Edit tour

Windows Analysis Report
upXUt2jZ0S.exe

Overview

General Information

Sample name:	upXUt2jZ0S.exe renamed because original name is a hash value
Original sample name:	d53a9888b375983c277dc4471f3f37e258cca57a1e242784c4130b928127c254.exe
Analysis ID:	1588147
MD5:	857fc5f1da7948839d47abe238392ea2
SHA1:	8cc415a58dae52f82befc0dafd947d519a4b1574
SHA256:	d53a9888b375983c277dc4471f3f37e258cca57a1e242784c4130b928127c254
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Copy file to startup via Powershell

Yara detected Snake Keylogger

AI detected suspicious sample

Bypasses PowerShell execution policy

Creates executable files without a name

Drops PE files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Powershell drops PE file

Self deletion via cmd or bat file

Tries to detect the country of the analysis system (by using the IP)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

upXUt2jZ0S.exe (PID: 2716 cmdline: "C:\Users\user\Desktop\upXUt2jZ0S.exe" MD5: 857FC5F1DA7948839D47ABE238392EA2)

powershell.exe (PID: 3964 cmdline: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\upXUt2jZ0S.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

upXUt2jZ0S.exe (PID: 1184 cmdline: "C:\Users\user\Desktop\upXUt2jZ0S.exe" MD5: 857FC5F1DA7948839D47ABE238392EA2)

cmd.exe (PID: 7692 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\upXUt2jZ0S.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 7740 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

svchost.exe (PID: 5136 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

.exe (PID: 7472 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe" MD5: 857FC5F1DA7948839D47ABE238392EA2)

powershell.exe (PID: 7504 cmdline: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

.exe (PID: 7624 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe" MD5: 857FC5F1DA7948839D47ABE238392EA2)

WerFault.exe (PID: 7840 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 1528 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6956304715:AAGEsKc2_BChUeZlL8X0MH3xZIsug2zAAIA/sendMessage?chat_id=6939220311", "Token": "6956304715:AAGEsKc2_BChUeZlL8X0MH3xZIsug2zAAIA", "Chat_id": "6939220311", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x149c0:$a1: get_encryptedPassword 0x14cac:$a2: get_encryptedUsername 0x147cc:$a3: get_timePasswordChanged 0x148c7:$a4: get_passwordField 0x149d6:$a5: set_encryptedPassword 0x16024:$a7: get_logins 0x15f87:$a10: KeyLoggerEventArgs 0x15bf2:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19968:$x1: $%SMTPDV$ 0x1834c:$x2: $#TheHashHere%& 0x19910:$x3: %FTPDV$ 0x182ec:$x4: $%TelegramDv$ 0x15bf2:$x5: KeyLoggerEventArgs 0x15f87:$x5: KeyLoggerEventArgs 0x19934:$m2: Clipboard Logs ID 0x19b72:$m2: Screenshot Logs ID 0x19c82:$m2: keystroke Logs ID 0x19f5c:$m3: SnakePW 0x19b4a:$m4: \SnakeKeylogger\
00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf51d0:$a1: get_encryptedPassword 0x115e00:$a1: get_encryptedPassword 0x136820:$a1: get_encryptedPassword 0xf54bc:$a2: get_encryptedUsername 0x1160ec:$a2: get_encryptedUsername 0x136b0c:$a2: get_encryptedUsername 0xf4fdc:$a3: get_timePasswordChanged 0x115c0c:$a3: get_timePasswordChanged 0x13662c:$a3: get_timePasswordChanged 0xf50d7:$a4: get_passwordField 0x115d07:$a4: get_passwordField 0x136727:$a4: get_passwordField 0xf51e6:$a5: set_encryptedPassword 0x115e16:$a5: set_encryptedPassword 0x136836:$a5: set_encryptedPassword 0xf6834:$a7: get_logins 0x117464:$a7: get_logins 0x137e84:$a7: get_logins 0xf6797:$a10: KeyLoggerEventArgs 0x1173c7:$a10: KeyLoggerEventArgs 0x137de7:$a10: KeyLoggerEventArgs
00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xfa178:$x1: $%SMTPDV$ 0x11ada8:$x1: $%SMTPDV$ 0x13b7c8:$x1: $%SMTPDV$ 0xf8b5c:$x2: $#TheHashHere%& 0x11978c:$x2: $#TheHashHere%& 0x13a1ac:$x2: $#TheHashHere%& 0xfa120:$x3: %FTPDV$ 0x11ad50:$x3: %FTPDV$ 0x13b770:$x3: %FTPDV$ 0xf8afc:$x4: $%TelegramDv$ 0x11972c:$x4: $%TelegramDv$ 0x13a14c:$x4: $%TelegramDv$ 0xf6402:$x5: KeyLoggerEventArgs 0xf6797:$x5: KeyLoggerEventArgs 0x117032:$x5: KeyLoggerEventArgs 0x1173c7:$x5: KeyLoggerEventArgs 0x137a52:$x5: KeyLoggerEventArgs 0x137de7:$x5: KeyLoggerEventArgs 0xfa144:$m2: Clipboard Logs ID 0xfa382:$m2: Screenshot Logs ID 0xfa492:$m2: keystroke Logs ID
00000004.00000002.1554551898.0000000002551000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.1797959827.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: upXUt2jZ0S.exe PID: 2716	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: upXUt2jZ0S.exe PID: 2716	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: upXUt2jZ0S.exe PID: 2716	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x576d6:$a1: get_encryptedPassword 0x578e9:$a2: get_encryptedUsername 0x57505:$a3: get_timePasswordChanged 0x575e7:$a4: get_passwordField 0x576ec:$a5: set_encryptedPassword 0x59537:$a7: get_logins 0x594b8:$a10: KeyLoggerEventArgs 0x59226:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: upXUt2jZ0S.exe PID: 2716	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x59226:$x5: KeyLoggerEventArgs 0x594b8:$x5: KeyLoggerEventArgs 0x59f25:$x5: KeyLoggerEventArgs 0x5a286:$x5: KeyLoggerEventArgs 0x5b575:$m2: Clipboard Logs ID 0x5b67b:$m2: Screenshot Logs ID 0x5b6d1:$m2: keystroke Logs ID 0x5b806:$m3: SnakePW 0x5b667:$m4: \SnakeKeylogger\
Process Memory Space: upXUt2jZ0S.exe PID: 1184	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: upXUt2jZ0S.exe PID: 1184	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: upXUt2jZ0S.exe PID: 1184	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xce43:$a1: get_encryptedPassword 0xd125:$a2: get_encryptedUsername 0xcc59:$a3: get_timePasswordChanged 0xcd54:$a4: get_passwordField 0xce59:$a5: set_encryptedPassword 0xf333:$a7: get_logins 0xf296:$a10: KeyLoggerEventArgs 0xef01:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: upXUt2jZ0S.exe PID: 1184	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xef01:$x5: KeyLoggerEventArgs 0xf296:$x5: KeyLoggerEventArgs 0xfe6f:$x5: KeyLoggerEventArgs 0x101d0:$x5: KeyLoggerEventArgs 0x114bf:$m2: Clipboard Logs ID 0x115c5:$m2: Screenshot Logs ID 0x1161b:$m2: keystroke Logs ID 0x11750:$m3: SnakePW 0x115b1:$m4: \SnakeKeylogger\
Process Memory Space: .exe PID: 7624	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.upXUt2jZ0S.exe.4269610.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.upXUt2jZ0S.exe.4269610.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.upXUt2jZ0S.exe.4269610.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12dc0:$a1: get_encryptedPassword 0x130ac:$a2: get_encryptedUsername 0x12bcc:$a3: get_timePasswordChanged 0x12cc7:$a4: get_passwordField 0x12dd6:$a5: set_encryptedPassword 0x14424:$a7: get_logins 0x14387:$a10: KeyLoggerEventArgs 0x13ff2:$a11: KeyLoggerEventArgsEventHandler
0.2.upXUt2jZ0S.exe.4269610.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a72c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1995e:$a3: \Google\Chrome\User Data\Default\Login Data 0x19d91:$a4: \Orbitum\User Data\Default\Login Data 0x1add0:$a5: \Kometa\User Data\Default\Login Data
0.2.upXUt2jZ0S.exe.4269610.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1398e:$s1: UnHook 0x13995:$s2: SetHook 0x1399d:$s3: CallNextHook 0x139aa:$s4: _hook
0.2.upXUt2jZ0S.exe.4269610.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d68:$x1: $%SMTPDV$ 0x1674c:$x2: $#TheHashHere%& 0x17d10:$x3: %FTPDV$ 0x166ec:$x4: $%TelegramDv$ 0x13ff2:$x5: KeyLoggerEventArgs 0x14387:$x5: KeyLoggerEventArgs 0x17d34:$m2: Clipboard Logs ID 0x17f72:$m2: Screenshot Logs ID 0x18082:$m2: keystroke Logs ID 0x1835c:$m3: SnakePW 0x17f4a:$m4: \SnakeKeylogger\
0.2.upXUt2jZ0S.exe.428a240.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.upXUt2jZ0S.exe.428a240.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.upXUt2jZ0S.exe.428a240.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12dc0:$a1: get_encryptedPassword 0x130ac:$a2: get_encryptedUsername 0x12bcc:$a3: get_timePasswordChanged 0x12cc7:$a4: get_passwordField 0x12dd6:$a5: set_encryptedPassword 0x14424:$a7: get_logins 0x14387:$a10: KeyLoggerEventArgs 0x13ff2:$a11: KeyLoggerEventArgsEventHandler
0.2.upXUt2jZ0S.exe.428a240.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a72c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1995e:$a3: \Google\Chrome\User Data\Default\Login Data 0x19d91:$a4: \Orbitum\User Data\Default\Login Data 0x1add0:$a5: \Kometa\User Data\Default\Login Data
0.2.upXUt2jZ0S.exe.428a240.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1398e:$s1: UnHook 0x13995:$s2: SetHook 0x1399d:$s3: CallNextHook 0x139aa:$s4: _hook
0.2.upXUt2jZ0S.exe.428a240.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d68:$x1: $%SMTPDV$ 0x1674c:$x2: $#TheHashHere%& 0x17d10:$x3: %FTPDV$ 0x166ec:$x4: $%TelegramDv$ 0x13ff2:$x5: KeyLoggerEventArgs 0x14387:$x5: KeyLoggerEventArgs 0x17d34:$m2: Clipboard Logs ID 0x17f72:$m2: Screenshot Logs ID 0x18082:$m2: keystroke Logs ID 0x1835c:$m3: SnakePW 0x17f4a:$m4: \SnakeKeylogger\
4.2.upXUt2jZ0S.exe.590000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.upXUt2jZ0S.exe.590000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.upXUt2jZ0S.exe.590000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.upXUt2jZ0S.exe.590000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14bc0:$a1: get_encryptedPassword 0x14eac:$a2: get_encryptedUsername 0x149cc:$a3: get_timePasswordChanged 0x14ac7:$a4: get_passwordField 0x14bd6:$a5: set_encryptedPassword 0x16224:$a7: get_logins 0x16187:$a10: KeyLoggerEventArgs 0x15df2:$a11: KeyLoggerEventArgsEventHandler
4.2.upXUt2jZ0S.exe.590000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c52c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b75e:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb91:$a4: \Orbitum\User Data\Default\Login Data 0x1cbd0:$a5: \Kometa\User Data\Default\Login Data
4.2.upXUt2jZ0S.exe.590000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1578e:$s1: UnHook 0x15795:$s2: SetHook 0x1579d:$s3: CallNextHook 0x157aa:$s4: _hook
4.2.upXUt2jZ0S.exe.590000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b68:$x1: $%SMTPDV$ 0x1854c:$x2: $#TheHashHere%& 0x19b10:$x3: %FTPDV$ 0x184ec:$x4: $%TelegramDv$ 0x15df2:$x5: KeyLoggerEventArgs 0x16187:$x5: KeyLoggerEventArgs 0x19b34:$m2: Clipboard Logs ID 0x19d72:$m2: Screenshot Logs ID 0x19e82:$m2: keystroke Logs ID 0x1a15c:$m3: SnakePW 0x19d4a:$m4: \SnakeKeylogger\
0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14bc0:$a1: get_encryptedPassword 0x355e0:$a1: get_encryptedPassword 0x14eac:$a2: get_encryptedUsername 0x358cc:$a2: get_encryptedUsername 0x149cc:$a3: get_timePasswordChanged 0x353ec:$a3: get_timePasswordChanged 0x14ac7:$a4: get_passwordField 0x354e7:$a4: get_passwordField 0x14bd6:$a5: set_encryptedPassword 0x355f6:$a5: set_encryptedPassword 0x16224:$a7: get_logins 0x36c44:$a7: get_logins 0x16187:$a10: KeyLoggerEventArgs 0x36ba7:$a10: KeyLoggerEventArgs 0x15df2:$a11: KeyLoggerEventArgsEventHandler 0x36812:$a11: KeyLoggerEventArgsEventHandler
0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c52c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cf4c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b75e:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c17e:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb91:$a4: \Orbitum\User Data\Default\Login Data 0x3c5b1:$a4: \Orbitum\User Data\Default\Login Data 0x1cbd0:$a5: \Kometa\User Data\Default\Login Data 0x3d5f0:$a5: \Kometa\User Data\Default\Login Data
0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1578e:$s1: UnHook 0x361ae:$s1: UnHook 0x15795:$s2: SetHook 0x361b5:$s2: SetHook 0x1579d:$s3: CallNextHook 0x361bd:$s3: CallNextHook 0x157aa:$s4: _hook 0x361ca:$s4: _hook
0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b68:$x1: $%SMTPDV$ 0x3a588:$x1: $%SMTPDV$ 0x1854c:$x2: $#TheHashHere%& 0x38f6c:$x2: $#TheHashHere%& 0x19b10:$x3: %FTPDV$ 0x3a530:$x3: %FTPDV$ 0x184ec:$x4: $%TelegramDv$ 0x38f0c:$x4: $%TelegramDv$ 0x15df2:$x5: KeyLoggerEventArgs 0x16187:$x5: KeyLoggerEventArgs 0x36812:$x5: KeyLoggerEventArgs 0x36ba7:$x5: KeyLoggerEventArgs 0x19b34:$m2: Clipboard Logs ID 0x19d72:$m2: Screenshot Logs ID 0x19e82:$m2: keystroke Logs ID 0x3a554:$m2: Clipboard Logs ID 0x3a792:$m2: Screenshot Logs ID 0x3a8a2:$m2: keystroke Logs ID 0x1a15c:$m3: SnakePW 0x3ab7c:$m3: SnakePW 0x19d4a:$m4: \SnakeKeylogger\
0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14bc0:$a1: get_encryptedPassword 0x357f0:$a1: get_encryptedPassword 0x56210:$a1: get_encryptedPassword 0x14eac:$a2: get_encryptedUsername 0x35adc:$a2: get_encryptedUsername 0x564fc:$a2: get_encryptedUsername 0x149cc:$a3: get_timePasswordChanged 0x355fc:$a3: get_timePasswordChanged 0x5601c:$a3: get_timePasswordChanged 0x14ac7:$a4: get_passwordField 0x356f7:$a4: get_passwordField 0x56117:$a4: get_passwordField 0x14bd6:$a5: set_encryptedPassword 0x35806:$a5: set_encryptedPassword 0x56226:$a5: set_encryptedPassword 0x16224:$a7: get_logins 0x36e54:$a7: get_logins 0x57874:$a7: get_logins 0x16187:$a10: KeyLoggerEventArgs 0x36db7:$a10: KeyLoggerEventArgs 0x577d7:$a10: KeyLoggerEventArgs
0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c52c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d15c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5db7c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b75e:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c38e:$a3: \Google\Chrome\User Data\Default\Login Data 0x5cdae:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb91:$a4: \Orbitum\User Data\Default\Login Data 0x3c7c1:$a4: \Orbitum\User Data\Default\Login Data 0x5d1e1:$a4: \Orbitum\User Data\Default\Login Data 0x1cbd0:$a5: \Kometa\User Data\Default\Login Data 0x3d800:$a5: \Kometa\User Data\Default\Login Data 0x5e220:$a5: \Kometa\User Data\Default\Login Data
0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1578e:$s1: UnHook 0x363be:$s1: UnHook 0x56dde:$s1: UnHook 0x15795:$s2: SetHook 0x363c5:$s2: SetHook 0x56de5:$s2: SetHook 0x1579d:$s3: CallNextHook 0x363cd:$s3: CallNextHook 0x56ded:$s3: CallNextHook 0x157aa:$s4: _hook 0x363da:$s4: _hook 0x56dfa:$s4: _hook
0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b68:$x1: $%SMTPDV$ 0x3a798:$x1: $%SMTPDV$ 0x5b1b8:$x1: $%SMTPDV$ 0x1854c:$x2: $#TheHashHere%& 0x3917c:$x2: $#TheHashHere%& 0x59b9c:$x2: $#TheHashHere%& 0x19b10:$x3: %FTPDV$ 0x3a740:$x3: %FTPDV$ 0x5b160:$x3: %FTPDV$ 0x184ec:$x4: $%TelegramDv$ 0x3911c:$x4: $%TelegramDv$ 0x59b3c:$x4: $%TelegramDv$ 0x15df2:$x5: KeyLoggerEventArgs 0x16187:$x5: KeyLoggerEventArgs 0x36a22:$x5: KeyLoggerEventArgs 0x36db7:$x5: KeyLoggerEventArgs 0x57442:$x5: KeyLoggerEventArgs 0x577d7:$x5: KeyLoggerEventArgs 0x19b34:$m2: Clipboard Logs ID 0x19d72:$m2: Screenshot Logs ID 0x19e82:$m2: keystroke Logs ID
0.2.upXUt2jZ0S.exe.41d8770.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.upXUt2jZ0S.exe.41d8770.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.upXUt2jZ0S.exe.41d8770.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.upXUt2jZ0S.exe.41d8770.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa5a60:$a1: get_encryptedPassword 0xc6690:$a1: get_encryptedPassword 0xe70b0:$a1: get_encryptedPassword 0xa5d4c:$a2: get_encryptedUsername 0xc697c:$a2: get_encryptedUsername 0xe739c:$a2: get_encryptedUsername 0xa586c:$a3: get_timePasswordChanged 0xc649c:$a3: get_timePasswordChanged 0xe6ebc:$a3: get_timePasswordChanged 0xa5967:$a4: get_passwordField 0xc6597:$a4: get_passwordField 0xe6fb7:$a4: get_passwordField 0xa5a76:$a5: set_encryptedPassword 0xc66a6:$a5: set_encryptedPassword 0xe70c6:$a5: set_encryptedPassword 0xa70c4:$a7: get_logins 0xc7cf4:$a7: get_logins 0xe8714:$a7: get_logins 0xa7027:$a10: KeyLoggerEventArgs 0xc7c57:$a10: KeyLoggerEventArgs 0xe8677:$a10: KeyLoggerEventArgs
0.2.upXUt2jZ0S.exe.41d8770.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xa662e:$s1: UnHook 0xc725e:$s1: UnHook 0xe7c7e:$s1: UnHook 0xa6635:$s2: SetHook 0xc7265:$s2: SetHook 0xe7c85:$s2: SetHook 0xa663d:$s3: CallNextHook 0xc726d:$s3: CallNextHook 0xe7c8d:$s3: CallNextHook 0xa664a:$s4: _hook 0xc727a:$s4: _hook 0xe7c9a:$s4: _hook
0.2.upXUt2jZ0S.exe.41d8770.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xaaa08:$x1: $%SMTPDV$ 0xcb638:$x1: $%SMTPDV$ 0xec058:$x1: $%SMTPDV$ 0xa93ec:$x2: $#TheHashHere%& 0xca01c:$x2: $#TheHashHere%& 0xeaa3c:$x2: $#TheHashHere%& 0xaa9b0:$x3: %FTPDV$ 0xcb5e0:$x3: %FTPDV$ 0xec000:$x3: %FTPDV$ 0xa938c:$x4: $%TelegramDv$ 0xc9fbc:$x4: $%TelegramDv$ 0xea9dc:$x4: $%TelegramDv$ 0xa6c92:$x5: KeyLoggerEventArgs 0xa7027:$x5: KeyLoggerEventArgs 0xc78c2:$x5: KeyLoggerEventArgs 0xc7c57:$x5: KeyLoggerEventArgs 0xe82e2:$x5: KeyLoggerEventArgs 0xe8677:$x5: KeyLoggerEventArgs 0xaa9d4:$m2: Clipboard Logs ID 0xaac12:$m2: Screenshot Logs ID 0xaad22:$m2: keystroke Logs ID
Click to see the 34 entries

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\upXUt2jZ0S.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', CommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\upXUt2jZ0S.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\upXUt2jZ0S.exe", ParentImage: C:\Users\user\Desktop\upXUt2jZ0S.exe, ParentProcessId: 2716, ParentProcessName: upXUt2jZ0S.exe, ProcessCommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\upXUt2jZ0S.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', ProcessId: 3964, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3964, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3964, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\upXUt2jZ0S.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', CommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\upXUt2jZ0S.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\upXUt2jZ0S.exe", ParentImage: C:\Users\user\Desktop\upXUt2jZ0S.exe, ParentProcessId: 2716, ParentProcessName: upXUt2jZ0S.exe, ProcessCommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\upXUt2jZ0S.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', ProcessId: 3964, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5136, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Copy file to startup via Powershell

Source: Process started

Author: Joe Security: Data: Command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\upXUt2jZ0S.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', CommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\upXUt2jZ0S.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\upXUt2jZ0S.exe", ParentImage: C:\Users\user\Desktop\upXUt2jZ0S.exe, ParentProcessId: 2716, ParentProcessName: upXUt2jZ0S.exe, ProcessCommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\upXUt2jZ0S.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', ProcessId: 3964, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:55:54.942841+0100	2803305	3	Unknown Traffic	192.168.2.9	49794	104.21.48.1	443	TCP
2025-01-10T21:55:59.613581+0100	2803305	3	Unknown Traffic	192.168.2.9	49826	104.21.48.1	443	TCP
2025-01-10T21:56:00.946154+0100	2803305	3	Unknown Traffic	192.168.2.9	49836	104.21.48.1	443	TCP
2025-01-10T21:56:02.283538+0100	2803305	3	Unknown Traffic	192.168.2.9	49845	104.21.48.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:55:49.925091+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49738	132.226.247.73	80	TCP
2025-01-10T21:55:54.012223+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49738	132.226.247.73	80	TCP
2025-01-10T21:55:54.378282+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49738	132.226.247.73	80	TCP
2025-01-10T21:55:56.675118+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49799	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6956304715:AAGEsKc2_BChUeZlL8X0MH3xZIsug2zAAIA/sendMessage?chat_id=6939220311", "Token": "6956304715:AAGEsKc2_BChUeZlL8X0MH3xZIsug2zAAIA", "Chat_id": "6939220311", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Virustotal: Detection: 61%			Perma Link

Multi AV Scanner detection for submitted file

Source: upXUt2jZ0S.exe	ReversingLabs: Detection: 68%
Source: upXUt2jZ0S.exe	Virustotal: Detection: 61%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: upXUt2jZ0S.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: upXUt2jZ0S.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.9:49761 version: TLS 1.0

Source: upXUt2jZ0S.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: Microsoft.VisualBasic.pdbL0Tw# source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbi source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbGq source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.pdbPY4& source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbN source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbd source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.PDB source: .exe, 0000000A.00000002.1795968848.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.Xml.pdbd source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.Xml.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbn^ source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: upXUt2jZ0S.exe, 00000000.00000002.2592580416.0000000003181000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000007.00000002.2610356599.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, .exe, 00000007.00000002.2594797460.0000000002D11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: %%.pdb source: .exe, 0000000A.00000002.1795968848.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.PDBl source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.ni.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER65D3.tmp.dmp.16.dr

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.upXUt2jZ0S.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upXUt2jZ0S.exe.41d8770.4.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.9:60784 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49738 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49799 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49794 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49836 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49826 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49845 -> 104.21.48.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.9:49761 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa

Source: upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002616000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026CB000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002708000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026BD000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026D9000.00000004.00000800.00020000.00000000.sdmp, .exe, 0000000A.00000002.1797959827.00000000030B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002616000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026CB000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002659000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002708000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026BD000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026D9000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.000000000260A000.00000004.00000800.00020000.00000000.sdmp, .exe, 0000000A.00000002.1797959827.00000000030B3000.00000004.00000800.00020000.00000000.sdmp, .exe, 0000000A.00000002.1797959827.00000000030A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002551000.00000004.00000800.00020000.00000000.sdmp, .exe, 0000000A.00000002.1797959827.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: upXUt2jZ0S.exe, 00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: powershell.exe, 00000002.00000002.1384829264.0000000006F6C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1563393236.00000000071F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: svchost.exe, 00000005.00000002.2594028413.00000294CE884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.1381308644.0000000005508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1560390243.0000000005855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.1541702733.0000000004942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.000000000262E000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026CB000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002708000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026BD000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: powershell.exe, 00000002.00000002.1378357303.00000000044A1000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1541702733.00000000047F1000.00000004.00000800.00020000.00000000.sdmp, .exe, 0000000A.00000002.1797959827.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.1541702733.0000000004942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1378357303.00000000044A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1541702733.00000000047F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000008.00000002.1560390243.0000000005855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.1560390243.0000000005855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.1560390243.0000000005855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000005.00000003.1371247818.00000294CE670000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: .exe.2.dr	String found in binary or memory: https://github.com/0xd4d/dnSpy/wiki/Debugging-Unity-Games
Source: powershell.exe, 00000008.00000002.1541702733.0000000004942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1381308644.0000000005508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1560390243.0000000005855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002616000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026CB000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002659000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002708000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026BD000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: upXUt2jZ0S.exe, 00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002616000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026CB000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002659000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002708000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026BD000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.upXUt2jZ0S.exe.4269610.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.upXUt2jZ0S.exe.4269610.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.upXUt2jZ0S.exe.4269610.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.upXUt2jZ0S.exe.4269610.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.upXUt2jZ0S.exe.428a240.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.upXUt2jZ0S.exe.428a240.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.upXUt2jZ0S.exe.428a240.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.upXUt2jZ0S.exe.428a240.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.upXUt2jZ0S.exe.590000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.upXUt2jZ0S.exe.590000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.upXUt2jZ0S.exe.590000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.upXUt2jZ0S.exe.590000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.upXUt2jZ0S.exe.41d8770.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.upXUt2jZ0S.exe.41d8770.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.upXUt2jZ0S.exe.41d8770.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: upXUt2jZ0S.exe PID: 2716, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: upXUt2jZ0S.exe PID: 2716, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: upXUt2jZ0S.exe PID: 1184, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: upXUt2jZ0S.exe PID: 1184, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to dropped file

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 0_2_0302D364	0_2_0302D364
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 0_2_05CF0A88	0_2_05CF0A88
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 0_2_05CF0A79	0_2_05CF0A79
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 0_2_06501710	0_2_06501710
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 0_2_0650E520	0_2_0650E520
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 0_2_06502C00	0_2_06502C00
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 4_2_0083C1D1	4_2_0083C1D1
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 4_2_00836108	4_2_00836108
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 4_2_0083B328	4_2_0083B328
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 4_2_0083C4B1	4_2_0083C4B1
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 4_2_0083C790	4_2_0083C790
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 4_2_00836730	4_2_00836730
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 4_2_00839858	4_2_00839858
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 4_2_00834AD9	4_2_00834AD9
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 4_2_0083CA70	4_2_0083CA70
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 4_2_0083CD51	4_2_0083CD51
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 4_2_0083BEF0	4_2_0083BEF0
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 4_2_0083B4F2	4_2_0083B4F2
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 4_2_00833570	4_2_00833570
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 7_2_014BD364	7_2_014BD364
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 7_2_07261710	7_2_07261710
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 7_2_0726E520	7_2_0726E520
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 7_2_07262C00	7_2_07262C00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 10_2_01373578	10_2_01373578

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 1528

Source: upXUt2jZ0S.exe, 00000000.00000002.2588995313.000000000148E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs upXUt2jZ0S.exe
Source: upXUt2jZ0S.exe, 00000000.00000002.2592580416.0000000003181000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs upXUt2jZ0S.exe
Source: upXUt2jZ0S.exe, 00000000.00000002.2592580416.0000000003181000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs upXUt2jZ0S.exe
Source: upXUt2jZ0S.exe, 00000000.00000000.1344261917.0000000000F0A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInochia.exe0 vs upXUt2jZ0S.exe
Source: upXUt2jZ0S.exe, 00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs upXUt2jZ0S.exe
Source: upXUt2jZ0S.exe, 00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs upXUt2jZ0S.exe
Source: upXUt2jZ0S.exe, 00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs upXUt2jZ0S.exe
Source: upXUt2jZ0S.exe	Binary or memory string: OriginalFilenameInochia.exe0 vs upXUt2jZ0S.exe

Source: upXUt2jZ0S.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.upXUt2jZ0S.exe.4269610.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.upXUt2jZ0S.exe.4269610.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.upXUt2jZ0S.exe.4269610.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.upXUt2jZ0S.exe.4269610.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.upXUt2jZ0S.exe.428a240.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.upXUt2jZ0S.exe.428a240.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.upXUt2jZ0S.exe.428a240.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.upXUt2jZ0S.exe.428a240.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.upXUt2jZ0S.exe.590000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.upXUt2jZ0S.exe.590000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.upXUt2jZ0S.exe.590000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.upXUt2jZ0S.exe.590000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.upXUt2jZ0S.exe.41d8770.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.upXUt2jZ0S.exe.41d8770.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.upXUt2jZ0S.exe.41d8770.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: upXUt2jZ0S.exe PID: 2716, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: upXUt2jZ0S.exe PID: 2716, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: upXUt2jZ0S.exe PID: 1184, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: upXUt2jZ0S.exe PID: 1184, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: classification engine

Classification label: mal100.spre.troj.adwa.evad.winEXE@19/16@3/3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7624

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4oc1j4jg.cbj.ps1

Jump to behavior

Source: upXUt2jZ0S.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: upXUt2jZ0S.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\upXUt2jZ0S.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\upXUt2jZ0S.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: upXUt2jZ0S.exe	ReversingLabs: Detection: 68%
Source: upXUt2jZ0S.exe	Virustotal: Detection: 61%

Source: unknown	Process created: C:\Users\user\Desktop\upXUt2jZ0S.exe "C:\Users\user\Desktop\upXUt2jZ0S.exe"
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\upXUt2jZ0S.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process created: C:\Users\user\Desktop\upXUt2jZ0S.exe "C:\Users\user\Desktop\upXUt2jZ0S.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\upXUt2jZ0S.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 1528
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\upXUt2jZ0S.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process created: C:\Users\user\Desktop\upXUt2jZ0S.exe "C:\Users\user\Desktop\upXUt2jZ0S.exe"	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\upXUt2jZ0S.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3

Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\upXUt2jZ0S.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\upXUt2jZ0S.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: upXUt2jZ0S.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: upXUt2jZ0S.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: Microsoft.VisualBasic.pdbL0Tw# source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbi source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbGq source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.pdbPY4& source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbN source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbd source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.PDB source: .exe, 0000000A.00000002.1795968848.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.Xml.pdbd source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.Xml.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbn^ source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: upXUt2jZ0S.exe, 00000000.00000002.2592580416.0000000003181000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000007.00000002.2610356599.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, .exe, 00000007.00000002.2594797460.0000000002D11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: %%.pdb source: .exe, 0000000A.00000002.1795968848.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.PDBl source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.ni.pdb source: WER65D3.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER65D3.tmp.dmp.16.dr

Source: upXUt2jZ0S.exe

Static PE information: 0x81AF2B24 [Sun Dec 12 04:25:08 2038 UTC]

Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 0_2_065076D0 pushad ; ret	0_2_065076D1
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 0_2_06500013 push es; retf	0_2_0650001C
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 0_2_06508C20 pushad ; iretd	0_2_06508C21
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 0_2_06508C22 push esp; iretd	0_2_06508C29
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Code function: 0_2_0650F8A0 pushfd ; iretd	0_2_0650F8A1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 7_2_072676D0 pushad ; ret	7_2_072676D1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 7_2_07268C20 pushad ; iretd	7_2_07268C21
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_04706BA8 push 90081B79h; ret	8_2_04706E75
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Code function: 10_2_013724B9 push 8BFFFFFFh; retf	10_2_013724BF

Source: upXUt2jZ0S.exe	Static PE information: section name: .text entropy: 7.347382019818626
Source: .exe.2.dr	Static PE information: section name: .text entropy: 7.347382019818626

Persistence and Installation Behavior

Creates executable files without a name

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe\:Zone.Identifier:$DATA			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\upXUt2jZ0S.exe"
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\upXUt2jZ0S.exe"			Jump to behavior

Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Memory allocated: 3020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Memory allocated: 3180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Memory allocated: 5180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Memory allocated: 820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Memory allocated: 2550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Memory allocated: AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Memory allocated: 1490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Memory allocated: 2D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Memory allocated: 4D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Memory allocated: 12E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Memory allocated: 2FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Memory allocated: 2F30000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598764	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 596060	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 595837	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 595728	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 595524	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 595393	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 595272	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 594826	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 594717	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1453	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1095	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Window / User API: threadDelayed 7617	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Window / User API: threadDelayed 2202	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3873	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1777	Jump to behavior

Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 2440	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2288	Thread sleep count: 1453 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4632	Thread sleep count: 1095 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7232	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3916	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7376	Thread sleep count: 7617 > 30	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7376	Thread sleep count: 2202 > 30	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -598764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -598218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -597891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -597766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -596953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -596060s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -595837s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -595728s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -595524s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -595393s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -595272s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -595047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -594826s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -594717s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -594609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -594500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -594391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -594281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe TID: 7372	Thread sleep time: -594172s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7188	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 7476	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep count: 3873 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7572	Thread sleep count: 1777 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598764	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 596060	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 595837	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 595728	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 595524	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 595393	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 595272	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 594826	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 594717	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: upXUt2jZ0S.exe, .exe.2.dr	Binary or memory string: ResumeVirtualMachine
Source: upXUt2jZ0S.exe, .exe.2.dr	Binary or memory string: InitializeVirtualMachine
Source: upXUt2jZ0S.exe, 00000004.00000002.1560391567.0000000005D30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: .exe, 0000000A.00000002.1796684771.00000000013B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: upXUt2jZ0S.exe, 00000004.00000002.1549705639.0000000000886000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: svchost.exe, 00000005.00000002.2593915418.00000294CE854000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2591225426.00000294C922B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2593762646.00000294CE841000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: upXUt2jZ0S.exe, .exe.2.dr	Binary or memory string: get_VirtualMachine
Source: upXUt2jZ0S.exe, .exe.2.dr	Binary or memory string: get_MonoVirtualMachine
Source: upXUt2jZ0S.exe, .exe.2.dr	Binary or memory string: VirtualMachineManager

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\upXUt2jZ0S.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\upXUt2jZ0S.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\upXUt2jZ0S.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'

Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\upXUt2jZ0S.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process created: C:\Users\user\Desktop\upXUt2jZ0S.exe "C:\Users\user\Desktop\upXUt2jZ0S.exe"	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\upXUt2jZ0S.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3

Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Queries volume information: C:\Users\user\Desktop\upXUt2jZ0S.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Queries volume information: C:\Users\user\Desktop\upXUt2jZ0S.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\upXUt2jZ0S.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\upXUt2jZ0S.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.upXUt2jZ0S.exe.4269610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upXUt2jZ0S.exe.428a240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.upXUt2jZ0S.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upXUt2jZ0S.exe.41d8770.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1554551898.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1797959827.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: upXUt2jZ0S.exe PID: 2716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: upXUt2jZ0S.exe PID: 1184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .exe PID: 7624, type: MEMORYSTR

Source: Yara match	File source: 0.2.upXUt2jZ0S.exe.4269610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upXUt2jZ0S.exe.428a240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.upXUt2jZ0S.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upXUt2jZ0S.exe.41d8770.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: upXUt2jZ0S.exe PID: 2716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: upXUt2jZ0S.exe PID: 1184, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.upXUt2jZ0S.exe.4269610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upXUt2jZ0S.exe.428a240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.upXUt2jZ0S.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upXUt2jZ0S.exe.428a240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upXUt2jZ0S.exe.4269610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upXUt2jZ0S.exe.41d8770.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1554551898.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1797959827.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: upXUt2jZ0S.exe PID: 2716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: upXUt2jZ0S.exe PID: 1184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .exe PID: 7624, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 PowerShell	12 Registry Run Keys / Startup Folder	11 Process Injection	111 Masquerading	OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	51 Virtualization/Sandbox Evasion	Security Account Manager	51 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
upXUt2jZ0S.exe	68%	ReversingLabs	Win32.Trojan.SnakeKeylogger
upXUt2jZ0S.exe	61%	Virustotal		Browse
upXUt2jZ0S.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	68%	ReversingLabs	Win32.Trojan.SnakeKeylogger
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	61%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
reallyfreegeoip.org	104.21.48.1	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
15.164.165.52.in-addr.arpa	unknown	unknown	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1381308644.0000000005508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1560390243.0000000005855000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/0xd4d/dnSpy/wiki/Debugging-Unity-Games	.exe.2.dr	false	high
http://crl.micro	powershell.exe, 00000002.00000002.1384829264.0000000006F6C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1563393236.00000000071F0000.00000004.00000020.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.1541702733.0000000004942000.00000004.00000800.00020000.00000000.sdmp	false	high
https://g.live.com/odclientsettings/Prod-C:	edb.log.5.dr	false	high
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.1378357303.00000000044A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1541702733.00000000047F1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.1541702733.0000000004942000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	upXUt2jZ0S.exe, 00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000008.00000002.1560390243.0000000005855000.00000004.00000800.00020000.00000000.sdmp	false	high
https://g.live.com/odclientsettings/ProdV2-C:	svchost.exe, 00000005.00000003.1371247818.00000294CE670000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1381308644.0000000005508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1560390243.0000000005855000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000008.00000002.1560390243.0000000005855000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026CB000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002659000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002708000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026BD000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026D9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.000000000262E000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026CB000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002708000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026BD000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026D9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000008.00000002.1560390243.0000000005855000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002616000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026CB000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002659000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002708000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026BD000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026D9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.ver)	svchost.exe, 00000005.00000002.2594028413.00000294CE884000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002616000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026CB000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002659000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002708000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026BD000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026D9000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.000000000260A000.00000004.00000800.00020000.00000000.sdmp, .exe, 0000000A.00000002.1797959827.00000000030B3000.00000004.00000800.00020000.00000000.sdmp, .exe, 0000000A.00000002.1797959827.00000000030A6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002616000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026CB000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002708000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026BD000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.00000000026D9000.00000004.00000800.00020000.00000000.sdmp, .exe, 0000000A.00000002.1797959827.00000000030B3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1378357303.00000000044A1000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1541702733.00000000047F1000.00000004.00000800.00020000.00000000.sdmp, .exe, 0000000A.00000002.1797959827.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.1541702733.0000000004942000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	upXUt2jZ0S.exe, 00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1554551898.0000000002616000.00000004.00000800.00020000.00000000.sdmp, upXUt2jZ0S.exe, 00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588147
Start date and time:	2025-01-10 21:54:51 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	upXUt2jZ0S.exe renamed because original name is a hash value
Original Sample Name:	d53a9888b375983c277dc4471f3f37e258cca57a1e242784c4130b928127c254.exe
Detection:	MAL
Classification:	mal100.spre.troj.adwa.evad.winEXE@19/16@3/3
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 132 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 13.89.179.12, 13.107.246.45, 4.245.163.56, 40.126.32.138, 52.165.164.15, 20.109.210.53
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, onedsblobprdcus17.centralus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, login.live.com, e16604.g.akamaiedge.net, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net
Execution Graph export aborted for target .exe, PID 7624 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3964 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7504 because it is empty
Execution Graph export aborted for target upXUt2jZ0S.exe, PID 1184 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:55:44	API Interceptor	80x Sleep call for process: upXUt2jZ0S.exe modified
15:55:46	API Interceptor	2x Sleep call for process: svchost.exe modified
15:55:46	API Interceptor	7x Sleep call for process: powershell.exe modified
15:56:01	API Interceptor	1x Sleep call for process: .exe modified
15:56:28	API Interceptor	1x Sleep call for process: WerFault.exe modified
20:55:51	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/j2vs/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
132.226.247.73	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	247714231173424547.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	984279432356016169.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	https://cocteldedeas.mx/rx567#cmVjaWJhc2VAc2VhbWFyaXRpbWEuY29t	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	I3LPkQh2an.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	295963673155714664.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	24928193762733825739.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	13.107.246.45
	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Bontrageroutdoors_Project_Update_202557516.pdf	Get hash	malicious	Unknown	Browse	13.107.246.45
	AuKUol8SPU.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
checkip.dyndns.com	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
reallyfreegeoip.org	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	jG8N6WDJOx.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	gKvjKMCUfq.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	HGhGAjCVw5.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
UTMEMUS	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	CvzLvta2bG.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.49320858179212973
Encrypted:	false
SSDEEP:	1536:cJNnm0h6QV70hV40h5RJkS6SNJNJbSMeCXhtvKTeYYJyNtEBRDna33JnbgY1Ztan:cJhXC9lHmutpJyiRDeJ/aUKrDgnmJ
MD5:	3470EB01E2E31041BFA8A642BA17A5AF
SHA1:	E7D599F0FD8DDC7058B29154F1DDF630B38148C2
SHA-256:	CE4619A5EFC06BD36C2A7CE53703C97C5B743D94BF8A4F981D0E68AFCC0C3FCB
SHA-512:	7C25EF97176E41B64DD336D3513C99FA562FE97E42ABEAB7217589EB565462F38037CEB94E1BE93DD32ADE1FE934B0F6B93106918331A4A1A6B520D54F513F58
Malicious:	false
Preview:	^.;V........@..@-....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................&.#.\.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xf3fc2108, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7216983381064119
Encrypted:	false
SSDEEP:	1536:rSB2ESB2SSjlK/Tv5m0hnRJjAVtu8Ykr3g16tV2UPkLk+kcBLZiAcZwytuknSDVd:razaNvFv8V2UW/DLzN/w4wZi
MD5:	FBDCA77CB82E9069881C2A35B84B7611
SHA1:	217813CD5D7C986C5FF90B8E5F2EB91C23999256
SHA-256:	9CCE830E986ED49FEBBDB2378CFD99856F09E48B55DB5C2DD2376841EBEC8217
SHA-512:	64034854BA92C6964A5F5AA992F509FF53B295D2351AD791998314C81428AAFEE8D7F41C04B5708E01747BB6568226FC1484068D54828EC6D93AAA5A17B21E62
Malicious:	false
Preview:	..!.... ...............X\...;...{......................p.D..........{}..7...}..h.F.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......-....{...............................................................................................................................................................................................2...{.....................................t.7...}......................7...}...........................#......h.F.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08096791731506894
Encrypted:	false
SSDEEP:	3:N2llKYe8iWO/fgsCrZClW/tRLiWjloll+SHY/Xl+/rQLve:Y/KzO+fgs3GvL1CAS4M
MD5:	D3BC5DE48DA2AD1DE02F2FDABAA02C72
SHA1:	9ED0FF1871094577A46DEEA603F338913E181879
SHA-256:	35B8B71C09394FC7DB76C972E8325BA78C01934455534A3CE228B93F422686A0
SHA-512:	642D5B9B715D172C6AE43F478086825EA876B8FEF38DC7CFF09506F5B9BDE453A3270168DE98B59B1A74EB3ABC02D407E6F9B1EDDDF2F85EE69F5DA00BF539CF
Malicious:	false
Preview:	2........................................;...{...7...}.......{}..............{}......{}.vv_Q.....{}.....................7...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_.exe_4fd875b65d5c828f378f9ce7d8dd6c3315c4c3_2cfaa02b_cc41215d-848b-4d3c-a40a-a0d2245250a7\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0950866094737384
Encrypted:	false
SSDEEP:	192:q3joSaI0T0BU/HbGa6ce36izuiFCZ24IO8Q3g:kjoSaI0ABU/6arVizuiFCY4IO8Qw
MD5:	F63C0C566C19CC7FF005D5CD658E8767
SHA1:	71BFF0EB45EB1119DA850EE75B0EA2D38FB3527F
SHA-256:	5ABA8A576C782E37557E549F3E143C967B2CB4F8886EC82E2517793F2F25905A
SHA-512:	63D4BE344AE9E1EDD6009B2780ECCCB81D456F744227AFC89E518AB0D27B3C283B50E974B55F43545562B12F872CB0375B556B8DF814790E1C823B0D2DA9E458
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.1.6.1.6.7.7.3.0.0.5.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.0.1.6.1.6.8.5.4.2.5.4.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.c.4.1.2.1.5.d.-.8.4.8.b.-.4.d.3.c.-.a.4.0.a.-.a.0.d.2.2.4.5.2.5.0.a.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.2.7.d.4.3.d.a.-.d.c.e.c.-.4.6.3.e.-.a.e.b.0.-.2.2.a.0.5.3.c.5.e.a.e.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.n.o.c.h.i.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.c.8.-.0.0.0.1.-.0.0.1.4.-.3.a.6.7.-.3.1.0.f.a.2.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.1.7.5.8.0.2.8.9.e.c.f.b.2.6.f.1.8.b.f.6.9.0.1.4.4.5.5.a.9.3.8.0.0.0.0.0.0.0.0.!.0.0.0.0.8.c.c.4.1.5.a.5.8.d.a.e.5.2.f.8.2.b.e.f.c.0.d.a.f.d.9.4.7.d.5.1.9.a.4.b.1.5.7.4.!...e.x.e...

C:\ProgramData\Microsoft\Windows\WER\Temp\WER65D3.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Jan 10 20:56:08 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	270634
Entropy (8bit):	3.716225568089184
Encrypted:	false
SSDEEP:	3072:HvnBuEacuUNhwP8Tt0nNMWc4uEqSyU6D/LTgx9AYAx86Mp:HvnBuEa9faWc4/ynXTgx9AW
MD5:	54F39FE7FAA14C762EC5FC905E52BEF5
SHA1:	CF84E516FFF17BBAAFBCB16CB90539B85B3CE2F5
SHA-256:	23958E42D6560E9CE4938C847179EBE63787E5165230D9879CC6DAF3D9C25AAF
SHA-512:	5B9E8055AB9F939FA82AB575E7479F67AE7AB3201DD70D87D388EC0957D79ECE7BE614EC384119A49CECDA52B8970178989430D904E93347E58725038C1567DA
Malicious:	false
Preview:	MDMP..a..... .......h..g............D...............X.......<....#......4%...R..........`.......8...........T............<..............,$...........&..............................................................................eJ.......&......GenuineIntel............T...........b..g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER672C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8264
Entropy (8bit):	3.692532079870383
Encrypted:	false
SSDEEP:	192:R6l7wVeJeF6wp6Y/M6m1gmf540mprr89bmUsfDim:R6lXJs6E6YU6Ugmf540/mHfn
MD5:	AEB3597132E9F4131444CDF337DFF188
SHA1:	C3D8B7C8DD5C02648403B729843F7A2FA1BEB1AE
SHA-256:	B7FA1FD8395DBD0FEA0DE6F7224C45671C7D5B9A1954013BE4AF38D051B1280B
SHA-512:	C75674AE9C751396EE2C484A0AEB173D280D3260012341176A4117BD5FB88CFB7DF0568DA0D812DF905E83DD93B444ECC63D459AA438DDFA00C1F27EC959AE19
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER677B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4607
Entropy (8bit):	4.4480518940622575
Encrypted:	false
SSDEEP:	48:cvIwWl8zslJg77aI9WiwWpW8VYFYm8M4JPjFxO+q8T4XPlJ0Rd:uIjf/I7RJ7VxJLOXXPwRd
MD5:	88983681B3A6BA37C0FCF8E9770D13A3
SHA1:	56626C6721683BFBBE3A90332E6B38C50FDE93D0
SHA-256:	F3BB6C3D79489B5F4D9BC1710795C4CC86E5F16FB98BFBB5909158334A0A744B
SHA-512:	31F19B1920BC50E60E6F6A648503617F3CEC56B5BA8688B158F8FF54FDE455688A01F578EF25176E7D15D4F4538EFBD6BB6BB2A3B13EA345135F16DF42D67076
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670318" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\upXUt2jZ0S.exe.log

Download File

Process:	C:\Users\user\Desktop\upXUt2jZ0S.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1248
Entropy (8bit):	5.370777891441471
Encrypted:	false
SSDEEP:	24:3vQWWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9tXt/NK3R8UHrx:YWWSU4y4RQmFoUeWmfmZ9tlNWR8Wt
MD5:	93C80849E27DDE20CCB9753F5E77CFEF
SHA1:	D804D9BDD6F298E64F1CF6FD9CB6B4B47BB93C48
SHA-256:	A0DD3BB5A627248AC2FCBF8BB234C769E5D33230B92DE9FCD1AB6E39AE4815F1
SHA-512:	250FBCD5905FF70E5CB723E6CF23CF19F7C64F55D7F22A05A54248F34E07A4C825680C0C905FF45DF60998CB7DA84B3E5342B105EEF613EBBCA569F03B63B84E
Malicious:	false
Preview:	@...e.................................f..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4oc1j4jg.cbj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5eyc0nol.gd3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_crluqciu.vvk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yvr3kyui.0ji.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	555520
Entropy (8bit):	7.336606448393891
Encrypted:	false
SSDEEP:	12288:YiU+RfWk1oPD4MAQXOHx7S+r0c4rOQe9HDv24RPlA24:Yi3fW3D4v3c+r0clRjvDf
MD5:	857FC5F1DA7948839D47ABE238392EA2
SHA1:	8CC415A58DAE52F82BEFC0DAFD947D519A4B1574
SHA-256:	D53A9888B375983C277DC4471F3F37E258CCA57A1E242784C4130B928127C254
SHA-512:	7AA0F11C047F5C2401B048162F5596B656872FE9BC9A20B3B674855A8EA5C31C571F196614A9C0E246394B4EA45796A82D1CBCEFBE13FBEE4945ABC348D01A9A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68% Antivirus: Virustotal, Detection: 61%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$+................0..p.............. ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....o... ...p.................. ..`.rsrc................r..............@..@.reloc...............x..............@..B........................H.......$...l.......6...Hf..."..........................................J.o...JZ..v.7.g.....u.".(A.....(/........&.(A.....".......".(J....Vs1...(K...t.........j.(^.....(_....s3...(`....>. 4......(a...2......ob...:........oc...&...of.....(g...&...{....&...{......(A....sA...}.....(h...}.....si...}......sj...}....:.{....(h.....R.(@...-.r...psk...zN....C...sl...(D...&...(E.....(A......{....{....{....o....}.....{....{....or...&6.{....o.....v.(......%-.&r...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.336606448393891
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	upXUt2jZ0S.exe
File size:	555'520 bytes
MD5:	857fc5f1da7948839d47abe238392ea2
SHA1:	8cc415a58dae52f82befc0dafd947d519a4b1574
SHA256:	d53a9888b375983c277dc4471f3f37e258cca57a1e242784c4130b928127c254
SHA512:	7aa0f11c047f5c2401b048162f5596b656872fe9bc9a20b3b674855a8ea5c31c571f196614a9c0e246394b4ea45796a82d1cbcefbe13fbee4945abc348d01a9a
SSDEEP:	12288:YiU+RfWk1oPD4MAQXOHx7S+r0c4rOQe9HDv24RPlA24:Yi3fW3D4v3c+r0clRjvDf
TLSH:	78C4CF2527BA8347D6AF5339F034525087B5A302F59AEFCC8C8468EF1D277499B093A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$+................0..p............... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x488fde
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x81AF2B24 [Sun Dec 12 04:25:08 2038 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x88f90	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x596	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x86fe4	0x87000	6222d962b822e67150285e528677419b	False	0.6019259982638889	data	7.347382019818626	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x596	0x600	bb337337fd525b603631f27b8432eb2e	False	0.41015625	data	4.03984594780929	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8c000	0xc	0x200	fd9f3ab53802688c8f3cda00e0951595	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8a0a0	0x30c	data			0.4230769230769231
RT_MANIFEST	0x8a3ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T21:55:49.925091+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49738	132.226.247.73	80	TCP
2025-01-10T21:55:54.012223+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49738	132.226.247.73	80	TCP
2025-01-10T21:55:54.378282+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49738	132.226.247.73	80	TCP
2025-01-10T21:55:54.942841+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49794	104.21.48.1	443	TCP
2025-01-10T21:55:56.675118+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49799	132.226.247.73	80	TCP
2025-01-10T21:55:59.613581+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49826	104.21.48.1	443	TCP
2025-01-10T21:56:00.946154+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49836	104.21.48.1	443	TCP
2025-01-10T21:56:02.283538+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49845	104.21.48.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:55:46.954423904 CET	49738	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:46.959229946 CET	80	49738	132.226.247.73	192.168.2.9
Jan 10, 2025 21:55:46.959305048 CET	49738	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:46.959542990 CET	49738	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:46.964276075 CET	80	49738	132.226.247.73	192.168.2.9
Jan 10, 2025 21:55:47.631844997 CET	80	49738	132.226.247.73	192.168.2.9
Jan 10, 2025 21:55:47.661509037 CET	49738	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:47.666363955 CET	80	49738	132.226.247.73	192.168.2.9
Jan 10, 2025 21:55:49.870723009 CET	80	49738	132.226.247.73	192.168.2.9
Jan 10, 2025 21:55:49.925091028 CET	49738	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:49.949619055 CET	49761	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:49.949656010 CET	443	49761	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:49.949709892 CET	49761	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:49.985052109 CET	49761	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:49.985089064 CET	443	49761	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:50.455708981 CET	443	49761	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:50.455796957 CET	49761	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:50.476711035 CET	49761	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:50.476732969 CET	443	49761	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:50.477859974 CET	443	49761	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:50.518879890 CET	49761	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:50.578707933 CET	49761	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:50.619333029 CET	443	49761	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:50.696280003 CET	443	49761	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:50.696432114 CET	443	49761	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:50.696640968 CET	49761	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:50.742134094 CET	49761	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:50.745974064 CET	49738	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:50.750962973 CET	80	49738	132.226.247.73	192.168.2.9
Jan 10, 2025 21:55:53.953176975 CET	80	49738	132.226.247.73	192.168.2.9
Jan 10, 2025 21:55:54.012223005 CET	49738	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:54.120001078 CET	49738	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:54.124814034 CET	80	49738	132.226.247.73	192.168.2.9
Jan 10, 2025 21:55:54.335509062 CET	80	49738	132.226.247.73	192.168.2.9
Jan 10, 2025 21:55:54.338560104 CET	49794	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:54.338609934 CET	443	49794	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:54.338716984 CET	49794	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:54.339406013 CET	49794	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:54.339420080 CET	443	49794	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:54.378282070 CET	49738	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:54.805670023 CET	443	49794	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:54.808099985 CET	49794	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:54.808119059 CET	443	49794	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:54.942852020 CET	443	49794	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:54.942933083 CET	443	49794	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:54.942985058 CET	49794	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:54.943697929 CET	49794	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:54.947891951 CET	49738	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:54.949273109 CET	49799	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:54.954020977 CET	80	49738	132.226.247.73	192.168.2.9
Jan 10, 2025 21:55:54.954087019 CET	49738	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:54.955188036 CET	80	49799	132.226.247.73	192.168.2.9
Jan 10, 2025 21:55:54.955297947 CET	49799	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:54.955499887 CET	49799	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:54.961466074 CET	80	49799	132.226.247.73	192.168.2.9
Jan 10, 2025 21:55:56.625652075 CET	80	49799	132.226.247.73	192.168.2.9
Jan 10, 2025 21:55:56.627113104 CET	49807	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:56.627156973 CET	443	49807	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:56.627383947 CET	49807	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:56.627703905 CET	49807	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:56.627717972 CET	443	49807	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:56.675117970 CET	49799	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:57.110718966 CET	443	49807	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:57.112909079 CET	49807	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:57.112927914 CET	443	49807	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:57.260442019 CET	443	49807	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:57.260535002 CET	443	49807	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:57.260598898 CET	49807	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:57.261157036 CET	49807	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:57.266896963 CET	49813	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:57.271708012 CET	80	49813	132.226.247.73	192.168.2.9
Jan 10, 2025 21:55:57.271786928 CET	49813	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:57.271898031 CET	49813	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:57.276669979 CET	80	49813	132.226.247.73	192.168.2.9
Jan 10, 2025 21:55:58.978566885 CET	80	49813	132.226.247.73	192.168.2.9
Jan 10, 2025 21:55:58.983273983 CET	49826	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:58.983305931 CET	443	49826	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:58.983387947 CET	49826	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:58.983870029 CET	49826	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:58.983884096 CET	443	49826	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:59.018868923 CET	49813	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:59.458817959 CET	443	49826	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:59.460772991 CET	49826	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:59.460799932 CET	443	49826	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:59.613583088 CET	443	49826	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:59.614593983 CET	443	49826	104.21.48.1	192.168.2.9
Jan 10, 2025 21:55:59.614666939 CET	49826	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:59.615051985 CET	49826	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:55:59.620258093 CET	49813	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:59.621423006 CET	49831	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:59.625282049 CET	80	49813	132.226.247.73	192.168.2.9
Jan 10, 2025 21:55:59.625354052 CET	49813	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:59.626277924 CET	80	49831	132.226.247.73	192.168.2.9
Jan 10, 2025 21:55:59.626348972 CET	49831	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:59.626461029 CET	49831	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:55:59.631350994 CET	80	49831	132.226.247.73	192.168.2.9
Jan 10, 2025 21:56:00.336684942 CET	80	49831	132.226.247.73	192.168.2.9
Jan 10, 2025 21:56:00.340322971 CET	49836	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:56:00.340364933 CET	443	49836	104.21.48.1	192.168.2.9
Jan 10, 2025 21:56:00.341914892 CET	49836	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:56:00.342192888 CET	49836	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:56:00.342202902 CET	443	49836	104.21.48.1	192.168.2.9
Jan 10, 2025 21:56:00.378251076 CET	49831	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:00.796771049 CET	443	49836	104.21.48.1	192.168.2.9
Jan 10, 2025 21:56:00.805547953 CET	49836	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:56:00.805572033 CET	443	49836	104.21.48.1	192.168.2.9
Jan 10, 2025 21:56:00.946230888 CET	443	49836	104.21.48.1	192.168.2.9
Jan 10, 2025 21:56:00.946310043 CET	443	49836	104.21.48.1	192.168.2.9
Jan 10, 2025 21:56:00.946544886 CET	49836	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:56:00.946922064 CET	49836	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:56:00.950635910 CET	49831	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:00.952183008 CET	49842	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:00.955586910 CET	80	49831	132.226.247.73	192.168.2.9
Jan 10, 2025 21:56:00.955660105 CET	49831	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:00.956984997 CET	80	49842	132.226.247.73	192.168.2.9
Jan 10, 2025 21:56:00.957072020 CET	49842	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:00.957765102 CET	49842	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:00.962605953 CET	80	49842	132.226.247.73	192.168.2.9
Jan 10, 2025 21:56:01.651186943 CET	80	49842	132.226.247.73	192.168.2.9
Jan 10, 2025 21:56:01.664659023 CET	49845	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:56:01.664716005 CET	443	49845	104.21.48.1	192.168.2.9
Jan 10, 2025 21:56:01.664810896 CET	49845	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:56:01.665585041 CET	49845	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:56:01.665606022 CET	443	49845	104.21.48.1	192.168.2.9
Jan 10, 2025 21:56:01.706423998 CET	49842	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:02.155219078 CET	443	49845	104.21.48.1	192.168.2.9
Jan 10, 2025 21:56:02.157443047 CET	49845	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:56:02.157476902 CET	443	49845	104.21.48.1	192.168.2.9
Jan 10, 2025 21:56:02.283499956 CET	443	49845	104.21.48.1	192.168.2.9
Jan 10, 2025 21:56:02.283584118 CET	443	49845	104.21.48.1	192.168.2.9
Jan 10, 2025 21:56:02.283631086 CET	49845	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:56:02.284435987 CET	49845	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:56:02.289467096 CET	49842	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:02.290891886 CET	49851	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:02.294516087 CET	80	49842	132.226.247.73	192.168.2.9
Jan 10, 2025 21:56:02.294573069 CET	49842	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:02.295707941 CET	80	49851	132.226.247.73	192.168.2.9
Jan 10, 2025 21:56:02.295799971 CET	49851	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:02.296025038 CET	49851	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:02.300846100 CET	80	49851	132.226.247.73	192.168.2.9
Jan 10, 2025 21:56:02.974539042 CET	80	49851	132.226.247.73	192.168.2.9
Jan 10, 2025 21:56:02.975843906 CET	49857	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:56:02.975893974 CET	443	49857	104.21.48.1	192.168.2.9
Jan 10, 2025 21:56:02.976351976 CET	49857	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:56:02.976579905 CET	49857	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:56:02.976598024 CET	443	49857	104.21.48.1	192.168.2.9
Jan 10, 2025 21:56:03.018909931 CET	49851	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:03.441584110 CET	443	49857	104.21.48.1	192.168.2.9
Jan 10, 2025 21:56:03.450165987 CET	49857	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:56:03.450208902 CET	443	49857	104.21.48.1	192.168.2.9
Jan 10, 2025 21:56:03.579442024 CET	443	49857	104.21.48.1	192.168.2.9
Jan 10, 2025 21:56:03.579499006 CET	443	49857	104.21.48.1	192.168.2.9
Jan 10, 2025 21:56:03.579606056 CET	49857	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:56:03.580426931 CET	49857	443	192.168.2.9	104.21.48.1
Jan 10, 2025 21:56:03.873068094 CET	49863	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:03.877866030 CET	80	49863	132.226.247.73	192.168.2.9
Jan 10, 2025 21:56:03.878022909 CET	49863	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:03.916841030 CET	49863	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:03.921643019 CET	80	49863	132.226.247.73	192.168.2.9
Jan 10, 2025 21:56:03.975198030 CET	49799	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:03.975894928 CET	49851	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:07.623919964 CET	80	49863	132.226.247.73	192.168.2.9
Jan 10, 2025 21:56:07.753262043 CET	49863	80	192.168.2.9	132.226.247.73
Jan 10, 2025 21:56:13.963978052 CET	60784	53	192.168.2.9	162.159.36.2
Jan 10, 2025 21:56:13.968776941 CET	53	60784	162.159.36.2	192.168.2.9
Jan 10, 2025 21:56:13.968848944 CET	60784	53	192.168.2.9	162.159.36.2
Jan 10, 2025 21:56:13.974960089 CET	53	60784	162.159.36.2	192.168.2.9
Jan 10, 2025 21:56:14.503804922 CET	60784	53	192.168.2.9	162.159.36.2
Jan 10, 2025 21:56:14.508886099 CET	53	60784	162.159.36.2	192.168.2.9
Jan 10, 2025 21:56:14.508941889 CET	60784	53	192.168.2.9	162.159.36.2
Jan 10, 2025 21:56:29.792005062 CET	49863	80	192.168.2.9	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:55:46.940901041 CET	49470	53	192.168.2.9	1.1.1.1
Jan 10, 2025 21:55:46.947477102 CET	53	49470	1.1.1.1	192.168.2.9
Jan 10, 2025 21:55:49.941523075 CET	49934	53	192.168.2.9	1.1.1.1
Jan 10, 2025 21:55:49.948889971 CET	53	49934	1.1.1.1	192.168.2.9
Jan 10, 2025 21:56:13.963356018 CET	53	60020	162.159.36.2	192.168.2.9
Jan 10, 2025 21:56:14.552771091 CET	63125	53	192.168.2.9	1.1.1.1
Jan 10, 2025 21:56:14.559752941 CET	53	63125	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 21:55:46.940901041 CET	192.168.2.9	1.1.1.1	0x5373	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:55:49.941523075 CET	192.168.2.9	1.1.1.1	0xfaf0	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:56:14.552771091 CET	192.168.2.9	1.1.1.1	0xfec7	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 21:55:40.635499954 CET	1.1.1.1	192.168.2.9	0xeff0	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 21:55:40.635499954 CET	1.1.1.1	192.168.2.9	0xeff0	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:55:46.947477102 CET	1.1.1.1	192.168.2.9	0x5373	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 21:55:46.947477102 CET	1.1.1.1	192.168.2.9	0x5373	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:55:46.947477102 CET	1.1.1.1	192.168.2.9	0x5373	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:55:46.947477102 CET	1.1.1.1	192.168.2.9	0x5373	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:55:46.947477102 CET	1.1.1.1	192.168.2.9	0x5373	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:55:46.947477102 CET	1.1.1.1	192.168.2.9	0x5373	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:55:49.948889971 CET	1.1.1.1	192.168.2.9	0xfaf0	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:55:49.948889971 CET	1.1.1.1	192.168.2.9	0xfaf0	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:55:49.948889971 CET	1.1.1.1	192.168.2.9	0xfaf0	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:55:49.948889971 CET	1.1.1.1	192.168.2.9	0xfaf0	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:55:49.948889971 CET	1.1.1.1	192.168.2.9	0xfaf0	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:55:49.948889971 CET	1.1.1.1	192.168.2.9	0xfaf0	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:55:49.948889971 CET	1.1.1.1	192.168.2.9	0xfaf0	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:56:14.559752941 CET	1.1.1.1	192.168.2.9	0xfec7	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49738	132.226.247.73	80	1184	C:\Users\user\Desktop\upXUt2jZ0S.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:55:46.959542990 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:55:47.631844997 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:55:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 21:55:47.661509037 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 21:55:49.870723009 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:55:49 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 21:55:50.745974064 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 21:55:53.953176975 CET	697	IN	HTTP/1.1 504 Gateway Time-out Date: Fri, 10 Jan 2025 20:55:53 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 10, 2025 21:55:54.120001078 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 21:55:54.335509062 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:55:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49799	132.226.247.73	80	1184	C:\Users\user\Desktop\upXUt2jZ0S.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:55:54.955499887 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 21:55:56.625652075 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:55:56 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49813	132.226.247.73	80	1184	C:\Users\user\Desktop\upXUt2jZ0S.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:55:57.271898031 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:55:58.978566885 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:55:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49831	132.226.247.73	80	1184	C:\Users\user\Desktop\upXUt2jZ0S.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:55:59.626461029 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:56:00.336684942 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:56:00 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49842	132.226.247.73	80	1184	C:\Users\user\Desktop\upXUt2jZ0S.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:56:00.957765102 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:56:01.651186943 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:56:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49851	132.226.247.73	80	1184	C:\Users\user\Desktop\upXUt2jZ0S.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:56:02.296025038 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:56:02.974539042 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:56:02 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49863	132.226.247.73	80	7624	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:56:03.916841030 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:56:07.623919964 CET	697	IN	HTTP/1.1 504 Gateway Time-out Date: Fri, 10 Jan 2025 20:56:07 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49761	104.21.48.1	443	1184	C:\Users\user\Desktop\upXUt2jZ0S.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:55:50 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 20:55:50 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:55:50 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1857339 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I5UgRqf1EhDUiblk91kv1BvZHaiOJrHWv9aoQlAtU0oa27U5EaZLMCOph3SoFAiAAYCeu2T8XnImPOECvNV3ZjA8DXsK9E9lwHChd7SIq1%2FaX5C1jfJORlfQoXcNf%2FL6pXv0QE0W"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff91fd7e788c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1809&min_rtt=1799&rtt_var=695&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1550716&cwnd=238&unsent_bytes=0&cid=29656c5879610b25&ts=257&x=0"
2025-01-10 20:55:50 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49794	104.21.48.1	443	1184	C:\Users\user\Desktop\upXUt2jZ0S.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:55:54 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 20:55:54 UTC	863	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:55:54 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1857344 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=afzH3wZcrSOtMb8Uv%2FXiPqDxCv%2BSWHGv7TMjckv%2FxvK1vwCfvo3T7Rj5EWayUEGzImDt2UucCyv%2B12ZO%2FQUZpjDfb95zG51fSj1wnfTP6JioHAIatGKvHS%2FX%2Ffgu6XRbbO6y5uns"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff92180bc9c461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1594&min_rtt=1588&rtt_var=608&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1781574&cwnd=228&unsent_bytes=0&cid=f96b5d6171dda926&ts=143&x=0"
2025-01-10 20:55:54 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49807	104.21.48.1	443	1184	C:\Users\user\Desktop\upXUt2jZ0S.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:55:57 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 20:55:57 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:55:57 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1857346 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3FASVDjoFjbWXgAgl4XbulYhcukPlvyW%2B97QXfBAjYpQ5qYG%2Fsgl8xOK7PSHlOwVEOibQ056f8wqTWLRYBYALGR6b3PgA4yYLv9cHXhZl2MIIhbrfY3%2BQu%2B1HwdEy7remgJgKYxN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff92267f0342e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1644&min_rtt=1632&rtt_var=637&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1684939&cwnd=240&unsent_bytes=0&cid=3796a1b27ebb5027&ts=155&x=0"
2025-01-10 20:55:57 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49826	104.21.48.1	443	1184	C:\Users\user\Desktop\upXUt2jZ0S.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:55:59 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 20:55:59 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:55:59 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1857348 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FhiVcLc7kuxHSVIQLJ0Z0SuPVlOGtfriUmCF7OzbP0SFpWvib84TN97KuYLzM6k%2B5vSDlYA5ggvbleCqadR4yqKYXKu43KRW%2FWogIV%2BdnGEXx5QngefXXr3mh9xM1kU06JhifWGH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff92353f6343be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1561&rtt_var=789&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=699&delivery_rate=1229473&cwnd=226&unsent_bytes=0&cid=fac13f6b5a92127e&ts=161&x=0"
2025-01-10 20:55:59 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49836	104.21.48.1	443	1184	C:\Users\user\Desktop\upXUt2jZ0S.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:56:00 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 20:56:00 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:56:00 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1857350 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dB7dKNxe%2FQWymfta942QQpQ3TizJjUug5AP56rTddTsekKclRgXdU1YIY1szrRqAd8zzi%2Fy%2FMf04T0P6LnxeDnfM7DqaOGnXZx0QIgwZkrVJKQPcbxDkbc9e3n6x%2FPTfSr6lqtVk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff923d9c918c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1792&min_rtt=1788&rtt_var=680&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1599123&cwnd=238&unsent_bytes=0&cid=7a2061b2a0967330&ts=153&x=0"
2025-01-10 20:56:00 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49845	104.21.48.1	443	1184	C:\Users\user\Desktop\upXUt2jZ0S.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:56:02 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 20:56:02 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:56:02 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1857351 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y5juoLH2opwWG9TTLVQIdCxFA0Vwf%2F%2BqYKvYdE3POpqizdy4uhZYZccluT4APeQptQaGeUeXwcRvYNIvVYhsLMv3pVPWf4fEBwFNRQ%2BLeKiShj9EKZKkY63pqqs2i355yDBDuxT%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff9245eec4c461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1737&min_rtt=1731&rtt_var=661&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1641371&cwnd=228&unsent_bytes=0&cid=c19861ffbb29daf9&ts=139&x=0"
2025-01-10 20:56:02 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49857	104.21.48.1	443	1184	C:\Users\user\Desktop\upXUt2jZ0S.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:56:03 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 20:56:03 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:56:03 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1857352 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ys81IcNp1Gmgz1tTnVNphePTqHo9gGJ4LO9RUkh67DV1di48kbEANucX27f%2B4KljDAka29CEV0Fqw6A8Fdc91v%2FxB9q6DdVk7rnaY8p%2FYlMRYgtz16HsHMNT6enu5IBaeSw%2FCiOE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff924e0d928c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1854&min_rtt=1762&rtt_var=844&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1168935&cwnd=238&unsent_bytes=0&cid=fc17e3f1c6a82306&ts=142&x=0"
2025-01-10 20:56:03 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	15:55:43
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\upXUt2jZ0S.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\upXUt2jZ0S.exe"
Imagebase:	0xe80000
File size:	555'520 bytes
MD5 hash:	857FC5F1DA7948839D47ABE238392EA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2603874674.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	15:55:44
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\upXUt2jZ0S.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
Imagebase:	0xca0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:55:44
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:55:45
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\upXUt2jZ0S.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\upXUt2jZ0S.exe"
Imagebase:	0x140000
File size:	555'520 bytes
MD5 hash:	857FC5F1DA7948839D47ABE238392EA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.1542562831.0000000000592000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.1554551898.0000000002551000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:55:46
Start date:	10/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	15:55:59
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
Imagebase:	0x950000
File size:	555'520 bytes
MD5 hash:	857FC5F1DA7948839D47ABE238392EA2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs Detection: 61%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	15:56:01
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
Imagebase:	0xca0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:56:01
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:56:02
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
Imagebase:	0xc20000
File size:	555'520 bytes
MD5 hash:	857FC5F1DA7948839D47ABE238392EA2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.1797959827.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:56:03
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\upXUt2jZ0S.exe"
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:56:03
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:56:03
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0xbd0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:56:07
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 1528
Imagebase:	0x670000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.2%
Total number of Nodes:	180
Total number of Limit Nodes:	21

Executed Functions

Function 0650E520 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2612321321.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6500000_upXUt2jZ0S.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 58bef4cece3a293231cf0b5a2a70d04eb6c5a47eb8f0c8af5be5905ee9aa25b6
Instruction ID: 96f82ffbcf9bcb546eb9d1092f24ddb72f7e21679aaf623ec08760b16fcb3e32
Opcode Fuzzy Hash: 58bef4cece3a293231cf0b5a2a70d04eb6c5a47eb8f0c8af5be5905ee9aa25b6
Instruction Fuzzy Hash: 20F12870E00209CFEB54DFA9D949B9DBBF1BF88304F258959E405AB2A1DB74E945CF80

Function 06501710 Relevance: .6, Instructions: 650COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2612321321.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6500000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187789bb3e3b77d4d314ef4515357e615797c19249cc9e30baafdf1642e0978b
Instruction ID: 75eff4185cb0695e06dbf140130233b68265c76f4116f6c3e3c28d5d6c7939d3
Opcode Fuzzy Hash: 187789bb3e3b77d4d314ef4515357e615797c19249cc9e30baafdf1642e0978b
Instruction Fuzzy Hash: 4C425A30E00219CFEB94DFA9C89479EBBB6BF88340F148569D509AB294DB34DD85CF91

Function 06502C00 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2612321321.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6500000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f59c329514c295b734ac6721f8a1dbfff8a593e9985e7241be2b39df31f85b7
Instruction ID: a3334dd7bbc42dee0e5f78fae56d7834da551bec05f66e5889afd0ae26b2603a
Opcode Fuzzy Hash: 5f59c329514c295b734ac6721f8a1dbfff8a593e9985e7241be2b39df31f85b7
Instruction Fuzzy Hash: 32C15A31E006198FEFA5CFA5C88479DBBB2BF88300F14C5A9D859AB295DB30D985CF51

Function 0302D429 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0302D4B6
GetCurrentThread.KERNEL32 ref: 0302D4F3
GetCurrentProcess.KERNEL32 ref: 0302D530
GetCurrentThreadId.KERNEL32 ref: 0302D589

Memory Dump Source

Source File: 00000000.00000002.2592132253.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_upXUt2jZ0S.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 39732bc337e28bbf53c1f10b243c2580eda79b920291198ba67b0435744eee80
Instruction ID: c8d166d4bf2b6533ed9160dd8d2a562d194d267771077144b19e293a22cdbb11
Opcode Fuzzy Hash: 39732bc337e28bbf53c1f10b243c2580eda79b920291198ba67b0435744eee80
Instruction Fuzzy Hash: B65167B09017198FDB54CFAAD448BAEFFF1AF48304F248059E019A7390DB75A944CB66

Function 0302D438 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0302D4B6
GetCurrentThread.KERNEL32 ref: 0302D4F3
GetCurrentProcess.KERNEL32 ref: 0302D530
GetCurrentThreadId.KERNEL32 ref: 0302D589

Memory Dump Source

Source File: 00000000.00000002.2592132253.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_upXUt2jZ0S.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 57c7c156a227a87e043c65caad36822dcfc85a403bf5d454c9b2416d91197406
Instruction ID: 10798b45b32c7a470176eb0502ee53ef35be4d20fe79e4b6a4bbcc879dff7d98
Opcode Fuzzy Hash: 57c7c156a227a87e043c65caad36822dcfc85a403bf5d454c9b2416d91197406
Instruction Fuzzy Hash: ED5166B09013198FDB54CFAAD548B9EFBF1AF48304F248459E019A73A0DB75A984CB66

Function 0302ADA8 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0302AFFE

Memory Dump Source

Source File: 00000000.00000002.2592132253.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_upXUt2jZ0S.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 36f849401086cb0694b6da693dd5ab99ef9bd5ef29ee856b31e7502805cf92ff
Instruction ID: 518da81fc7371cd3d42d20c7e52993fd5f9885ab7c9bcd4ada4b6ba4efa02be1
Opcode Fuzzy Hash: 36f849401086cb0694b6da693dd5ab99ef9bd5ef29ee856b31e7502805cf92ff
Instruction Fuzzy Hash: EC817870A01B158FDB64DF6AC44079ABBF5FF88304F04892DD44ADBA50DB35E846CB90

Function 0302590D Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030259C9

Memory Dump Source

Source File: 00000000.00000002.2592132253.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_upXUt2jZ0S.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 068000868f9d358941ff28d5d4453e7e10b79b1e88a112b985780d501726f9a8
Instruction ID: f2b20180b6a399c352424282071fb9d8d64dab4026c8232f5b2c1f86e07b7bfa
Opcode Fuzzy Hash: 068000868f9d358941ff28d5d4453e7e10b79b1e88a112b985780d501726f9a8
Instruction Fuzzy Hash: B341EFB0C01729CFDB24DFAAC88479EFBB5BF49314F24806AD408AB251DB756945CF90

Function 03024248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030259C9

Memory Dump Source

Source File: 00000000.00000002.2592132253.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_upXUt2jZ0S.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b7e58bdfd4a25db37ac216ef9d4c93fb83b2c18f8e87bb8b6de9dc5df1d46c4f
Instruction ID: b85dbb256628459f0d2c947e7d34adfd3dafcdea8c736042f8a683c83349e661
Opcode Fuzzy Hash: b7e58bdfd4a25db37ac216ef9d4c93fb83b2c18f8e87bb8b6de9dc5df1d46c4f
Instruction Fuzzy Hash: D241FFB0C01729CBDB24CFAAC884B8EFBF5BF49304F20846AD408AB251DB756945CF90

Function 06503780 Relevance: 1.6, APIs: 1, Instructions: 80
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32(?,?,?,?), ref: 06503835

Memory Dump Source

Source File: 00000000.00000002.2612321321.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6500000_upXUt2jZ0S.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6d0bad21a9c0b71e63804ddd3ce233bee4debc27d54b937613fc170c990342be
Instruction ID: 75101eca8a19916f2e85ce79e27acce0c23cd4c4ecf890dd5cc5cb4f9436df8e
Opcode Fuzzy Hash: 6d0bad21a9c0b71e63804ddd3ce233bee4debc27d54b937613fc170c990342be
Instruction Fuzzy Hash: 242146B19003099FDB10DFAAC885B9EBBF8FF48310F20846AE509A7750D775A944CFA5

Function 065019A8 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32(?,00000000), ref: 06501A42

Memory Dump Source

Source File: 00000000.00000002.2612321321.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6500000_upXUt2jZ0S.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 0cca1b289f29678741bf4b1b084be50489da960d64d83ed72290a154a079d443
Instruction ID: 3009715bf580bd3d9aa91b3e31ee364160b7ebe0a94af843e9eedae828c56b07
Opcode Fuzzy Hash: 0cca1b289f29678741bf4b1b084be50489da960d64d83ed72290a154a079d443
Instruction Fuzzy Hash: 5C2126768043898FDB11CFAAD884ADAFFF4AF49210F14845AD494A7251D338A549CFA5

Function 0302D679 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0302D707

Memory Dump Source

Source File: 00000000.00000002.2592132253.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_upXUt2jZ0S.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8c8bd18cf807ad2c32da89674a6771950115531162f814c2b19ffd732a8fc3d9
Instruction ID: 0428e56b422584af33299bae42c448c197849c5445fcd1741b113b2f3decca36
Opcode Fuzzy Hash: 8c8bd18cf807ad2c32da89674a6771950115531162f814c2b19ffd732a8fc3d9
Instruction Fuzzy Hash: 2D21E3B5D012199FDB10CFAAD884ADEFBF9EB48310F14841AE918A3350D378A944CFA5

Function 0302D680 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0302D707

Memory Dump Source

Source File: 00000000.00000002.2592132253.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_upXUt2jZ0S.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e36e12e1d47f12a63d1dc2f784a8da1d909c0726b539b7cd56509547df17b083
Instruction ID: e0e968d50182c7fdebb112aca7c09239a656c518783b126d1f6eff58861774a9
Opcode Fuzzy Hash: e36e12e1d47f12a63d1dc2f784a8da1d909c0726b539b7cd56509547df17b083
Instruction Fuzzy Hash: 0B21E2B5D002099FDB10CFAAD884ADEFBF8EB48310F14841AE918A3350D378A940CFA1

Function 065019D8 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32(?,00000000), ref: 06501A42

Memory Dump Source

Source File: 00000000.00000002.2612321321.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6500000_upXUt2jZ0S.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 776c870b219872173c40343899ca1178a1ee8222f1b3b9e730fa604df1ca02c5
Instruction ID: 144473d09a753c15714f495ba91e6af04cfc748f9e5ba94ab38cba4eb729e874
Opcode Fuzzy Hash: 776c870b219872173c40343899ca1178a1ee8222f1b3b9e730fa604df1ca02c5
Instruction Fuzzy Hash: 4D11F6B6C006498FDB14CF9AC844BDEFBF4FB88310F14842AD859A7641D378A549CFA5

Function 06505318 Relevance: 1.6, APIs: 1, Instructions: 51
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0650537D

Memory Dump Source

Source File: 00000000.00000002.2612321321.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6500000_upXUt2jZ0S.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 44b5bfe6b6313bda8110207cef9e496ad18298dfe921bcf40888bba245080d48
Instruction ID: 1b4b3dce8461d913780ced5e5724fdbb5c174c47514cc614fcb363f268b5d74d
Opcode Fuzzy Hash: 44b5bfe6b6313bda8110207cef9e496ad18298dfe921bcf40888bba245080d48
Instruction Fuzzy Hash: FC110AB58003499FDB10CF9AC945BDEFBF8FB48310F148419E954A3651D379A544CFA5

Function 06505320 Relevance: 1.5, APIs: 1, Instructions: 48
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0650537D

Memory Dump Source

Source File: 00000000.00000002.2612321321.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6500000_upXUt2jZ0S.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b485e23b6941eba87c4502025bf86cb9847d21e89c0c6ebe9aeb906ead57350d
Instruction ID: 80f2952bc36857869a8fe4b42c3e1990bb1dd0c6471a73eda34f9c12a5c5ecb9
Opcode Fuzzy Hash: b485e23b6941eba87c4502025bf86cb9847d21e89c0c6ebe9aeb906ead57350d
Instruction Fuzzy Hash: 141106B58003499FDB10CF9AC945BEEFBF8FB48320F10841AE558A3651D378A544CFA5

Function 0302AF98 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0302AFFE

Memory Dump Source

Source File: 00000000.00000002.2592132253.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_upXUt2jZ0S.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 058896db979a312ba019e52723ac1ffbe6b64ace78a6217213c7b0c9af51c717
Instruction ID: e9017e92b49fd26b1757b203afe55d0d1e3cfd8abef94423b314f819a91d1581
Opcode Fuzzy Hash: 058896db979a312ba019e52723ac1ffbe6b64ace78a6217213c7b0c9af51c717
Instruction Fuzzy Hash: F311E0B5C007598FDB10CF9AC444BDEFBF4AF88314F14842AD829A7610D379A545CFA1

Function 06501FB1 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32(?,?,?,?), ref: 06502015

Memory Dump Source

Source File: 00000000.00000002.2612321321.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6500000_upXUt2jZ0S.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f72f57506356acefd3f4a80327b7243a4319c603e970745162df1830f9a1cf74
Instruction ID: 40fdc70d9274c0d76dad77f7f3d9245e077d58d685f894e4a48203bc47ece5c4
Opcode Fuzzy Hash: f72f57506356acefd3f4a80327b7243a4319c603e970745162df1830f9a1cf74
Instruction Fuzzy Hash: 5B1103B58003499FDB10CF9AC845BDEFBF8FB48310F14881AE518A7650C375A944CFA5

Function 06505670 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06506CBD

Memory Dump Source

Source File: 00000000.00000002.2612321321.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6500000_upXUt2jZ0S.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 73a999587b1536c8132af01604e9d9725c7fdcebf993633f3b3f2eb40e0f547e
Instruction ID: 8daa6b877f6992cd8e7e533cc3ecf32685e288f80d6975c42c2928a31ad8043d
Opcode Fuzzy Hash: 73a999587b1536c8132af01604e9d9725c7fdcebf993633f3b3f2eb40e0f547e
Instruction Fuzzy Hash: 7A1103B5C007498FDB10DF9AD585BDEBBF4FB48210F108469D518A7740D378A944CFA5

Function 06506C60 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06506CBD

Memory Dump Source

Source File: 00000000.00000002.2612321321.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6500000_upXUt2jZ0S.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: cb11897bb9ce52c0b19c65ce7a27bafea0e2ac11aa4431ffba12b1fc34c9668d
Instruction ID: c00ea64aa349c565801607b9cb3ae22e24d3766b90dbfec4bf27ce64142ff198
Opcode Fuzzy Hash: cb11897bb9ce52c0b19c65ce7a27bafea0e2ac11aa4431ffba12b1fc34c9668d
Instruction Fuzzy Hash: 9811FEB58007498FDB20DFAAD946BDEBBF4EB48224F20846AD518A7740C378A544CFA5

Function 0650C8DC Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0650E847), ref: 0650F2E5

Memory Dump Source

Source File: 00000000.00000002.2612321321.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6500000_upXUt2jZ0S.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: c9daa3fe7f39b7b196dd44a2924a8be90225d16abd51bc7d74e4c25ef83d925c
Instruction ID: 45e87167fa8e8c9fffd1891d849d5004d9af48a8dce06045f61b47a996256b3e
Opcode Fuzzy Hash: c9daa3fe7f39b7b196dd44a2924a8be90225d16abd51bc7d74e4c25ef83d925c
Instruction Fuzzy Hash: 4F11EDB5C0468A8FDB20CF9AD844BDEFBF4FB48310F10852AE819A7640D379A544CFA5

Function 0650F280 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0650E847), ref: 0650F2E5

Memory Dump Source

Source File: 00000000.00000002.2612321321.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6500000_upXUt2jZ0S.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: ce3d8836988ba445d81298160f151b00da436e17f5bb2e75c3e5e36f07aeeb67
Instruction ID: f6419192800c98537bce1809a6b7af66e25d96531213c1ccce144d07d616c4b6
Opcode Fuzzy Hash: ce3d8836988ba445d81298160f151b00da436e17f5bb2e75c3e5e36f07aeeb67
Instruction Fuzzy Hash: 1E1122B4C042898FDB10CFAAD844BCEFBF4AB48314F10846AD418A7240C378A544CFA5

Function 06501FB8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 06502015

Memory Dump Source

Source File: 00000000.00000002.2612321321.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6500000_upXUt2jZ0S.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9a3beaed06890263c193aaca50aa5a9ee52360fb169259f97802ed60421f867e
Instruction ID: 103c7629fe03986bf76fe71b7712117a267f6967c49a3963d881915239a64058
Opcode Fuzzy Hash: 9a3beaed06890263c193aaca50aa5a9ee52360fb169259f97802ed60421f867e
Instruction Fuzzy Hash: 5E11E2B58003499FDB10DF9AC889BDEFBF8FB48324F10841AE558A7650D379A944CFA5

Function 02F9D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2591643152.0000000002F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f9d000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84bedfb32b861abf38ea0b60d0358dd4ac3415e84e97cdb843e2c308921592b6
Instruction ID: 82caf5449e82a1bb620141b4f37ef79c0fe90fa90ec1e480bc6db8146be93fa3
Opcode Fuzzy Hash: 84bedfb32b861abf38ea0b60d0358dd4ac3415e84e97cdb843e2c308921592b6
Instruction Fuzzy Hash: 85212571A04340DFEF14EF10D4C0B16BB65FB84754F34C569DA0A4B2AAC336D407CA61

Function 02F9D2BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2591643152.0000000002F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f9d000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9191d465f3b1291c935c257cc64bb4c6a4a2b19ca155c46161bff39e428f2b3
Instruction ID: 2cae3b887d85e328ecb9b736c8cf2d263135f7650f5c899642f6867e3d56222d
Opcode Fuzzy Hash: a9191d465f3b1291c935c257cc64bb4c6a4a2b19ca155c46161bff39e428f2b3
Instruction Fuzzy Hash: 8721D176A042449FFF04EF10D9C0F2ABB65FB84265F34C569DA494B282C33AD446CAA2

Function 02F9D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2591643152.0000000002F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f9d000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d37cd99147092569bc3b0695c34aea8887ef0121fffa8e0bd6fe42f708c266
Instruction ID: 59dd596e4a375249a393803e7c8440cb1453fa1550960ac2ce89d696495064d6
Opcode Fuzzy Hash: 17d37cd99147092569bc3b0695c34aea8887ef0121fffa8e0bd6fe42f708c266
Instruction Fuzzy Hash: F5219F755093C08FDB02DF24D990715BF71EB46214F28C5EAD9498F6A7C33A980ACB62

Function 02F9D2B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2591643152.0000000002F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f9d000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d692a0047d57c856fe9c281bc03ca2a8a9bd8913fa11d24a2e87d76695bbbe94
Instruction ID: b418f92ce2511f167787391bc78bc82f1fde26618d26526c211469e3f200cd0a
Opcode Fuzzy Hash: d692a0047d57c856fe9c281bc03ca2a8a9bd8913fa11d24a2e87d76695bbbe94
Instruction Fuzzy Hash: 8E11EF76904680CFEF01DF10D5C0B19FB61FB84324F38C6AAD9490B642C33AD40ACBA2

Non-executed Functions

Function 05CF0A88 Relevance: 1.9, Strings: 1, Instructions: 615COMMON

Download Yara Rule

Strings

(, xrefs: 05CF1238

Memory Dump Source

Source File: 00000000.00000002.2611719246.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 058bb0c60305c4cf08508187187b026960190edf9fe9812e1a16cca3f08f365e
Instruction ID: 8b8ba3c1619d28db2c3479e2d985bb8e60b34d82d19a7e276b8467d052ebd7c6
Opcode Fuzzy Hash: 058bb0c60305c4cf08508187187b026960190edf9fe9812e1a16cca3f08f365e
Instruction Fuzzy Hash: 4952BD74E01228CFEB68DF65C954BEDBBB2BF89300F1485EA8509A7291DB345E85CF40

Function 05CF0A79 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2611719246.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9096b52c75fc3e50c5188e3f623446b58db298b9bdfdb7903db9ef888b85a07
Instruction ID: d20de5e4e57a1c11c7f3c1c6e2deb24f8516e877dea51dfd26116d0a9737c1cc
Opcode Fuzzy Hash: e9096b52c75fc3e50c5188e3f623446b58db298b9bdfdb7903db9ef888b85a07
Instruction Fuzzy Hash: 5E32CF74E05228CFEB68DF65C944BEDBBB2BF89300F1485EA8109A7291DB355E85CF50

Function 0302D364 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2592132253.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ed04100ff2b1b834029aa46845f14a792eeb2feb985961c9c800aa80173b4c
Instruction ID: e9717542911bdb848a0e1b6e5536ee27e7392820881860c01dd82e544b52fb2f
Opcode Fuzzy Hash: a3ed04100ff2b1b834029aa46845f14a792eeb2feb985961c9c800aa80173b4c
Instruction Fuzzy Hash: 42A16D36E0122A8FCF05DFB4C4849DEBBF2FF85344B1585AAE905AB261DB71E915CB40

Analysis Process: powershell.exePID: 3964, Parent PID: 2716COMMON

Executed Functions

Function 00926C4A Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1377097347.0000000000920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_920000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9c519ffe378f9f636a0601bae6bd90f5d0d97764c8ff87b9ba559fe0b225e9
Instruction ID: a232b5b9d502861a24fef5ed715008adc3cf2c9ef74111aff46cf92a8fa50ea1
Opcode Fuzzy Hash: 8b9c519ffe378f9f636a0601bae6bd90f5d0d97764c8ff87b9ba559fe0b225e9
Instruction Fuzzy Hash: 76514A34A05258DFCB05CFA9E4809EDBBF2FF89300F2580A5E844AB366D735AD55DB50

Function 009229F0 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1377097347.0000000000920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_920000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ab0518871c9c9c765cf3bf16986b9ec11187e0d957bb0acf53ea1cb39ec42a
Instruction ID: 40a19fbdd3100adfa351779cfb86f3606575ddb6cf01c8089afc97cd646c1dc3
Opcode Fuzzy Hash: 07ab0518871c9c9c765cf3bf16986b9ec11187e0d957bb0acf53ea1cb39ec42a
Instruction Fuzzy Hash: 37919D74A00606DFCB15CF58C494AAEFBB1FF48310B2485A9D855AB7A9C736EC51CFA0

Function 00922B00 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1377097347.0000000000920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_920000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18fcb6fd872a36fab8f0412333f3c090202c974934612c6251b4b387bd8a06f
Instruction ID: 8b53dffe1a32a665d10324f83c2186e8288713bdd1bb380c050cb16beefda510
Opcode Fuzzy Hash: f18fcb6fd872a36fab8f0412333f3c090202c974934612c6251b4b387bd8a06f
Instruction Fuzzy Hash: 3D413A74A006169FCB05CF58D498AEEF7B1FF48310B1585A9D855AB368C732EC51CFA0

Function 0084D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1376591834.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_84d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da1beeb68adc431b68f555e1aab0aeb6159b3fef139a0b55935b9baacad2b0a
Instruction ID: 82fe997f05bb6995204fbf1f5481b81e18243d1cbf0f3af15efff6ff5ca3063b
Opcode Fuzzy Hash: 8da1beeb68adc431b68f555e1aab0aeb6159b3fef139a0b55935b9baacad2b0a
Instruction Fuzzy Hash: E801D632504B489FE7108E26CDC4B67BBD8EF41324F18C55AED488B282C6799941CAB2

Function 0084D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1376591834.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_84d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9108bf24cd3d625658d50e1034642469a4211ea01952d450b05d6f177125131
Instruction ID: a2587165009ee96125ee48027203e7d88567a1bf8f91e5781fcb06d086119782
Opcode Fuzzy Hash: c9108bf24cd3d625658d50e1034642469a4211ea01952d450b05d6f177125131
Instruction Fuzzy Hash: 0EF0CD72404744AEEB108A16C9C4B62FBD8EB51734F18C05AED484F286C2B99840CAB1

Analysis Process: upXUt2jZ0S.exePID: 1184, Parent PID: 2716COMMON

Executed Functions

Function 0083C4B1 Relevance: 5.2, Strings: 4, Instructions: 185COMMON

Download Yara Rule

Strings

Lj#p, xrefs: 0083C6A5
8, xrefs: 0083C4B1
0o#p, xrefs: 0083C522
Lj#p, xrefs: 0083C68F

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID: 0o#p$8$Lj#p$Lj#p
API String ID: 0-223937649
Opcode ID: 61be3c9dda1f52344ca54fc47d9e079b105a404a1ee65b2e7af387a875bce772
Instruction ID: 757eb2270391e19cb3b2594ca06c247341c779d08b58f64445d8a6fc800be965
Opcode Fuzzy Hash: 61be3c9dda1f52344ca54fc47d9e079b105a404a1ee65b2e7af387a875bce772
Instruction Fuzzy Hash: 5281AF74E00218DFDB14DFAAD984A9DBBB2FF89300F14D069E819AB365EB349945CF50

Function 0083B328 Relevance: 4.1, Strings: 3, Instructions: 350COMMON

Download Yara Rule

Strings

0o#p, xrefs: 0083B562
Lj#p, xrefs: 0083B6E5
Lj#p, xrefs: 0083B6CF

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: db3281e5d67440c4bbce521360098ac1543250a32b391d82e8d64f2c2349333c
Instruction ID: b1d5eb0e792d9e32c1dd9523497c829db6a92507aac073448a7e73f0583f4ff2
Opcode Fuzzy Hash: db3281e5d67440c4bbce521360098ac1543250a32b391d82e8d64f2c2349333c
Instruction Fuzzy Hash: 5FE1E8B5A00618CFDB14DFA9D884A9DBBB1FF89310F158069E919EB362D731EC41CB94

Function 0083BEF0 Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

Lj#p, xrefs: 0083C0E5
Lj#p, xrefs: 0083C0CF
0o#p, xrefs: 0083BF62

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: 118fbff2c978450af0f9d223c8bd30e0781b30bf4ef075be7d546aabb6d335e1
Instruction ID: 2080a92e0593d8a1d1d7f4092a117a04110b46606f6fb6c1028f58fb59b61365
Opcode Fuzzy Hash: 118fbff2c978450af0f9d223c8bd30e0781b30bf4ef075be7d546aabb6d335e1
Instruction Fuzzy Hash: 1D81CFB4E00658CFDB18DFA9D894A9DBBB2FF89300F148069E809BB365DB349941DF50

Function 0083C1D1 Relevance: 3.9, Strings: 3, Instructions: 189COMMON

Download Yara Rule

Strings

0o#p, xrefs: 0083C242
Lj#p, xrefs: 0083C3C5
Lj#p, xrefs: 0083C3AF

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: c9addf72207a49f481d7d468093e7fed7218a62c61f50a6459d9a1d209dc44ad
Instruction ID: 2f16f07362a813c196892a903aaee26c2aca7ea12f911f466a54e7bf3aac6d5a
Opcode Fuzzy Hash: c9addf72207a49f481d7d468093e7fed7218a62c61f50a6459d9a1d209dc44ad
Instruction Fuzzy Hash: 58919F74E00258CFEB14DFAAD984A9DBBB2FF89300F14C069E419AB365DB349946CF54

Function 00834AD9 Relevance: 3.9, Strings: 3, Instructions: 188COMMON

Download Yara Rule

Strings

Lj#p, xrefs: 00834CCE
0o#p, xrefs: 00834B4A
Lj#p, xrefs: 00834CB8

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: 7118677afde082f956fc07363a479230f9725e70b4958a626387c2e8cbb90647
Instruction ID: cd670a497cb483cd40da7a1a67337c830c65fdb360f5d9d3dda0d9d33be25f64
Opcode Fuzzy Hash: 7118677afde082f956fc07363a479230f9725e70b4958a626387c2e8cbb90647
Instruction Fuzzy Hash: BD81A274E01218CFDB14DFA9D884A9DBBF2FF89300F149069E819AB365DB34A942CF54

Function 0083C790 Relevance: 3.9, Strings: 3, Instructions: 186COMMON

Download Yara Rule

Strings

Lj#p, xrefs: 0083C96F
0o#p, xrefs: 0083C802
Lj#p, xrefs: 0083C985

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: 7a425e93a6c92efcb0bf842cd73fa3cf579fbc857c1a29052ed895ffd74d3511
Instruction ID: 59d92d60398a48fe089497f178a1833fe094ad4d129a37a02d0fe39f6409c4bf
Opcode Fuzzy Hash: 7a425e93a6c92efcb0bf842cd73fa3cf579fbc857c1a29052ed895ffd74d3511
Instruction Fuzzy Hash: 03818D74E00218DFDB14DFAAD884A9DBBB2BF89300F25C069E819AB265DB349941DF54

Function 0083CA70 Relevance: 3.9, Strings: 3, Instructions: 186COMMON

Download Yara Rule

Strings

Lj#p, xrefs: 0083CC4F
Lj#p, xrefs: 0083CC65
0o#p, xrefs: 0083CAE2

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: f3615eb31a16519c32e9d36c54522a1eeb328718cf33f690bc9b9b6a6f90a2a3
Instruction ID: e103134e88a60056c5476f4034b19eae272db71c17de1050c3d489f1cc1c772f
Opcode Fuzzy Hash: f3615eb31a16519c32e9d36c54522a1eeb328718cf33f690bc9b9b6a6f90a2a3
Instruction Fuzzy Hash: 5A81AE74E00218CFDB14DFAAD884A9DBBF2FF89310F14C069E819AB265DB349942DF54

Function 0083CD51 Relevance: 3.9, Strings: 3, Instructions: 184COMMON

Download Yara Rule

Strings

Lj#p, xrefs: 0083CF2F
Lj#p, xrefs: 0083CF45
0o#p, xrefs: 0083CDC2

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: 070a5e89756ddf1339e7ac89f18e2bf51f40a3d47b5eea748c5378d139a66b43
Instruction ID: f067b2e91b3f5bdf42badeb0020deea58973cd4559c54ac88aacda081b9d5d72
Opcode Fuzzy Hash: 070a5e89756ddf1339e7ac89f18e2bf51f40a3d47b5eea748c5378d139a66b43
Instruction Fuzzy Hash: 91819F74E00218DFDB18DFA9D984A9DBBF2BF89300F24C069E819AB365DB749945CF50

Function 0083B4F2 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

0o#p, xrefs: 0083B562

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID: 0o#p
API String ID: 0-2085137917
Opcode ID: 8e9ec811a2adb802c169abffaaafa44e500866ef78fac2fcbd80b919317048d2
Instruction ID: 65ed16fa928150827f7ffbd964a09c4b91796c8d4326480e366890da15febcfa
Opcode Fuzzy Hash: 8e9ec811a2adb802c169abffaaafa44e500866ef78fac2fcbd80b919317048d2
Instruction Fuzzy Hash: 7161A2B4E00608DFDB14DFAAD844A9DBBF2FF89300F148069E419AB365DB345942DF50

Function 00839858 Relevance: .9, Instructions: 860COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bafe810f408923578129a9d0410098b371a73295bc1b9741fa2b7b70c4164a8
Instruction ID: afa5c8d8eb2aa0d7081842a0040727bf32b52fee806d626dae4961243bb4b9f3
Opcode Fuzzy Hash: 0bafe810f408923578129a9d0410098b371a73295bc1b9741fa2b7b70c4164a8
Instruction Fuzzy Hash: 50725F71A00609DFCB19CF68C984AAEBBF2FF88310F158559E846DB2A1D770ED41DB91

Function 00836108 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b764e142a897bda6e19f22186386dbc66a54a30bbf9931db8b772faa9e70b0c
Instruction ID: 9b0c23f1448c8fa3d581f4830ac908364554f3d93787b8784146edc0e6f4bf9c
Opcode Fuzzy Hash: 6b764e142a897bda6e19f22186386dbc66a54a30bbf9931db8b772faa9e70b0c
Instruction Fuzzy Hash: 7F125F70A002189FDB14DFA9C954BAEBBB6FFC8304F108569E406EB351EB349D52CB90

Function 00836730 Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1635425403931f44d18886dda16d3404a894d66de5ccc1a8bf5ab4b06f703739
Instruction ID: 376f6dbb46c317f89e48d808bcc7becd8bd7d7f86ae0ee05c0efa6116693729a
Opcode Fuzzy Hash: 1635425403931f44d18886dda16d3404a894d66de5ccc1a8bf5ab4b06f703739
Instruction Fuzzy Hash: F1124F70A00219EFCB15DFA8C984AADBBB2FF88314F14C169E455EB261E734DD52CB90

Function 00833570 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b3430c9f996385098bb5771e313f396c022dff02479ce462d68a9f2a510c21
Instruction ID: 3a2db6d419822069790f63b8a9c4daf92970aa6e1ad68810da7759e83e2ba61a
Opcode Fuzzy Hash: a7b3430c9f996385098bb5771e313f396c022dff02479ce462d68a9f2a510c21
Instruction Fuzzy Hash: DDF13A34E012589FDB08DFB8D8546AEBBB2FF89310B15856AE406EB354DB349D02CB95

Function 008377F0 Relevance: .7, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8942da77075e54cf209fb13e59979c9bcb41966f99c62b57ded55b86f0401d56
Instruction ID: 20e3618265fe71291f2d39c4b78ebb767deb1f8d5c5be26a33deab0f09d3300e
Opcode Fuzzy Hash: 8942da77075e54cf209fb13e59979c9bcb41966f99c62b57ded55b86f0401d56
Instruction Fuzzy Hash: ED52FC34A40318CFEB15EBA4C864B9EB772FF88310F1081AAD10A6B3A5DE359E45DF55

Function 0083215C Relevance: .6, Instructions: 627COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff82b767002f2b9f2ca96fbeb7f8f4f7cc8912da1bacb53eb2f9c9a3355a530f
Instruction ID: 48f8bd321f9b26e792486b8ba1924fc59308a63f1233001b54e8f387c1ef19ec
Opcode Fuzzy Hash: ff82b767002f2b9f2ca96fbeb7f8f4f7cc8912da1bacb53eb2f9c9a3355a530f
Instruction Fuzzy Hash: 0B426D76C047828FCB524FB889A82A47F70FF97334B5583CEC0A49A5A6E7745E06CB51

Function 008387E9 Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befde6f6c3f34ec2866fe1841005a06a061291c3985ebf687ec761fd801af40c
Instruction ID: 51829757a84a4b981d674164b42656f247039075ca77db0b57d22f32f7d2a02e
Opcode Fuzzy Hash: befde6f6c3f34ec2866fe1841005a06a061291c3985ebf687ec761fd801af40c
Instruction Fuzzy Hash: 08F16970314705CFDB159A29C868B3977A6FFC5715F2840AAF442CF3A1EE29CC429792

Function 00836E58 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa44cbc34902f47d925426fd94c9310e0cbf482a8e69013443d12f6c497d8cd7
Instruction ID: 0094e2a98ebc73b9fcf1df620294883f0f6b7cd169357a53dbb9c1474a46c8a3
Opcode Fuzzy Hash: fa44cbc34902f47d925426fd94c9310e0cbf482a8e69013443d12f6c497d8cd7
Instruction Fuzzy Hash: D8123970A04649DFCB24CF68D884A9EBBF2FF89314F158599E846DB261DB30ED41CB90

Function 00830C8F Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3384543ccd86a5889c79adcbc9871201d5334d53ca01093aa7b326843b1fe771
Instruction ID: daf35395d2dab2404d9be9a50bf48800c395850f5e96ac63d971c33c25a86bb7
Opcode Fuzzy Hash: 3384543ccd86a5889c79adcbc9871201d5334d53ca01093aa7b326843b1fe771
Instruction Fuzzy Hash: 4B22B87490121ACFCB55EF64E994B9DB7B2FF48301F1085AAD40AA7364DB346E8ADF40

Function 0083A84F Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1420f3c2231972f096b3b2b9e91693906598714e4966ff835f680b0f2610c4
Instruction ID: 535c55cd56ae93700ec97333266bac08779885bbd0c7e5aace03297349f252de
Opcode Fuzzy Hash: 4c1420f3c2231972f096b3b2b9e91693906598714e4966ff835f680b0f2610c4
Instruction Fuzzy Hash: 9AF1EB75A006148FCB18CF69D884AADBBF2FF98311F1A8059E555EB361CB35EC42CB91

Function 00830CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 770896b729666d0b7024fc6aabe47d9c3b15c349b1956928e830096dcffda894
Instruction ID: 27cb1ebe8cca56bf480b18e2a89abc3fa9bb0e213425a43334f2e6340665efce
Opcode Fuzzy Hash: 770896b729666d0b7024fc6aabe47d9c3b15c349b1956928e830096dcffda894
Instruction Fuzzy Hash: BB22A77490121ACFCB55EF64E994B9DB7B2FF48301F1085AAD40AA7364DB346E8ADF40

Function 008356A8 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6763654d288039edac72ddd0c5a087490450e1f93bea2fbe7deefae49de6eff8
Instruction ID: 8d81cad5cd72ff6f6ad198fd99ff034638f4eb88f36984582a9620b3851cdd5d
Opcode Fuzzy Hash: 6763654d288039edac72ddd0c5a087490450e1f93bea2fbe7deefae49de6eff8
Instruction Fuzzy Hash: 31B1AB31704614CFDB159BB8D898B2A7BA2FBC8354F14896AE846CB3A1DB74CC42D7D1

Function 00835C08 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f795a922383b42b6b55b1aee5150fe0e7a3142cb85de6e3b38f917df9bcd41
Instruction ID: d0681ce5f6965370dfba2e8be9106569d83de6c697fd02d48aaa4ea76b1efb78
Opcode Fuzzy Hash: 11f795a922383b42b6b55b1aee5150fe0e7a3142cb85de6e3b38f917df9bcd41
Instruction Fuzzy Hash: 7F817034A00A09CFCB14DFA9C888AA9B7B2FFC9315F258169D406EB365D731ED41CB91

Function 00837438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a540b13a95fc6f442550e1d7357ddde706e7282f688ea77e66387dcbfb6d2df4
Instruction ID: 382050b2426ed408a5aef071525b3a6a415ada7014bf01b74304b4300f58dec4
Opcode Fuzzy Hash: a540b13a95fc6f442550e1d7357ddde706e7282f688ea77e66387dcbfb6d2df4
Instruction Fuzzy Hash: BD71F6747046058FDB29DF68C898AAA7BE5FF99700F1540A9E902CB3B1DB70DC41DB91

Function 0083D36A Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce7a8c97b9c0224e3ced1e8386ffef18478da53dd9cc5c133508b2d126e62a9
Instruction ID: d1928f7e2b888738ac8ce230c779d1810aea49fcdda4040e137997cbc0b631a1
Opcode Fuzzy Hash: 6ce7a8c97b9c0224e3ced1e8386ffef18478da53dd9cc5c133508b2d126e62a9
Instruction Fuzzy Hash: 4751BC34076A528FD302ABA4ADAC57E7FB4FB0F327305AD86A05F85435CB39504A9B58

Function 0083D378 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3549a492e1ad0684eb2ac947cd76a96079b4968be80c0337c367fbb52f4a91d4
Instruction ID: 0ae8d8eb21eb9a2d1f6c37751e878c68ee87b0c1a806d36799bf9f71ae29b299
Opcode Fuzzy Hash: 3549a492e1ad0684eb2ac947cd76a96079b4968be80c0337c367fbb52f4a91d4
Instruction Fuzzy Hash: 3051AB34072A528F9302BFA4ADAC57E7BB5FB0F327705AD86A01F84434CB3550469B98

Function 0083D030 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac80607d2c8f68d5ec65f4f2418c5c2d09b31681706f64748052e22af1918e9
Instruction ID: 4c7a5a695bba00bdd6297d2b3a6c5f5c965271d7bacac1606f7af90b7aef7cb2
Opcode Fuzzy Hash: aac80607d2c8f68d5ec65f4f2418c5c2d09b31681706f64748052e22af1918e9
Instruction Fuzzy Hash: 1E519374E01218DFDB58DFA9D99499DBBF2FF89700F248169E809AB365DB309901CF50

Function 00833908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037d1312f2177ba5c5a315e8d6d48ff8976624b822394a2206be719e2d7645c0
Instruction ID: 70239170c66318bca7288ad622024d38878ba6dd14f8ac34416e1e201ac6f340
Opcode Fuzzy Hash: 037d1312f2177ba5c5a315e8d6d48ff8976624b822394a2206be719e2d7645c0
Instruction Fuzzy Hash: 72519175E01308CFCB08DFA9D89499DBBB2FF89301F208469E805AB364DB31A946DF50

Function 00839A63 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2476e3393c476a720cb1b7616b3d4e3d76a00085f535d32149e5e5e1d1144f66
Instruction ID: a64128e69560e225b636de24caf7a7c613a747f4e8a62be23cb336d455aa40eb
Opcode Fuzzy Hash: 2476e3393c476a720cb1b7616b3d4e3d76a00085f535d32149e5e5e1d1144f66
Instruction Fuzzy Hash: 9E41A031A04259DFCF11CFA4D844A9EBFB2FF89310F148656E896DB2A1D3B0D951DBA0

Function 0083A650 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107ddf94c1d869eae4c82177e5ca7ed9a7809daf5e05991e409ee2669e4f5b96
Instruction ID: d28a9141643158f17a24a40b8f821371119c84165f3202175d00cecd50137392
Opcode Fuzzy Hash: 107ddf94c1d869eae4c82177e5ca7ed9a7809daf5e05991e409ee2669e4f5b96
Instruction Fuzzy Hash: E441C3357042089FCB159BB5D8546AE7BF6FBC8310F14456AE906E7391CE359C02C791

Function 00833428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fadb6bda0c7053f7ff46f31117e1828ca92b9114f5e2397058074625a349ce17
Instruction ID: 9859d9b94d4b641ded563adae94989fcf0efd85d1036ffc9686a1158840e306e
Opcode Fuzzy Hash: fadb6bda0c7053f7ff46f31117e1828ca92b9114f5e2397058074625a349ce17
Instruction Fuzzy Hash: 1A313431B003298BEF189BB6889437E62AAFBD4310F18443AD806D7390DF79CE0597D5

Function 00834DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eddae7d63c6bb8f739f9b9172dca759ebe2f130851cc037993cbcb19dc4b987c
Instruction ID: 1c46289342e40acfb909f68232ea64048bac2b5ab4384efacb82b1c99a2e37ac
Opcode Fuzzy Hash: eddae7d63c6bb8f739f9b9172dca759ebe2f130851cc037993cbcb19dc4b987c
Instruction Fuzzy Hash: C6319271204149DFCB05AFA4D854AAF3BA2FB88311F104425F91AC7361DB39DD62DBE1

Function 008376D0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3162a15b169bad9b1b1d4989752eb5ab2be23980a2590d5ec29c200092181711
Instruction ID: fd90a0fe78b4753c26ceb98929d83af4285c07cc0e731e4f1ff565be2be8fbe1
Opcode Fuzzy Hash: 3162a15b169bad9b1b1d4989752eb5ab2be23980a2590d5ec29c200092181711
Instruction Fuzzy Hash: 0221B0743082048BEB3517699CA4AB93797FFD8719F1841BAD942CB795EE25CC42A7C0

Function 008376E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcecf3697a6783d19409ef6954adf62416a2aa37564a000e299cf596c1e281ac
Instruction ID: 9de74df24d577579135cff0334b7fa308413dd11c180ddd695792e1dc2038a6f
Opcode Fuzzy Hash: fcecf3697a6783d19409ef6954adf62416a2aa37564a000e299cf596c1e281ac
Instruction Fuzzy Hash: B721C2783082058BEB3457398864ABE3297FFC8719F284079D502CB798EE69CC42E7C1

Function 00835A60 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfccd67f2921427159762dc431b2b299608dd8bfce2943036e10823f32f60ef6
Instruction ID: 944cda30c0ecff42cef73f9716fd1b36c86a010d5e9600ad1485d0ebb8b63db2
Opcode Fuzzy Hash: dfccd67f2921427159762dc431b2b299608dd8bfce2943036e10823f32f60ef6
Instruction Fuzzy Hash: F721A130305A218FC7199B64C8A452EB7A2FFC9761B1942AAE807CB361DF34DC0397D0

Function 00832060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31bf25b6ededf93929045efdc1336394a86b617ac2157c39c9e41f7a90d8f1aa
Instruction ID: a38a60cba45a65bfcfd50ce3915be2ea47228c4b39dfe3005b4fa52a7cc633dc
Opcode Fuzzy Hash: 31bf25b6ededf93929045efdc1336394a86b617ac2157c39c9e41f7a90d8f1aa
Instruction Fuzzy Hash: 9521A131A00615DFDB14DB64C4909AE77A9FBD8350F20C419E909DB260DB31EE4ACBD1

Function 0083D5B9 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345342752cd38ff0ba0ebb55e19b22f9073ff51dbe03c9323f06bd8a579e6bce
Instruction ID: ab66c418ef296b77b82f54910b2eca2ac2c30eb5be078998bc33d21228d33196
Opcode Fuzzy Hash: 345342752cd38ff0ba0ebb55e19b22f9073ff51dbe03c9323f06bd8a579e6bce
Instruction Fuzzy Hash: FB214830C102598ECB11EFF8D8186ECBBB0FF9A304F109669D444B7261EB306A5ADB94

Function 0078D404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1543758444.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_78d000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6eed25e3c0df23596704b74a48da0493305876882232cf6604f2994ebdfe10a
Instruction ID: 16ba9cfab6da614724b91fdbf9e51856bc9d6f51f42183eb6d0e498b57d34bdc
Opcode Fuzzy Hash: c6eed25e3c0df23596704b74a48da0493305876882232cf6604f2994ebdfe10a
Instruction Fuzzy Hash: 4F21F471540284DFDB24EF50D8C0F16BB65FB94324F24C169DD094A296C33AEC56C7A1

Function 0083D6B7 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af09c965d3831946239d6e2a6a32c59a81800433be34912f3bf6a2c03010bc98
Instruction ID: 6d7178956f05d9948df2cead2697fdca6868380bc291e710d50f33929d8515d3
Opcode Fuzzy Hash: af09c965d3831946239d6e2a6a32c59a81800433be34912f3bf6a2c03010bc98
Instruction Fuzzy Hash: 2621F8349412098FCF05DFB5D854AEEB7B2FB8A305F109569C805B73A4DB35A906CB54

Function 00834DB9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f497c874a61ad78ba033e364ac754a118f456ec6f127db6d3efe1395a43555
Instruction ID: dd385ff532e921b78c27ecaeebc6ef198b066e894b100f8267ab82b495f6066c
Opcode Fuzzy Hash: 38f497c874a61ad78ba033e364ac754a118f456ec6f127db6d3efe1395a43555
Instruction Fuzzy Hash: 8621D771608249CFC7159FA8D854A6E3BA2FF88720F14406AF406CB352DB38ED16DBD1

Function 008339ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581eba752e346472a8b2cfdc236a26255a3e145486c800b1e493ab836730357d
Instruction ID: 198d54bbb67d417721fdfc0a920b6f19e992ae0905c1a67998db5bff08090709
Opcode Fuzzy Hash: 581eba752e346472a8b2cfdc236a26255a3e145486c800b1e493ab836730357d
Instruction Fuzzy Hash: 2B316278E01308DFCB44EFA8E59489DBBB2FF49305B21446AE809AB364D731AD05DF50

Function 0083D6C8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d88a3aa4747b3ada7e5a044b6910f70cc69cc1377d0e4d279a570830e6c1aa3
Instruction ID: ce8dfc32511db7ca3565632a97ff493e78b430a88bfb2b73dacc8925743a928f
Opcode Fuzzy Hash: 7d88a3aa4747b3ada7e5a044b6910f70cc69cc1377d0e4d279a570830e6c1aa3
Instruction Fuzzy Hash: 1321C434A01208CBCF05DFB9E854AEEB7B2BB8A305F109469D405B7364DB39A946CF64

Function 00835A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a932b4cf2d6f99019a615e163d8fcc43e22d907f8c1264b6fe5f6c33b4ae464
Instruction ID: 1fe5079a007a15aef02b969ba85b7cb03513962a2726dd36d4d8ea5e5c25418a
Opcode Fuzzy Hash: 9a932b4cf2d6f99019a615e163d8fcc43e22d907f8c1264b6fe5f6c33b4ae464
Instruction Fuzzy Hash: 52118231301A218BC7199B69C8A492EB7A6FFC8761B194169E807CB360DF30DC0297D0

Function 0078D3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1543758444.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_78d000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction ID: b47f76186dbaa60f0f3a33c386138d32428754410721065a18cb095c3c754fa3
Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction Fuzzy Hash: 53110372444280CFCB11DF00D5C4B16BF71FB94324F24C1A9DC090B696C33AE856CBA1

Function 00831F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069fdeda2b8850fc236eb9d065aa166873075a9ab1f8fce96479d6760c22d966
Instruction ID: 57bbbed00662b07794bf65c09ea8bc60d56890e8a6da0d3a295d0a25734053dc
Opcode Fuzzy Hash: 069fdeda2b8850fc236eb9d065aa166873075a9ab1f8fce96479d6760c22d966
Instruction Fuzzy Hash: 9821D0B4D056098FCB11EFA8D8585EEBFF0FF49304F1041AAD846B7264EB345A46CBA1

Function 00831F61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03f06b88d4566769d7d870ef5b87d4f5e552373f860685196473fb14018dd07
Instruction ID: 8b8fcedf42ebb0d998a3baa0ee45d9dbd3a356bd530a04e608295da43f0e9b6b
Opcode Fuzzy Hash: a03f06b88d4566769d7d870ef5b87d4f5e552373f860685196473fb14018dd07
Instruction Fuzzy Hash: 3721C2B4D056098FCB44EFA8D8556EDBBF1FF49304F10416AD805B3220EB346A45CBA1

Function 00835607 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08b976281268b412f7e993cb86f027a4cf055d9bfba48ba963b13143cd46f02
Instruction ID: adc2008896009c45a88ecdf5d8809c94388a787f72e6c362fae662bbd6215dcd
Opcode Fuzzy Hash: a08b976281268b412f7e993cb86f027a4cf055d9bfba48ba963b13143cd46f02
Instruction Fuzzy Hash: B501F5727041046FCB069E689811AEE3BA7EBD9760F18806BF406C7280DA398D07DBA1

Function 00832010 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f88cfe7d6d5385fb646d7b6e22fb11fe68c457dff6332e107128393aa31a3ef
Instruction ID: 303c6bb7f046450678a3541094add7f3624fc6eb6319ccc833218de56419633f
Opcode Fuzzy Hash: 0f88cfe7d6d5385fb646d7b6e22fb11fe68c457dff6332e107128393aa31a3ef
Instruction Fuzzy Hash: 3AE0DF36D2426A9BCB2096A5B8189FEBF35AFE2315F11426AD06137181EB70150A8761

Function 00832020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ca6b1f4bbfef835cae689a35a7d9f0f98555ee047b86f354304d8d87fda73b
Instruction ID: a7925a47f84833d748cca345b0d4b124d72dd65a835aba162b19291c4699523a
Opcode Fuzzy Hash: 72ca6b1f4bbfef835cae689a35a7d9f0f98555ee047b86f354304d8d87fda73b
Instruction Fuzzy Hash: D8D01732D2022A979B10AAA9DC048EEBB38EE96621B908626D52437140EB70265986B1

Function 00838258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 2bdb7748b48a04e9d5fe3a99138b23bc39711ef955dddacdccdc9bf841c07448
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 00C0123324C228AAA624208E7C40AA3AB8CE2C17B8E250137F91CE3300A8429C8001E8

Function 0083A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597da9fd309c2592eda62836f0e90d6cb82ec0902d6e8c3c7fee6b5cd88c1919
Instruction ID: 8e74430b375de0659912a281cdf1d17ab969f144e8f62a1e8aecd0517a06316c
Opcode Fuzzy Hash: 597da9fd309c2592eda62836f0e90d6cb82ec0902d6e8c3c7fee6b5cd88c1919
Instruction Fuzzy Hash: 89D0677AB01008EFDB04DF98EC409DDB7B6FB9C221B048156E915A3260C6319961DB54

Function 00835EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f2b730b46531f3e56225cf017896437ad174abb2aefa1d8cab11105c3363fe
Instruction ID: da6902bda6daee1fb2961c6a0f3c417049de8b038069cbe192665812a1444ec8
Opcode Fuzzy Hash: 00f2b730b46531f3e56225cf017896437ad174abb2aefa1d8cab11105c3363fe
Instruction Fuzzy Hash: B4D02B7440C3850BD703F770E9698483F216A85108B4442D9E8060942BEA74591B9B13

Function 00835EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1545197773.0000000000830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_830000_upXUt2jZ0S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3447b70db245deefee1abfb1622833eb0c8b6c42c065e8299a0ae6bc25b027
Instruction ID: 3245b1270ab839f94542f4a84f836a57d8198698307615e99a542319e2deeae4
Opcode Fuzzy Hash: 7b3447b70db245deefee1abfb1622833eb0c8b6c42c065e8299a0ae6bc25b027
Instruction Fuzzy Hash: 91C0127051030947D501F7B1E959915331A66C4600F404510B0090912AEF787E5B5792

Analysis Process: .exePID: 7472, Parent PID: 3504COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	158
Total number of Limit Nodes:	21

Executed Functions

Function 014BADA8 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 014BAFFE

Memory Dump Source

Source File: 00000007.00000002.2592482539.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14b0000_UNK_.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: dc9705618024ea2c9b3ea93c42819361198ac6458ddac33bd5de046f6ce0e97d
Instruction ID: 8208ee768a8a3e9ce7ddd3b48b698eca9ff3c69188e1959f989ef9a4c41524ae
Opcode Fuzzy Hash: dc9705618024ea2c9b3ea93c42819361198ac6458ddac33bd5de046f6ce0e97d
Instruction Fuzzy Hash: 8C7135B0A00B058FEB24DF2AD48579ABBF5FF48214F10892ED04AD7B60D775E845CBA0

Function 014B4248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014B59C9

Memory Dump Source

Source File: 00000007.00000002.2592482539.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14b0000_UNK_.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d962fcef7c4dba8e445ae33b2f73dd5591442098ea2f49866f2403b601003549
Instruction ID: 73dfcf381ab0aa8f9db385dc0f4b1b31be2305d9137dc4a901cd823e67f0a232
Opcode Fuzzy Hash: d962fcef7c4dba8e445ae33b2f73dd5591442098ea2f49866f2403b601003549
Instruction Fuzzy Hash: 8541D2B0D00719CBDB24CFA9C8847CEFBB5BF49704F60846AD508AB251DB756945CFA0

Function 014B590D Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014B59C9

Memory Dump Source

Source File: 00000007.00000002.2592482539.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14b0000_UNK_.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 81eda4490e54ff4b4c3198b236b6a3cee823d0269e0d01e883c9bbc463f20ea4
Instruction ID: 391cbe5483aed67ef59dd37f62450456457bfcc9eb841554eafcd9931406ebc1
Opcode Fuzzy Hash: 81eda4490e54ff4b4c3198b236b6a3cee823d0269e0d01e883c9bbc463f20ea4
Instruction Fuzzy Hash: AE41BEB0D00719CBEB24CFA9C8847CEFBB5BF49304F60846AD508AB265DB756946CF50

Function 07263780 Relevance: 1.6, APIs: 1, Instructions: 78
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32(?,?,?,?), ref: 07263835

Memory Dump Source

Source File: 00000007.00000002.2612312989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7260000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 36d72426ab3fb15363b049fb1fc1648115fc96ab98ab1eade7da86ae47da568f
Instruction ID: 9ea6354d2cd819143f0a0c1bd5fc4a22886cf69f8e5b9cbf2c65e373270e8492
Opcode Fuzzy Hash: 36d72426ab3fb15363b049fb1fc1648115fc96ab98ab1eade7da86ae47da568f
Instruction Fuzzy Hash: E82148B19003099FDB10DFA9C885B9EBFF8EF48320F10846AE419A7751C775A980CBA1

Function 072619A8 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32(?,00000000), ref: 07261A42

Memory Dump Source

Source File: 00000007.00000002.2612312989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7260000_UNK_.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: b178e2296c83e326a4a8a10ac4972dc2cd695558a20a2f4c07c13540a02bfb80
Instruction ID: b64adba83af37b9d07d9f6271f352a754d9b003b31e36eb8fbb086a8d3e66435
Opcode Fuzzy Hash: b178e2296c83e326a4a8a10ac4972dc2cd695558a20a2f4c07c13540a02bfb80
Instruction Fuzzy Hash: 71219DB68053898FDB01CFAAD845BDEFFF1AF49220F14809BC454A7652D338A949CF61

Function 014BB790 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014BD646,?,?,?,?,?), ref: 014BD707

Memory Dump Source

Source File: 00000007.00000002.2592482539.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14b0000_UNK_.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f83c3d529ab7d3d3e8d096bc248b22f4ff4cfcd7ade4ca89d3c86bac37188b9c
Instruction ID: 9723abbfbf1590d429a4e21e0a919d229d1b1ed874520ae04b292fc131e70d16
Opcode Fuzzy Hash: f83c3d529ab7d3d3e8d096bc248b22f4ff4cfcd7ade4ca89d3c86bac37188b9c
Instruction Fuzzy Hash: 7E21E5B5D002499FDB10CF9AD584ADEBBF4EB48314F14846AE918A3350D378A950CFA4

Function 0726EAE1 Relevance: 1.6, APIs: 1, Instructions: 63
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0726E702,00000000,00000000,03D141AC,02D305D0), ref: 0726EB50

Memory Dump Source

Source File: 00000007.00000002.2612312989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7260000_UNK_.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: bcfb0396e1a1c0fec6cc0c8970c33e37ea6ac24b8a8ae8c9f343bc8bee974061
Instruction ID: fd2b27756de2969203edb27eb32e01ee34e7bc63b980419e8c65b983e0aae6f5
Opcode Fuzzy Hash: bcfb0396e1a1c0fec6cc0c8970c33e37ea6ac24b8a8ae8c9f343bc8bee974061
Instruction Fuzzy Hash: D12157B5C003499FDB10CF9AC844ADEBBF4FB09324F10806AE964A7251C379A545CF61

Function 014BD679 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014BD646,?,?,?,?,?), ref: 014BD707

Memory Dump Source

Source File: 00000007.00000002.2592482539.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14b0000_UNK_.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e1a36d890c5824e8533278f7166704c74483db61d82e75164853ab44132b14e2
Instruction ID: d77f4dae95e4951de9d2b0ded72e4dfa9c455592dd6870fffd6b73d8f72dcc59
Opcode Fuzzy Hash: e1a36d890c5824e8533278f7166704c74483db61d82e75164853ab44132b14e2
Instruction Fuzzy Hash: E721E0B5D002499FDB10CFAAD584AEEBBF5EB48324F14846AE918A3350D378A950CF60

Function 0726C890 Relevance: 1.6, APIs: 1, Instructions: 55
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0726E702,00000000,00000000,03D141AC,02D305D0), ref: 0726EB50

Memory Dump Source

Source File: 00000007.00000002.2612312989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7260000_UNK_.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 89c5b8b4fbc729c8047fba1979d1cd437aaf606f8f448bf1ac8b0ba6b4dc957e
Instruction ID: 98ae6a4dfd29090ff72332cd58dd9f64f9f174eb47770779b5b61dd8fc46c28c
Opcode Fuzzy Hash: 89c5b8b4fbc729c8047fba1979d1cd437aaf606f8f448bf1ac8b0ba6b4dc957e
Instruction Fuzzy Hash: 3711E4B5C102499FDB10CF9AD584BDEBBF8FB48320F11842AE959A3251D378A944CFA5

Function 072619D8 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32(?,00000000), ref: 07261A42

Memory Dump Source

Source File: 00000007.00000002.2612312989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7260000_UNK_.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 3196eacb39019b904bfe14e34d1d3efd19859b541d19119df4b139a0d66b63c9
Instruction ID: df91895cf4f389fe1addeffdf279a2213731263bd8bec15b27f78d6f76d90817
Opcode Fuzzy Hash: 3196eacb39019b904bfe14e34d1d3efd19859b541d19119df4b139a0d66b63c9
Instruction Fuzzy Hash: 8511F6B6C1064A8FDB14CF9AC444BDEFBF4EF48320F14842AD859A7650D378A545CFA5

Function 07265318 Relevance: 1.5, APIs: 1, Instructions: 49
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0726537D

Memory Dump Source

Source File: 00000007.00000002.2612312989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7260000_UNK_.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f8f6bda805f95b7bcdb0c70c1e109097ebf10504e2da3168808c1bd07418ea3b
Instruction ID: a8c330e4243dfc0fc00036dc6d6830d3d19d3d3f3dab6514bf58128a39b75882
Opcode Fuzzy Hash: f8f6bda805f95b7bcdb0c70c1e109097ebf10504e2da3168808c1bd07418ea3b
Instruction Fuzzy Hash: 6F1128B580030A9FDB10CF9AC545BDEFBF8FB48320F10841AE558A7650D378A554CFA1

Function 07265320 Relevance: 1.5, APIs: 1, Instructions: 48
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0726537D

Memory Dump Source

Source File: 00000007.00000002.2612312989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7260000_UNK_.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e57268f888d01ef69d1af7099b0b24b89d6951caf94db709efddee8fbad10df6
Instruction ID: 12a3a36d463db4efff8afff7b5639d2674a7368e15507d7adc0cca3860d0c2f5
Opcode Fuzzy Hash: e57268f888d01ef69d1af7099b0b24b89d6951caf94db709efddee8fbad10df6
Instruction Fuzzy Hash: 8D1106B58003499FDB10CF9AC845BDEFBF8EB48320F10841AE958A3650D378A594CFA5

Function 014BAF98 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 014BAFFE

Memory Dump Source

Source File: 00000007.00000002.2592482539.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14b0000_UNK_.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 93d948d0d9aca124aae7c5b007684add32c8cc7babcd2f0543b7b99f7054bed5
Instruction ID: b3b5ab576a8b369f620a8d5b2ceb1d892c0e7925c06ef2e5571e7d7bb1f8dedc
Opcode Fuzzy Hash: 93d948d0d9aca124aae7c5b007684add32c8cc7babcd2f0543b7b99f7054bed5
Instruction Fuzzy Hash: CD11DFB6C006498FDB14CF9AC444BDEFBF4EB88224F10842AD529A7750D379A545CFA1

Function 07265670 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 07266CBD

Memory Dump Source

Source File: 00000007.00000002.2612312989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7260000_UNK_.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 23ee5e5537b7b65c2c88191819916012e4c63f8e838f7162385d200d3dc20192
Instruction ID: c33dec3d2acde4b1127af4b9d1b98e8cdc1a56f24d60b4ca519e5f6993c83e01
Opcode Fuzzy Hash: 23ee5e5537b7b65c2c88191819916012e4c63f8e838f7162385d200d3dc20192
Instruction Fuzzy Hash: 801130B58107099FCB20DF9AD588BDEFBF8EB48220F20845AD518A3300C378A940CFA4

Function 0726C8DC Relevance: 1.5, APIs: 1, Instructions: 46
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0726E847), ref: 0726F2E5

Memory Dump Source

Source File: 00000007.00000002.2612312989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7260000_UNK_.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 27448d3efe3670fb38ba4a2351c549ef1aa8a41b0992c8a4957e8b021341806a
Instruction ID: b1698d8ba79aa7b0bd573b31d907c9822a67493f4c26cbfe48fc5f63f33cc9a8
Opcode Fuzzy Hash: 27448d3efe3670fb38ba4a2351c549ef1aa8a41b0992c8a4957e8b021341806a
Instruction Fuzzy Hash: 3A11EDB5C1464A8FCB10CF9AD548B9EFBF4EB48224F10852AE529A3610D378A544CFA5

Function 07261FB1 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 07262015

Memory Dump Source

Source File: 00000007.00000002.2612312989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7260000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e4fa6ec65c9f76e61bd904bd3c26f50145e309418aaea251eff62309e39c15ac
Instruction ID: 30cf976fe01355289c47e4859a689edfce1b0f60f1892c972f418c5dd8af7a23
Opcode Fuzzy Hash: e4fa6ec65c9f76e61bd904bd3c26f50145e309418aaea251eff62309e39c15ac
Instruction Fuzzy Hash: 5B11E3B58002499FDB10DF99C485BDEFBF8FB48324F10841AD558A7250C375A544CFA1

Function 0726F280 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0726E847), ref: 0726F2E5

Memory Dump Source

Source File: 00000007.00000002.2612312989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7260000_UNK_.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 275444e0c4c5ae84b9afe61fb5660ebb4e52a2019be7e09ab29cec1c25871d37
Instruction ID: 1dd4c4fdee2aba6f8408f461e2d33fcf7ca6b4a4a50b6321893e5a73c710973b
Opcode Fuzzy Hash: 275444e0c4c5ae84b9afe61fb5660ebb4e52a2019be7e09ab29cec1c25871d37
Instruction Fuzzy Hash: E6112EB5C003498FCB20CFAAD448BDEFBF4AB48324F20842AD469A3210C378A540CFA5

Function 07261FB8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 07262015

Memory Dump Source

Source File: 00000007.00000002.2612312989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7260000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a84d378f769e6182b1fd83212a3067f77b2f41a971b21e47084b924a7340e8a1
Instruction ID: 259f8716ef99abdac1279baf189fc202abaaa30f5fa15df92c4a72a818353258
Opcode Fuzzy Hash: a84d378f769e6182b1fd83212a3067f77b2f41a971b21e47084b924a7340e8a1
Instruction Fuzzy Hash: 4A11C2B58003499FDB10DF9AC489BDEBBF8EB48324F10841AD558A7650D379A944CFA1

Function 07266C60 Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 07266CBD

Memory Dump Source

Source File: 00000007.00000002.2612312989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7260000_UNK_.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6aeb87476f4eb69a3359155c82f0b07a270ab2bbfde80154876b9b3d2227fdc3
Instruction ID: 8e1caf4e8545a3f957ab3427931e207a1c3fc6fe3b8d76d921cfcbfd7d78f9ee
Opcode Fuzzy Hash: 6aeb87476f4eb69a3359155c82f0b07a270ab2bbfde80154876b9b3d2227fdc3
Instruction Fuzzy Hash: 621103B58007498FDB20DF9AD549BDEFBF4EB48324F20845AD518A7750C378A644CFA1

Function 00F9D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2589597449.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02d9c158d39a1ba36e24fc6b59720afdaeb1c2266e081bcea23d12beaf20c2b
Instruction ID: 5bbf7a0746f5d2f990bc2eb2e0a0f0f483cee09aac2a2af395e7f7ce59d23d88
Opcode Fuzzy Hash: f02d9c158d39a1ba36e24fc6b59720afdaeb1c2266e081bcea23d12beaf20c2b
Instruction Fuzzy Hash: 1E212872900344DFEF04DF18D9C0B26BB65FB94324F34C169D9090B256C336E856DBA2

Function 00FAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2590104644.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fad000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1029337ecc62d240224b6bcbaed3115584e83164cd40e9bdf4c785abf07d7d84
Instruction ID: f3f4553a68442ed9f0b4841df8fbb91a0fcc5e5377629999b0274d94a099e9ed
Opcode Fuzzy Hash: 1029337ecc62d240224b6bcbaed3115584e83164cd40e9bdf4c785abf07d7d84
Instruction Fuzzy Hash: 922134B2A04340DFDB14DF20D9C0B26BB65FB89324F24C56DD80B4B68AC336D807DA62

Function 00FAD2BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2590104644.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fad000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac926a74dd10a86a8020c363fc8774fcdc3478fa3c1d1fc3fe4f341fc58edab
Instruction ID: a4da6536f962ad956039d213ec21204bc3c118f2b2909021fe71c75dc8842b18
Opcode Fuzzy Hash: 1ac926a74dd10a86a8020c363fc8774fcdc3478fa3c1d1fc3fe4f341fc58edab
Instruction Fuzzy Hash: DC2108F2904344DFDF00DF10D9C0B2ABBA5FB85324F24C569D84A4BA82C376D846DAA3

Function 00FAD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2590104644.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fad000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c024dd47bd427963920d6a02971977a2ff9e530c8019411af2308b26ba6ea9f5
Instruction ID: 20e9ed7ddedf7ad13a1558e93ae026bc40b2f18deb6e1feadc37d515a3eff2c5
Opcode Fuzzy Hash: c024dd47bd427963920d6a02971977a2ff9e530c8019411af2308b26ba6ea9f5
Instruction Fuzzy Hash: D72150755093808FCB12CF24D994715BF71EB46314F28C5EAD8498F6A7C33A984ADB62

Function 00F9D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2589597449.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction ID: 38684addf60086dc3141612225153f89637e4542ed4ad716e5702fcfd3b2c1dd
Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction Fuzzy Hash: 5A11CD72804240CFDF05CF04D5C0B16BF61FB94324F2482A9D8090B656C33AE856DBA1

Function 00FAD2B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2590104644.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fad000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d692a0047d57c856fe9c281bc03ca2a8a9bd8913fa11d24a2e87d76695bbbe94
Instruction ID: 0e347753a3dcd4973ee6f7ea32d9e80717b60e1dad59b69e864ab6e6fc560138
Opcode Fuzzy Hash: d692a0047d57c856fe9c281bc03ca2a8a9bd8913fa11d24a2e87d76695bbbe94
Instruction Fuzzy Hash: 3311B2B5904684CFDF11CF10D5C4B5AFB61FB85324F28C6AAD8494BA56C33AD846CB92

Analysis Process: powershell.exePID: 7504, Parent PID: 7472COMMON

Executed Functions

Function 075C1810 Relevance: .6, Instructions: 580COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1564583316.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_75c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82bd5517ef002f6ae70b69702790db92ca257f97aaa5749f8c580d02fef3ad30
Instruction ID: 716601003cfe2036c741dd1d6a92ae713b0a5983d595b885fe02857b65ad052e
Opcode Fuzzy Hash: 82bd5517ef002f6ae70b69702790db92ca257f97aaa5749f8c580d02fef3ad30
Instruction Fuzzy Hash: 601236F17047098FDB15DBA8D8117FABBA2AF86211F14C4AFD506CB242DA75C841C7A2

Function 047029F0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1541311591.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dcdbe0eebb5961120546268ca39e11c75af9f9ba049ffe7ce32ca1c9d6e2dda
Instruction ID: 26b16b99d001cc52b350df0da1a89e30e40dfd24453495b45bb4ea222fc919a6
Opcode Fuzzy Hash: 0dcdbe0eebb5961120546268ca39e11c75af9f9ba049ffe7ce32ca1c9d6e2dda
Instruction Fuzzy Hash: 88916D75A01605CFDB15CF58C498AAAFBF1FF48310B2485A9D815AB3A6C735FC51CBA0

Function 04706BA8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1541311591.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: effc0993df393776c461e2b2ee6b05e39d6977e763cc6579d5204d75568515d1
Instruction ID: 983ddab823a8e8aaa73c266409d30534b7e7250549ce68ca3728bf61048e8371
Opcode Fuzzy Hash: effc0993df393776c461e2b2ee6b05e39d6977e763cc6579d5204d75568515d1
Instruction Fuzzy Hash: 9481C034A05248CFCB05CFA9D4909AEBBF1FF89310B1480AAE455AB3A2C735ED55DF60

Function 075C17F4 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1564583316.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_75c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77befa03ee7764f88f654700de26454d32e9e6831a8eecebe7b3f29df743a90f
Instruction ID: c96dcad577c20c97dc0c048a1e9ff74b022da8509bb7d08cb58d61c27d7679eb
Opcode Fuzzy Hash: 77befa03ee7764f88f654700de26454d32e9e6831a8eecebe7b3f29df743a90f
Instruction Fuzzy Hash: 3341D4F5A0460A8FEB10DEA98541BFA77B2FF81250F14809FD8049B257D779C981CBA7

Function 04702B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1541311591.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6898f45cc7f41c5c1839298830f5a09a408420480191b8b82d38dcabb7f0748c
Instruction ID: b36993177c504a8983a5dc121e133c4f529d7067b45f405d9ef259f40115c6a9
Opcode Fuzzy Hash: 6898f45cc7f41c5c1839298830f5a09a408420480191b8b82d38dcabb7f0748c
Instruction Fuzzy Hash: 70415B75A01605CFCB06CF58C098AAAFBF1FF48310B1585A9D815AB3A5C732FC91CBA0

Function 04707660 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1541311591.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff257d549b23854702494f8f4ca5557c719463b8728ef49cecf821cb3e0fbbe8
Instruction ID: e7f148d93eb83ddfbb9661bceb0567527b81ee6521629afa703e738c65f3201c
Opcode Fuzzy Hash: ff257d549b23854702494f8f4ca5557c719463b8728ef49cecf821cb3e0fbbe8
Instruction Fuzzy Hash: EA315074A05386CFCB0ADF69C89099ABBB4FF4A25070544D6D449DB353C734F855CBA1

Function 04707650 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1541311591.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a95c76ec102de13c57721e79e5c22f1a164fe64b139c302230ba71d2cc648b5
Instruction ID: 07718faae1362f7341ad2a957b15d512f567bffb60612268d4af89840d20d1b3
Opcode Fuzzy Hash: 9a95c76ec102de13c57721e79e5c22f1a164fe64b139c302230ba71d2cc648b5
Instruction Fuzzy Hash: 28211774A05249CFCB04DF98D4909AABBF4FF89310B1580A9E809EB352D331FC41CBA1

Function 00C8D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1536228633.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c6a9dc2f0f49d4b7e4ddbb3236277e3fb1aac66c80aa46d45d35e08d497307
Instruction ID: a251ece267ed689da6f9856f5f8208e05569c27d14c47c3aba5b03c660423b58
Opcode Fuzzy Hash: d8c6a9dc2f0f49d4b7e4ddbb3236277e3fb1aac66c80aa46d45d35e08d497307
Instruction Fuzzy Hash: 7E01296200E3C05FD7128B258D94B52BFB49F53224F1980DBD8998F1E3C2699849C772

Function 00C8D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1536228633.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 409beb5fd3ab675816b8754b3a681dc02b57b3e10778d6f587d89b5e699a6aab
Instruction ID: 3ba577881ea42f68e8a2032490b2eddbf455b9ca6a34fa6a0b9dae43dabb7155
Opcode Fuzzy Hash: 409beb5fd3ab675816b8754b3a681dc02b57b3e10778d6f587d89b5e699a6aab
Instruction Fuzzy Hash: 9B01F2325043449FE710AA26CDC0B67BB98DF41328F18C01AEC1A4B2C2C7799D41CBBA

Function 04702C5C Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1541311591.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b585da437ceb9f1975e01f630665feca9a418b864a7323a18a273e242b4c567
Instruction ID: 564b115852d1d50aa596e4b0cfb6fa118e04443131c2544f9e344e14de5e5032
Opcode Fuzzy Hash: 7b585da437ceb9f1975e01f630665feca9a418b864a7323a18a273e242b4c567
Instruction Fuzzy Hash: E801A23550D3918FE702DBBCD8A07D9BBF59F8A224F1584C3C0948B193C625A85ACB6A

Function 047091A2 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1541311591.0000000004700000.00000040.00000800.00020000.00000000.sdmp, Offset: 04700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb70a9115c171d141adb7d36a82b6caadde99f110ba98a7e16a37a373c1a3d2
Instruction ID: eace49feb1c709e0975cf22d4a3a24c09329ecf5ac81c2bdf422dbaa4da1d9c3
Opcode Fuzzy Hash: 0fb70a9115c171d141adb7d36a82b6caadde99f110ba98a7e16a37a373c1a3d2
Instruction Fuzzy Hash: 62F09674A00204DFCB04CB99C8546A9F7B6FF88310735C159D95AA7751CB36AC52CB91

Analysis Process: .exePID: 7624, Parent PID: 7472COMMON

Executed Functions

Function 01373578 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1796641855.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f5937cab3da4dacda43602b4a232fe8595225a98a20db7c3e1bb975f530ee87
Instruction ID: 169c7c1a5687444cf559d41119bc443a00557028ea11fdadc515d6c982be4729
Opcode Fuzzy Hash: 7f5937cab3da4dacda43602b4a232fe8595225a98a20db7c3e1bb975f530ee87
Instruction Fuzzy Hash: 4CF17F74E01319DFDB18DFB8D8546AEBBB6BF88310B148529E806EB344DF359846CB51

Function 01370C8F Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1796641855.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7680b2adcffef2b920f2967ef29483881cf75d15b259556d1db1c8abb5cf1c44
Instruction ID: 2792b8a54c2477f0e1d89700f768e903e043038a267918b0ce4512a158ff3cc7
Opcode Fuzzy Hash: 7680b2adcffef2b920f2967ef29483881cf75d15b259556d1db1c8abb5cf1c44
Instruction Fuzzy Hash: EC22FEB890121EDFCB64EF64E994A9DB7B6FF48304F1085AAD819AB358DB305D85CF40

Function 01370CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1796641855.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7610332d035a705b9e25e9a3bf07938f398ae5bcb28e29cb9acfd0197325af
Instruction ID: b8d5ad149af180cce61be91f2998988c9ed193b834423a2608f3a76a6982abfd
Opcode Fuzzy Hash: 6c7610332d035a705b9e25e9a3bf07938f398ae5bcb28e29cb9acfd0197325af
Instruction Fuzzy Hash: F422FDB890121EDFCB64EF64E994A9DB7B6FF48304F1085AAD819AB358DB305D85CF40

Function 01373418 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1796641855.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd46d0a427b21c517ef933e98da0e32011e29e668807d990474548f53cbef18
Instruction ID: 1223783df138afbda40a4446e7b4eb231fcf38e7354fd7d0344a5c21efdcc477
Opcode Fuzzy Hash: 7cd46d0a427b21c517ef933e98da0e32011e29e668807d990474548f53cbef18
Instruction Fuzzy Hash: 9B312875704318CBEF3E89BA489427E67E9BFC5228F044039D846E7281DB7CCC05A761

Function 01372060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1796641855.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee5d25fe609cc02f1fc763f3a38dc640694076878e11cdb3e55f0c87d924dbc
Instruction ID: 30bca57658de457e245f574ced2bd7609351c132c96e30cec7eb8de6c76a94f3
Opcode Fuzzy Hash: 7ee5d25fe609cc02f1fc763f3a38dc640694076878e11cdb3e55f0c87d924dbc
Instruction Fuzzy Hash: 8D21B235A00109EFDB25EB68D4909AF77AAEF98354F10C469E8098B250DB35EE45CBE1

Function 0116D404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1796137640.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_116d000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a9a7494ea446a9f0ef2455fb3facc608023f5bac1acb3384efd463ced1f68b
Instruction ID: df8a77e034a368d8c345465a4814575daa2968fbe960b19ed605e7b39b30b0cc
Opcode Fuzzy Hash: 65a9a7494ea446a9f0ef2455fb3facc608023f5bac1acb3384efd463ced1f68b
Instruction Fuzzy Hash: 94210671604244DFDF19DF94E8C0B66BB69FB84314F24C169D9490BA46C337E866C7A2

Function 0137215C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1796641855.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed895162081e0aba8a3053ff47e5a6504f8f00068c4bc01e9bbd4ba489a28c96
Instruction ID: fe7073930081e11275c775026f0f8192771c652c83e67762144059c7ca7f5b43
Opcode Fuzzy Hash: ed895162081e0aba8a3053ff47e5a6504f8f00068c4bc01e9bbd4ba489a28c96
Instruction Fuzzy Hash: D711AB35E0834E9FCB029BB8AC104DEBB34FF8A2107248797D626B70A2E9251805C361

Function 013739ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1796641855.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8395c91886ab52de32de5516ba4d805a3d969e708461c0a1cec09364955da0a
Instruction ID: 309bf1ff56706bec212c5f8d51a948a8581d6f6b7cc3ccf7e8b064f72e54718d
Opcode Fuzzy Hash: c8395c91886ab52de32de5516ba4d805a3d969e708461c0a1cec09364955da0a
Instruction Fuzzy Hash: 7C319F78E01208DFCB54EFA8E59489DBBB6FF49305B20446AE819AB324D731AD05CF40

Function 0116D3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1796137640.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_116d000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction ID: e4767294b9fcd6806f845968b1d387d2defc97ee62e0dcc41f288a3a0c4fdcf6
Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction Fuzzy Hash: 5711CD72504280CFCF16CF44D5C4B56BF61FB84224F28C1A9D8490AA56C33AE866CBA2

Function 01371F61 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1796641855.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f8835bb4ee93e6353ce469a7243427966cc828df4db0c27170d395694c5d53
Instruction ID: f198e5bf24b2e290ada0c53dc5b6956a4f3f8b3a16277925b430c5a70f91a529
Opcode Fuzzy Hash: 49f8835bb4ee93e6353ce469a7243427966cc828df4db0c27170d395694c5d53
Instruction Fuzzy Hash: 5A21BFB4C052098FCB65EFA8D8555EEBFF0FF09310F10426AD815B6224EB341A89CBA1

Function 01371F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1796641855.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a695aa83eba7b7a12203a801184e7d6257ba71ff814a131e749a6744282dc5
Instruction ID: a0fca764ba8ecf77bfd06ef877d03420d36783bf5371bdb5b3128715613c21ac
Opcode Fuzzy Hash: e9a695aa83eba7b7a12203a801184e7d6257ba71ff814a131e749a6744282dc5
Instruction Fuzzy Hash: 6721FFB5D0520D8FDB21EFA8D4445EEBFB0BF49304F10426AD855BA264EB301A89CBA1

Function 01372010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1796641855.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca4b776ff7152ca9f891a0f552f9a3729e7cb1b33195419d70489719048c7f1
Instruction ID: a19e8b08a63a22eab77e52e868b6b530aebfed391fdfd6c3d8a4550c563a12ab
Opcode Fuzzy Hash: bca4b776ff7152ca9f891a0f552f9a3729e7cb1b33195419d70489719048c7f1
Instruction Fuzzy Hash: 1CE09231D243668FC711ABA8A8540EEBF70AE92724B11456BD0906A041EB70199AC7A1

Function 01372020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1796641855.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1370000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e79c57c5d01ac9d3e9d96db6961b36e2ac6cc6cb78478e8abede24c81c3417f
Instruction ID: a7925a47f84833d748cca345b0d4b124d72dd65a835aba162b19291c4699523a
Opcode Fuzzy Hash: 1e79c57c5d01ac9d3e9d96db6961b36e2ac6cc6cb78478e8abede24c81c3417f
Instruction Fuzzy Hash: D8D01732D2022A979B10AAA9DC048EEBB38EE96621B908626D52437140EB70265986B1

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report upXUt2jZ0S.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_.exe_4fd875b65d5c828f378f9ce7d8dd6c3315c4c3_2cfaa02b_cc41215d-848b-4d3c-a40a-a0d2245250a7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER65D3.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER672C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER677B.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\upXUt2jZ0S.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4oc1j4jg.cbj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5eyc0nol.gd3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_crluqciu.vvk.psm1

Windows Analysis Report
upXUt2jZ0S.exe

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre