB251DB756986CF50

Function 02CEB830 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02CED6E6,?,?,?,?,?), ref: 02CED7A7

Strings

J3, xrefs: 02CED73F

Memory Dump Source

Source File: 0000000A.00000002.1637612369.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2ce0000_gdJhjh.jbxd

Similarity

API ID: DuplicateHandle
String ID: J3
API String ID: 3793708945-2790555919
Opcode ID: eedf9361c123c4c92f65b6e2cbe2d8e2fe20e8386da347e30e930d71fc0ba6c7
Instruction ID: d64b25f7146f795e81d67d0b3c5edc7c5406ee02ee32b2c24ae21ff850ea0c26
Opcode Fuzzy Hash: eedf9361c123c4c92f65b6e2cbe2d8e2fe20e8386da347e30e930d71fc0ba6c7
Instruction Fuzzy Hash: 3221E4B5900348AFDB10CF9AD985BDEFBF9EB48310F14841AE919A3310D378A950CFA4

Function 02CED719 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02CED6E6,?,?,?,?,?), ref: 02CED7A7

Strings

J3, xrefs: 02CED73F

Memory Dump Source

Source File: 0000000A.00000002.1637612369.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2ce0000_gdJhjh.jbxd

Similarity

API ID: DuplicateHandle
String ID: J3
API String ID: 3793708945-2790555919
Opcode ID: 7695a45b5f461d7cebbfe46c93cdabf1b145594dd23d2d7d030cfa447e0a4c61
Instruction ID: e9bbf9ac086353cc29f2aa4de157a0934bc4fd3a42cd705f1ac8349594f82283
Opcode Fuzzy Hash: 7695a45b5f461d7cebbfe46c93cdabf1b145594dd23d2d7d030cfa447e0a4c61
Instruction Fuzzy Hash: 0721E2B59003489FDB10CFAAD585ADEBBF5EB48310F14841AE919B3211D378AA54CF64

Function 074C7CC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 074C7D33

Strings

J3, xrefs: 074C7CDF

Memory Dump Source

Source File: 0000000A.00000002.1643739877.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_74c0000_gdJhjh.jbxd

Similarity

API ID: ProtectVirtual
String ID: J3
API String ID: 544645111-2790555919
Opcode ID: 724fa5cb14a2b5fbcc8245f4fd2581785fb04e6c990feeecfe7523303aad79f5
Instruction ID: c395473b9d4cecf248dd75b68b9734315d6ad77117fc1fdaaad8a99ecb2b55a6
Opcode Fuzzy Hash: 724fa5cb14a2b5fbcc8245f4fd2581785fb04e6c990feeecfe7523303aad79f5
Instruction Fuzzy Hash: 4D21E7B5D002499FDB10CF9AC484BDEFBF4FB48310F10842AE958A7250D378A545CFA5

Function 074C7CB8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 074C7D33

Strings

J3, xrefs: 074C7CDF

Memory Dump Source

Source File: 0000000A.00000002.1643739877.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_74c0000_gdJhjh.jbxd

Similarity

API ID: ProtectVirtual
String ID: J3
API String ID: 544645111-2790555919
Opcode ID: 7dd798cb50501915d2453d440e79005592175b670cc916a3193291bb86a63b7f
Instruction ID: e32f11c26e1786fe4320ca72bb142218d909e4e0ceed73037995d836ffd7f5eb
Opcode Fuzzy Hash: 7dd798cb50501915d2453d440e79005592175b670cc916a3193291bb86a63b7f
Instruction Fuzzy Hash: FC21C4B5D002599FDB10DF9AC484BEEBBF4FB48310F10842AE968A7650D378A645CFA5

Function 02CEB038 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02CEB09E

Strings

J3, xrefs: 02CEB057

Memory Dump Source

Source File: 0000000A.00000002.1637612369.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2ce0000_gdJhjh.jbxd

Similarity

API ID: HandleModule
String ID: J3
API String ID: 4139908857-2790555919
Opcode ID: 13833e9cd69433d76392e6066ea783e6189afd39d200af33f86caf05a5c212cf
Instruction ID: 340c4355fa81f94d0cd6c820a5c9381b221d36e5ee4432bae61893462320136d
Opcode Fuzzy Hash: 13833e9cd69433d76392e6066ea783e6189afd39d200af33f86caf05a5c212cf
Instruction Fuzzy Hash: 5311E3B5D002498FDB20CF9AC444BDEFBF5FB88314F10841AD929A7610D379A645CFA5

Function 0111D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1635624821.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111d000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7957a6c3dd06fcb227137bc6085bf104fc3f18ce7ba721b09dee1de4b557bff0
Instruction ID: e8c912dbf7ea8e2b19498ebbc041fc6267e40f89338b358140fd4cc646d50193
Opcode Fuzzy Hash: 7957a6c3dd06fcb227137bc6085bf104fc3f18ce7ba721b09dee1de4b557bff0
Instruction Fuzzy Hash: A1213671540204DFDF09DF84E9C4B56FB65FB88314F20C179E8090BA5AC33AE446CBA2

Function 0111D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1635624821.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111d000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0341854405bd894caabd77f7b05e6211969fd85102b958fce4969de7094fea3
Instruction ID: e14c242fb6b21eb4516a8be65075eb90a625e8ed793750d16e5e5ecd85f559de
Opcode Fuzzy Hash: d0341854405bd894caabd77f7b05e6211969fd85102b958fce4969de7094fea3
Instruction Fuzzy Hash: 2F21F171500240DFDF19DF54E9C8B26FF75FB88218F20C579E8090B65AC336D456CAA2

Function 0112D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1635735849.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_112d000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a900dcf44c12347925e027871527eb84e8d588eb5e2ea38ab0c6d5903ef98a
Instruction ID: 88bebfe7696dc3f5bb13b068da542b3cc9723f7d536b5ed128d429041fa75bf1
Opcode Fuzzy Hash: 41a900dcf44c12347925e027871527eb84e8d588eb5e2ea38ab0c6d5903ef98a
Instruction Fuzzy Hash: B021F571504304DFDF19DF94E5C0B15BB65FB85324F20C56DE8094B252C336D456CA62

Function 0112D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1635735849.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_112d000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c26919b9f2ee17b68acd416fcda21d4856ec628601318f940a81c009ee27fc9
Instruction ID: 4ae153f02ac2719f9c93634ecb5825a773b3a998d142896bc5653adeba5a79fd
Opcode Fuzzy Hash: 3c26919b9f2ee17b68acd416fcda21d4856ec628601318f940a81c009ee27fc9
Instruction Fuzzy Hash: 5C212271604340DFDF19DF94E8C0B16BB61EB88354F20C5ADD80A0B2A2C33AD867CB66

Function 0112D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1635735849.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_112d000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25215ccecbfcf8e89c0c1da52051319eb818805debcc56db814d89008e916d9c
Instruction ID: e67d21c89c78726689d4953297ce72b38aae7efabe3c2852b3f44e83df96d093
Opcode Fuzzy Hash: 25215ccecbfcf8e89c0c1da52051319eb818805debcc56db814d89008e916d9c
Instruction Fuzzy Hash: 162192755083809FCB07CF64D994715BF71EF4A214F28C5DAD8898F2A7C33A9816CB62

Function 0111D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1635624821.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111d000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
Instruction ID: 3a8736a64acf9519a1361f73b4dad718efce8760dcc3c1da1f10d42f31f6dcbf
Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
Instruction Fuzzy Hash: F111CD72404240CFCF1ACF44D5C4B56BF61FB88224F2486A9D8090BA5AC33AE456CBA2

Function 0111D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1635624821.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111d000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
Instruction ID: 8e8593bbab0a7338200c45fbeab736a8497e638f29c6719cabc496223315864e
Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
Instruction Fuzzy Hash: 6E119D76504280CFCF1ACF54E5C4B16BF71FB88214F2486A9D8490B65AC336D456CBA2

Function 0112D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1635735849.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_112d000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
Instruction ID: 191554fa6aed78b1667ef0c057cb10f91aae3f3849e83936e26131b87d121fcf
Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
Instruction Fuzzy Hash: 8411BB75504280DFDB0ACF54D5C0B15BFA1FB85224F24C6A9D8494B296C33AD41ACB62

Analysis Process: gdJhjh.exePID: 7764, Parent PID: 7452COMMON

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	18
Total number of Limit Nodes:	5

Executed Functions

Function 06DB234B Relevance: 1.0, Instructions: 1009COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f03ee18ff3285ad3030457ba59d607115b8b85a558265142edf223a6834661
Instruction ID: e39a95e0beea936830d5b7b2bfef84a1170945c07d2cbcb2779eec72c256d1f8
Opcode Fuzzy Hash: 69f03ee18ff3285ad3030457ba59d607115b8b85a558265142edf223a6834661
Instruction Fuzzy Hash: 1F924631E00204CFDB64DB68C584AADBBF2FF49314F5484A9D44AAB369DB35ED81CB81

Function 06DB65E0 Relevance: .8, Instructions: 812COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4f82f41dec70b28860f525600825254bafb63164899fafb0659896bee9addf
Instruction ID: 04a120d7caad0f657b4a8bf1cabf62fbcf737292a1e63fc94134b507f43c93af
Opcode Fuzzy Hash: 8a4f82f41dec70b28860f525600825254bafb63164899fafb0659896bee9addf
Instruction Fuzzy Hash: 13628934B00245DFDB64DB68D594AADB7B2FF88310F149469E406DB398EB76EC81CB90

Function 06DB5588 Relevance: .6, Instructions: 607
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0da78c45cfe8a04ed5d899b732554636a64b3522502b89bfba47f3f9e0957eeb
Instruction ID: 052f8bfb8c6610b2552a8d30144aa5fa6d6d7a2d64b25f06c58b643073d1fffe
Opcode Fuzzy Hash: 0da78c45cfe8a04ed5d899b732554636a64b3522502b89bfba47f3f9e0957eeb
Instruction Fuzzy Hash: 57229C35E00204DFDF65CF68D8906EEBBB2EF89310F248469D456AB349DA35DC45CB90

Function 06DBB20F Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f7ca5af4909a513583c630e8fb73293a7fcfb89c8715629bbbfdd3573f9b30
Instruction ID: 6de49e985ce52537c2ecc6c477c6e159653e770b469f35f568e085aa71c88723
Opcode Fuzzy Hash: b9f7ca5af4909a513583c630e8fb73293a7fcfb89c8715629bbbfdd3573f9b30
Instruction Fuzzy Hash: A7224C30E10209DFEF64CB59D4807EEB7A6FB49310F24942AE406EB395DE79DC818B91

Function 06DB3040 Relevance: .5, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f327c69fc2b57e0fb4d819a78c15c23b4abcc1d2fd7c60722e504540cfa6466
Instruction ID: d83051aae93087643623f2d1fde31d68be98f4c579558d50a0a735cb79b1ffb4
Opcode Fuzzy Hash: 2f327c69fc2b57e0fb4d819a78c15c23b4abcc1d2fd7c60722e504540cfa6466
Instruction Fuzzy Hash: 63324D30E10619DFCB24DF79C89469DB7B2FFD9300F21966AD40AA7214EB74AD85CB90

Function 06DB7D68 Relevance: .5, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b6925b7e2802f1e7e9b99879e50437962ca2111fbd7cedb70ba9827446a4d5
Instruction ID: 8f2315173aacf22d98cf524c7f8ee9c6f3f352c17657b986b9772ca5348a40e3
Opcode Fuzzy Hash: 40b6925b7e2802f1e7e9b99879e50437962ca2111fbd7cedb70ba9827446a4d5
Instruction Fuzzy Hash: F3027D30B00205DFDB64DB69D590AAEB7B6FF84350F148529D906DB389EB75EC82CB90

Function 06DB4B50 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Oq, xrefs: 06DB4D07
fq, xrefs: 06DB525D
XPq, xrefs: 06DB4C7D

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID: fq$XPq$\Oq
API String ID: 0-132346853
Opcode ID: 70eb56af4d03620911f5fb006dd93b4f520027a09d530b938746846ecb91634a
Instruction ID: 98964fbe1168bbd9a954574d339d9c46281c31b9ab808536a56e8be99c40bd01
Opcode Fuzzy Hash: 70eb56af4d03620911f5fb006dd93b4f520027a09d530b938746846ecb91634a
Instruction Fuzzy Hash: A8615C30F00219AFEB54DBA8D8547AEBBF6FF88700F248429D506AB395DA758C45CB94

Function 0171EB38 Relevance: 1.7, APIs: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2820414192.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1710000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639662ba3d9489018c8d4d0c5f75d171dff34e8cba9c7260681987fe8f2de3db
Instruction ID: a63f3fca6b8b5d5813937b276f1bd6d613f6deaa521268c1abf6f7ebd5820e3a
Opcode Fuzzy Hash: 639662ba3d9489018c8d4d0c5f75d171dff34e8cba9c7260681987fe8f2de3db
Instruction Fuzzy Hash: 90516732E043868FDB25CF69D8046DDBFF5AF86210F0885AAD845E7341DB749885CBA1

Function 0171EC20 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0171EC87

Memory Dump Source

Source File: 0000000E.00000002.2820414192.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1710000_gdJhjh.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: f99c9105f5c4243b3f19d810b68dab1e5bb7d4e94153bdd04b85a58ed064190b
Instruction ID: f66631c4a02c8c13e32ee70f142744bc17832677b49609735cca2673becc77e2
Opcode Fuzzy Hash: f99c9105f5c4243b3f19d810b68dab1e5bb7d4e94153bdd04b85a58ed064190b
Instruction Fuzzy Hash: BB11F0B1C006599BDB10CF9AD945BDEFBF4EF48220F14852AD818A7240D778A945CFA5

Function 06DB4B40 Relevance: 1.4, Strings: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPq, xrefs: 06DB4C7D

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID: XPq
API String ID: 0-1601936878
Opcode ID: 2006512bb9a5a9fa27a0ca415907141a9fa541a29fc135448d892f99c9a34f81
Instruction ID: 19d09be957a1704ec6af4d5a31ea5baf2b72704677dacc634420f6a7fddbee00
Opcode Fuzzy Hash: 2006512bb9a5a9fa27a0ca415907141a9fa541a29fc135448d892f99c9a34f81
Instruction Fuzzy Hash: F0517E30F00218AFDB55DFA9C854B9EBBF6FF88700F208529D106AB395DA758C45CB94

Function 06DBCF28 Relevance: .8, Instructions: 798
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c935ae9a582ae4cf013b75d1d8e9afd30f370bb648bd371f6c51506d6987072
Instruction ID: 8219029fece2ee12a10cb67b8a83f0970f208824b0d2d048fffb432708428483
Opcode Fuzzy Hash: 5c935ae9a582ae4cf013b75d1d8e9afd30f370bb648bd371f6c51506d6987072
Instruction Fuzzy Hash: EB621C30A10206DFDB55EF68D590A9DB7B3FF84740B208968D0469F359EB79EC86CB81

Function 06DBC170 Relevance: .6, Instructions: 644
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85877542a95d05984fb99d1c2d3251be16e2e0e9bbbfe2194be4a570e37b51fa
Instruction ID: 413e129159b9837c995c81fdc2a575c2a5c2f38c34bda2cfae7bc2e8937d72df
Opcode Fuzzy Hash: 85877542a95d05984fb99d1c2d3251be16e2e0e9bbbfe2194be4a570e37b51fa
Instruction Fuzzy Hash: B2328D34B10209DFDB64DB68D890BAEB7B2FB88310F108429D506EB344DB79EC81CB91

Function 06DBB630 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45df431c73dc91f39c475da98ce2d89675190a44af7424c02154f5f5997646f
Instruction ID: 70cacfa04a2593f7c2c73fae5dee611c8072ddb5654b14a23a9009473e806f16
Opcode Fuzzy Hash: e45df431c73dc91f39c475da98ce2d89675190a44af7424c02154f5f5997646f
Instruction Fuzzy Hash: 73024830E10209DFDBA4CB69D880AADB7B2FB45310F20956AD446EB359DF74EC81CB95

Function 06DB9138 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18d0d0669b61e00b071a20c504cbc34a07161758b0da9a3025a5c69ae7367af
Instruction ID: acfc527c8cd90353e11cf48d86d08a9892c0240958cea32ae91053bcaf7263b3
Opcode Fuzzy Hash: e18d0d0669b61e00b071a20c504cbc34a07161758b0da9a3025a5c69ae7367af
Instruction Fuzzy Hash: 8B917F74B002099FDB64DF69C9A07AE77B6FF89340F108469C50AEB344EE75EC918B91

Function 06DB61E0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c27237fbd5bb14b154060e533b69f1a3de782b343ae3cbfb9b91d8e6bb8eaf
Instruction ID: 1e2fb922e667cff520a457083b1ab480d3e8a746b0e076a496aa180405529208
Opcode Fuzzy Hash: 32c27237fbd5bb14b154060e533b69f1a3de782b343ae3cbfb9b91d8e6bb8eaf
Instruction Fuzzy Hash: 0B61C372F001118FDF659B6DC8806AEBAEBAFD4210B154439E80BEB365DEB5DC0287C5

Function 06DB4280 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608f7ed769fe2f3dcdaffd4fcc9f82f04361cae445729af8a66ee5184c875209
Instruction ID: 38442391b2c9c026a92139879f7497de9956f26a6b742d6cc8e6c144cfc26904
Opcode Fuzzy Hash: 608f7ed769fe2f3dcdaffd4fcc9f82f04361cae445729af8a66ee5184c875209
Instruction Fuzzy Hash: FB814F34B002059FDB54DFA9D4947AE7BF3BF89300F108529D40AEB349EA75DC928B91

Function 06DB45A0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a33db84ce23a47c8a217cad06c05d31ae8ca737fa543edc3a678df4e20320ab
Instruction ID: 84ae9a231d0ede113a99242a48a4cd43576994e34ff965b0458208a005ec4a06
Opcode Fuzzy Hash: 1a33db84ce23a47c8a217cad06c05d31ae8ca737fa543edc3a678df4e20320ab
Instruction Fuzzy Hash: FA912B34E102198FDB60DF68C890BDDB7B1FF89310F208699D549AB355DB70AA85CB91

Function 06DBAF08 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8d488d9b01885be031b7f7a02056b65e0a68eb7ad00f7dc8123bd005ad7e19
Instruction ID: 9b6efebb8b3067ccd2b8b63f5614b236d8a36e662f242fcaf5ba15c625a0723a
Opcode Fuzzy Hash: cc8d488d9b01885be031b7f7a02056b65e0a68eb7ad00f7dc8123bd005ad7e19
Instruction Fuzzy Hash: A3714F70E1031ADFDB15DF69D8906AEB7B2FF85300F148529D406AB344EF759986CB81

Function 06DB45B8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c65ca2d21b3f048fa3ba93331d9823c72cfa5da85c411feca978ed1ca5fd5656
Instruction ID: f9d22e3d95144eadac3959871a5467509a562e18ae908a3d1eee5c56c63b8893
Opcode Fuzzy Hash: c65ca2d21b3f048fa3ba93331d9823c72cfa5da85c411feca978ed1ca5fd5656
Instruction Fuzzy Hash: BE912A34E106198BDF64DF68C890BDDB7B1FF89310F208699D549AB345EB70AA85CF90

Function 06DBEEF0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939513bae1268b174130cfb7dd229f81cc3fc4624c8cec08ef66b9eb1b56338f
Instruction ID: 9a62341173f2bbed41f806ceb31c37c1f976c607c3b059044bc84edbd2cf7212
Opcode Fuzzy Hash: 939513bae1268b174130cfb7dd229f81cc3fc4624c8cec08ef66b9eb1b56338f
Instruction Fuzzy Hash: BF812970A00249DFDB54DBA9D980ADDBBF6FF88300F248529D406AB359DB34ED46CB50

Function 06DBEF00 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6a3222d70c7b4bc09c69593741215546504be8524e9e6406b15cffa255a0f9
Instruction ID: e0bcaae907676147603d51ad01b24cd9b695bdfcca57813c8963c507bfcf80f9
Opcode Fuzzy Hash: 4b6a3222d70c7b4bc09c69593741215546504be8524e9e6406b15cffa255a0f9
Instruction Fuzzy Hash: 43712970A00209DFDB54DBA9D980ADEBBF6FF88340F249429E416AB359DB34ED41CB50

Function 06DBFC58 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2709d35266814ec887d1ddd1427edfc1422e825674c083188a591943fb89d4b
Instruction ID: c2e88b22bd0719c2381ee6d40f33bb100d0988df79e3594dcb8ede7656986af4
Opcode Fuzzy Hash: d2709d35266814ec887d1ddd1427edfc1422e825674c083188a591943fb89d4b
Instruction Fuzzy Hash: 2F51C131F01209DFDB64ABB8E8946EEBBB2FB84311F208879E106D7354DB359955C790

Function 06DBFA09 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c629339597c0abac950a546752067bad7f571b43c903d9be3ab0ac83b97dc88b
Instruction ID: c518008131e2ce18b042c98c8dc9cf9f8321dcdb704b84c7f4bb9e62d9f71268
Opcode Fuzzy Hash: c629339597c0abac950a546752067bad7f571b43c903d9be3ab0ac83b97dc88b
Instruction Fuzzy Hash: 10519170B20214DFEF645BA8DC94BAE366AE789750F20443AE40BD77D4D97CCC818796

Function 06DBFA18 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c37a5bdfb083c4e36a3ff099b85fd772c2a76427037434797d1192888055175c
Instruction ID: 988b8ea147cf8c25abff9b12bd11edc81c6385f1dcc980b2c8a14cdd43a6fe46
Opcode Fuzzy Hash: c37a5bdfb083c4e36a3ff099b85fd772c2a76427037434797d1192888055175c
Instruction Fuzzy Hash: A45191B0B20204DFEF645BA9DC94B6E326AE789750F20443AE40BD77D8D96CCC814795

Function 06DB9127 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee4a315c71b1be76a53a8bb878703dd0cfb3bc9ea77ca29339b7a030bb8ea6d1
Instruction ID: 4513a7ccc4c54594f36a3008963573f9f9c8078a3f46b568088437e91ee28366
Opcode Fuzzy Hash: ee4a315c71b1be76a53a8bb878703dd0cfb3bc9ea77ca29339b7a030bb8ea6d1
Instruction Fuzzy Hash: 17518F74B001049FDB64DB79D9A0BAE77A6FBC9340F108429C50AEB344EE75ECA18B91

Function 06DB53F8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd85496bd29e3ea2d7729e2f3d9ea8f1440482f69c3e5320f54c82953ccbe1ed
Instruction ID: ae64776f4135557d2244e52d493cfd97cd04d74c0e4109109962d1b4b76eebb1
Opcode Fuzzy Hash: dd85496bd29e3ea2d7729e2f3d9ea8f1440482f69c3e5320f54c82953ccbe1ed
Instruction Fuzzy Hash: 86418E31E00609CFDB70CFA9E880ABFF7F2EB88211F10492AD15AD7654D231E9598B91

Function 06DBDA9D Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1983c129cd666adefaa62c5c2179e8ffb420aba1588061124d2eb4258b99cd86
Instruction ID: fc6cecd27021515446c6b1416e9b8b081adc3d52e2036c6c2c0200d7dae0e473
Opcode Fuzzy Hash: 1983c129cd666adefaa62c5c2179e8ffb420aba1588061124d2eb4258b99cd86
Instruction Fuzzy Hash: 1F416A30E00209DFDB659F65C894AAEBBB3BF85300F208529E416EB244EB75D946CB91

Function 06DB21D0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9341ddb26eb8de3407732755913683ff9a8355a44bb5bfddf2d883cdec9f4c
Instruction ID: 193cd21f26cffa5d1b9b1444fa01e844e9ce954a786b77a3cb21b490c237c341
Opcode Fuzzy Hash: 2d9341ddb26eb8de3407732755913683ff9a8355a44bb5bfddf2d883cdec9f4c
Instruction Fuzzy Hash: 3A31AB31B10205AFDB699B74C9547BE3AA6BF89340F20542CD406DB388EE3ADD45CBA5

Function 06DBD950 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8eeea0412ae4cb09b2febf8ae0bf95196f09e0dddf7fff4ebe96a896c6a787
Instruction ID: fc55ecaa8f185a587f720769313480b24f545dd705a34733251973bdbe469115
Opcode Fuzzy Hash: 1d8eeea0412ae4cb09b2febf8ae0bf95196f09e0dddf7fff4ebe96a896c6a787
Instruction Fuzzy Hash: DF317030E1420ACFDF25DF64C890ADEBBB6FF85200F108529E406EB644EBB5E9468B51

Function 06DB2083 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ae05fe4596b2f035bcc387bca6e5556241139517619015fa0bbc22c3935bf3
Instruction ID: dc080dded850bb6782abb8e9fef83e6c5c74343904a0746837a9c7aa7d014661
Opcode Fuzzy Hash: e6ae05fe4596b2f035bcc387bca6e5556241139517619015fa0bbc22c3935bf3
Instruction Fuzzy Hash: C9315C35E10206DFCB15CF68D894AAEB7B2FF89300F148529E916EB344DB71E982CB40

Function 06DB2090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eafb34f73e880714665442f7b876f54cd642b966b31f07a7ae4f0e3d441c499f
Instruction ID: b151e2b693bbf2f70193306ec3cf4df123a690c1a1437eab83286ee5d7daad7e
Opcode Fuzzy Hash: eafb34f73e880714665442f7b876f54cd642b966b31f07a7ae4f0e3d441c499f
Instruction Fuzzy Hash: C6318E35E1020ADBCB19CF65D894AAEB7B2FF89300F108529E916E7344DB71ED82CB50

Function 06DB3A80 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ed8cbbf80113e2879456656b6f5af4782e1a62b945d2f5d0793456eb853d7c
Instruction ID: 60b84ef3e053872e4f3f0a6552b23aa97bb35982686b21e06136a5be49e7d48e
Opcode Fuzzy Hash: 58ed8cbbf80113e2879456656b6f5af4782e1a62b945d2f5d0793456eb853d7c
Instruction Fuzzy Hash: 2B217C39F00205AFDB50CF69E881AEEBBF6FB48710F108025E90AE7744EA35D9419BD4

Function 06DB3A90 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e05d619ab71865d30d5d2028f136f9b391490db01801c056503184653e417178
Instruction ID: aab4c155ee5cbbe2a54ea7b2ea890eaaf3402a50716301dd518c1ddeb07d86ee
Opcode Fuzzy Hash: e05d619ab71865d30d5d2028f136f9b391490db01801c056503184653e417178
Instruction Fuzzy Hash: 05212775E00615EFDB50CF69D981AEEBBB1FB48710F118029EA4AE7354EB35D8408B94

Function 016CD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2820070907.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_16cd000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c53fd82ffcb98872460a2cfdd45f990de313361acdaefd6a7452301bc44c341b
Instruction ID: a6540f4fe15a1a7364866dbdb5cf504e7769871bac6865635cd08de36828ac65
Opcode Fuzzy Hash: c53fd82ffcb98872460a2cfdd45f990de313361acdaefd6a7452301bc44c341b
Instruction Fuzzy Hash: B9210371604244DFDB15DF58DDC0B26BB61EB84614F20C57ED8090B392C33AD447CAA2

Function 06DB3BA0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51cebb4be93b2ab8cd3caafc2b7694232d6c44c741ae5a1560260995b469282
Instruction ID: f632ae2fc7411ee4083007135036c3abcece27dc7f8f8ce8d545e1fe237b0d13
Opcode Fuzzy Hash: f51cebb4be93b2ab8cd3caafc2b7694232d6c44c741ae5a1560260995b469282
Instruction Fuzzy Hash: 56118E31B00124AFDB649A68C8146EF77AAEBC8310B014439D50AE7344EE25DC5287D4

Function 06DBF171 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ad5e046a0c2e801839fad1553bc34160b9fb1f4c7241b3d13ac29e4204ecf0
Instruction ID: 50ae2ab7ea71bf1e2b8dcd5413cb202be23acef5a71e4b29a069dd25c705ed0d
Opcode Fuzzy Hash: 28ad5e046a0c2e801839fad1553bc34160b9fb1f4c7241b3d13ac29e4204ecf0
Instruction Fuzzy Hash: 0901B175F001105FDB669B3CDC90BAF67E6EBC96A0B148929E00BC7345DE29DC0243D1

Function 06DB3859 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157060b1190eda6765459613ea97ef78ffe317a94118b2d5ed9390029cc97d0e
Instruction ID: e77c4e9e7d05d7b17c1acdeba1b2d3580fb12e383cd1f7701d5291a78a8955f7
Opcode Fuzzy Hash: 157060b1190eda6765459613ea97ef78ffe317a94118b2d5ed9390029cc97d0e
Instruction Fuzzy Hash: AB21F2B5D01259EFDB10CF9AD884ADEFBB8FB49310F10852AE918A7200C374A944CFA5

Function 06DB41E1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040e33456f1e72b853b01f42a9d12f202abcc85ee9e02dd0a2b423ff2584eea0
Instruction ID: 0ff83b5f3782d3a790fb676bf8de4c95fdd494a116026daab8582c2fdff8ffd4
Opcode Fuzzy Hash: 040e33456f1e72b853b01f42a9d12f202abcc85ee9e02dd0a2b423ff2584eea0
Instruction Fuzzy Hash: 3E01F134B041519FDB71DABCD84075FB7DAEFCA760F24882AE10AC739AD969CC424391

Function 06DBA2F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0180207d3afb3c74515cd1815b9ffe0997375229a8e959639f213ef5199c7773
Instruction ID: 6ef1f621da6281ba80329c26c9861f7d257a6b2638b319fae0ee91d2376c0ebe
Opcode Fuzzy Hash: 0180207d3afb3c74515cd1815b9ffe0997375229a8e959639f213ef5199c7773
Instruction Fuzzy Hash: C301D230B001109FC7619BB8E850B9EB7E1EB86750F10882DD00BC7344DA25EC8187C0

Function 06DB3B8F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b4154f551df3180ce5e8a8e82966ca6418d693b0253cfc0323c5b00d98dfbf
Instruction ID: bb18c2996aecb6fc2520464488bf87aaa443c601691d9388809ccb6e4114eda5
Opcode Fuzzy Hash: f8b4154f551df3180ce5e8a8e82966ca6418d693b0253cfc0323c5b00d98dfbf
Instruction Fuzzy Hash: F5012232B04165AFDBA18AADD8246EF7BAAEFC4310F05043ED846D3284EE21885687C5

Function 016CD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2820070907.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_16cd000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
Instruction ID: bc8cd2148729e4a1e9d188bb3db0e26f3e63aaae17d939f80add43c29ad67cc1
Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
Instruction Fuzzy Hash: 5D11A975604280CFCB16CF58D9C0B25BBA1FB84614F28C6AED8494B756C33AD44ACBA2

Function 06DB3860 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620bb5acb1f3ee5cfcdb8a54e77168fd5e4f99e5f4119ea98872e6df421913d2
Instruction ID: 2e148ced42ecf7580f41edb7703b0db2a24f5b031aabe39fcc59fa60efea8fc7
Opcode Fuzzy Hash: 620bb5acb1f3ee5cfcdb8a54e77168fd5e4f99e5f4119ea98872e6df421913d2
Instruction Fuzzy Hash: BD11D3B5D01259AFCB10CF9AD884ADEFBB4FB48310F10812AE918A7200C374A944CFA5

Function 06DB41F0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdbae0aee0a62d21e275ef63596c4f6a39592a20683fa251bc184d92cc80ae34
Instruction ID: 91055ab8ac9762042bf75d2f4ee5311d7acc30071b043e0ae270c4aade51617f
Opcode Fuzzy Hash: cdbae0aee0a62d21e275ef63596c4f6a39592a20683fa251bc184d92cc80ae34
Instruction Fuzzy Hash: 8801AD35B000119BDB74DAADE84476BA2DAEBC9760F20883AE10BC7349EA65DC424395

Function 06DBF180 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c71f0c040a2ace2d596f37d5991c6419b6ee9a0db1073da6867c7d0d67f297
Instruction ID: c4fec8ba506d37009a1aa5b54545102591736d59c4c505ccc3648b5eccc3f9be
Opcode Fuzzy Hash: 80c71f0c040a2ace2d596f37d5991c6419b6ee9a0db1073da6867c7d0d67f297
Instruction Fuzzy Hash: 7E01DC75F000119BDB65DB3CDC90B6F62DAEBC96A0F248839E10BC7344EE29EC024381

Function 06DBA300 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6330e666eb7c8accab2f39a93ac3c6010411358f43072efd2bc6274c8ebbcd5f
Instruction ID: 87b6e4aa6368ece6b4df0b0f25811d2eba005c67dd51995bbf18c76d7be440e1
Opcode Fuzzy Hash: 6330e666eb7c8accab2f39a93ac3c6010411358f43072efd2bc6274c8ebbcd5f
Instruction Fuzzy Hash: E8016D34B101109BDB61DAACE890B5EB3D5EB89650F108829E50BD7344EA26EC4187C0

Function 06DB82DE Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3fc35e48a4c45d1b52a748e6b6d11959e47b358e5b22d6b09e9e309f74cfe9b
Instruction ID: 338e4ead2706d65ca1543d2b679a2b3d4ec1f853f8ed151ff9a125adeebb6766
Opcode Fuzzy Hash: a3fc35e48a4c45d1b52a748e6b6d11959e47b358e5b22d6b09e9e309f74cfe9b
Instruction Fuzzy Hash: A6F0A036E04200DFEF645E86E9502E873A8EB00251F041066CE03D3348D63AD950EA90

Function 06DB6461 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2833139770.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_gdJhjh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c825b23e50df87c7dd06301bfc89ec7ec72372bccc2c3e5b7662c6ba025add
Instruction ID: 653fc52a5f29368673c17f51008d9358d91c00f78dcc8a9c9b812ab62612d38e
Opcode Fuzzy Hash: b8c825b23e50df87c7dd06301bfc89ec7ec72372bccc2c3e5b7662c6ba025add
Instruction Fuzzy Hash: 4BF02B70E08688DFDB60CF70841469A77A9D745204F204CA5D446C7189E132D9008351

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HGhGAjCVw5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HGhGAjCVw5.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gdJhjh.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hpb3sfrs.tx4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jrzqcvx2.aub.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kgvckkcd.vjk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_la3fu512.os0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lvbbwt2k.bzj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_on2uzkq2.p0u.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qr2gdxfr.eqi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qyekkh0i.bjf.psm1

C:\Users\user\AppData\Local\Temp\tmp57CE.tmp

C:\Users\user\AppData\Local\Temp\tmp6B66.tmp

C:\Users\user\AppData\Roaming\gdJhjh.exe

Windows Analysis Report
HGhGAjCVw5.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre