Edit tour

Windows Analysis Report
dZMT94YYwO.exe

Overview

General Information

Sample name:	dZMT94YYwO.exe renamed because original name is a hash value
Original sample name:	96dc67ac15ce042c3b2d1d85120ce2431444ad619035b22ddf2dadacb644009c.exe
Analysis ID:	1588754
MD5:	f448b6c0c3a101b79cc91f9c87770574
SHA1:	da82ce0445bb85cb54f0f901771c2f8d3a4f9988
SHA256:	96dc67ac15ce042c3b2d1d85120ce2431444ad619035b22ddf2dadacb644009c
Tags:	exeuser-adrian__luca
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

dZMT94YYwO.exe (PID: 7400 cmdline: "C:\Users\user\Desktop\dZMT94YYwO.exe" MD5: F448B6C0C3A101B79CC91F9C87770574)

powershell.exe (PID: 6252 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dZMT94YYwO.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 1636 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

dZMT94YYwO.exe (PID: 1468 cmdline: "C:\Users\user\Desktop\dZMT94YYwO.exe" MD5: F448B6C0C3A101B79CC91F9C87770574)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "sungito1@surewaz.com", "Password": "Mo!+w_%5sxDB", "Server": "surewaz.com", "To": "sungito@surewaz.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefa7:$a1: get_encryptedPassword 0xf2cf:$a2: get_encryptedUsername 0xed42:$a3: get_timePasswordChanged 0xee63:$a4: get_passwordField 0xefbd:$a5: set_encryptedPassword 0x10919:$a7: get_logins 0x105ca:$a8: GetOutlookPasswords 0x103bc:$a9: StartKeylogger 0x10869:$a10: KeyLoggerEventArgs 0x10419:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x27f07:$a1: get_encryptedPassword 0x2822f:$a2: get_encryptedUsername 0x27ca2:$a3: get_timePasswordChanged 0x27dc3:$a4: get_passwordField 0x27f1d:$a5: set_encryptedPassword 0x29879:$a7: get_logins 0x2952a:$a8: GetOutlookPasswords 0x2931c:$a9: StartKeylogger 0x297c9:$a10: KeyLoggerEventArgs 0x29379:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.2536234764.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x72a67:$a1: get_encryptedPassword 0x89687:$a1: get_encryptedPassword 0x72d8f:$a2: get_encryptedUsername 0x899af:$a2: get_encryptedUsername 0x72802:$a3: get_timePasswordChanged 0x89422:$a3: get_timePasswordChanged 0x72923:$a4: get_passwordField 0x89543:$a4: get_passwordField 0x72a7d:$a5: set_encryptedPassword 0x8969d:$a5: set_encryptedPassword 0x743d9:$a7: get_logins 0x8aff9:$a7: get_logins 0x7408a:$a8: GetOutlookPasswords 0x8acaa:$a8: GetOutlookPasswords 0x73e7c:$a9: StartKeylogger 0x8aa9c:$a9: StartKeylogger 0x74329:$a10: KeyLoggerEventArgs 0x8af49:$a10: KeyLoggerEventArgs 0x73ed9:$a11: KeyLoggerEventArgsEventHandler 0x8aaf9:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: dZMT94YYwO.exe PID: 7400	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: dZMT94YYwO.exe PID: 7400	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dZMT94YYwO.exe PID: 7400	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dZMT94YYwO.exe PID: 7400	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: dZMT94YYwO.exe PID: 7400	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xda0b:$a1: get_encryptedPassword 0x1cbe7:$a1: get_encryptedPassword 0xdd24:$a2: get_encryptedUsername 0x1cf00:$a2: get_encryptedUsername 0xd7ba:$a3: get_timePasswordChanged 0x1c996:$a3: get_timePasswordChanged 0xd8db:$a4: get_passwordField 0x1cab7:$a4: get_passwordField 0xda21:$a5: set_encryptedPassword 0x1cbfd:$a5: set_encryptedPassword 0xf324:$a7: get_logins 0x1e500:$a7: get_logins 0xefd5:$a8: GetOutlookPasswords 0x1e1b1:$a8: GetOutlookPasswords 0xedc7:$a9: StartKeylogger 0x1dfa3:$a9: StartKeylogger 0xf274:$a10: KeyLoggerEventArgs 0x1e450:$a10: KeyLoggerEventArgs 0xee24:$a11: KeyLoggerEventArgsEventHandler 0x1e000:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: dZMT94YYwO.exe PID: 1468	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: dZMT94YYwO.exe PID: 1468	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dZMT94YYwO.exe PID: 1468	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: dZMT94YYwO.exe PID: 1468	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5f9f:$a1: get_encryptedPassword 0x62b8:$a2: get_encryptedUsername 0x5d4e:$a3: get_timePasswordChanged 0x5e6f:$a4: get_passwordField 0x5fb5:$a5: set_encryptedPassword 0x78b8:$a7: get_logins 0x7569:$a8: GetOutlookPasswords 0x735b:$a9: StartKeylogger 0x7808:$a10: KeyLoggerEventArgs 0x73b8:$a11: KeyLoggerEventArgsEventHandler
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.dZMT94YYwO.exe.38948c0.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.dZMT94YYwO.exe.38948c0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.dZMT94YYwO.exe.38948c0.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.dZMT94YYwO.exe.38948c0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
4.2.dZMT94YYwO.exe.38948c0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1233d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1183b:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b49:$a4: \Orbitum\User Data\Default\Login Data 0x12941:$a5: \Kometa\User Data\Default\Login Data
8.2.dZMT94YYwO.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.dZMT94YYwO.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.dZMT94YYwO.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.dZMT94YYwO.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
8.2.dZMT94YYwO.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1413d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1363b:$a3: \Google\Chrome\User Data\Default\Login Data 0x13949:$a4: \Orbitum\User Data\Default\Login Data 0x14741:$a5: \Kometa\User Data\Default\Login Data
4.2.dZMT94YYwO.exe.3811d60.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.dZMT94YYwO.exe.3811d60.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.dZMT94YYwO.exe.3811d60.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.dZMT94YYwO.exe.3811d60.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
4.2.dZMT94YYwO.exe.3811d60.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1233d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1183b:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b49:$a4: \Orbitum\User Data\Default\Login Data 0x12941:$a5: \Kometa\User Data\Default\Login Data
4.2.dZMT94YYwO.exe.3811d60.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.dZMT94YYwO.exe.3811d60.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.dZMT94YYwO.exe.3811d60.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.dZMT94YYwO.exe.3811d60.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
4.2.dZMT94YYwO.exe.3811d60.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1413d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1363b:$a3: \Google\Chrome\User Data\Default\Login Data 0x13949:$a4: \Orbitum\User Data\Default\Login Data 0x14741:$a5: \Kometa\User Data\Default\Login Data
4.2.dZMT94YYwO.exe.38948c0.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.dZMT94YYwO.exe.38948c0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.dZMT94YYwO.exe.38948c0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.dZMT94YYwO.exe.38948c0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x25dc7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x260ef:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x25b62:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x25c83:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x25ddd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x27739:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x273ea:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x271dc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x27689:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler 0x27239:$a11: KeyLoggerEventArgsEventHandler
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dZMT94YYwO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dZMT94YYwO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\dZMT94YYwO.exe", ParentImage: C:\Users\user\Desktop\dZMT94YYwO.exe, ParentProcessId: 7400, ParentProcessName: dZMT94YYwO.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dZMT94YYwO.exe", ProcessId: 6252, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dZMT94YYwO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dZMT94YYwO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\dZMT94YYwO.exe", ParentImage: C:\Users\user\Desktop\dZMT94YYwO.exe, ParentProcessId: 7400, ParentProcessName: dZMT94YYwO.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dZMT94YYwO.exe", ProcessId: 6252, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T05:04:59.442966+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49729	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 4.2.dZMT94YYwO.exe.3811d60.0.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "sungito1@surewaz.com", "Password": "Mo!+w_%5sxDB", "Server": "surewaz.com", "To": "sungito@surewaz.com", "Port": 587}

Multi AV Scanner detection for submitted file

Source: dZMT94YYwO.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.7% probability

Machine Learning detection for sample

Source: dZMT94YYwO.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: dZMT94YYwO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.10:49741 version: TLS 1.0

Source: dZMT94YYwO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: BVvw.pdbSHA256 source: dZMT94YYwO.exe
Source:	Binary string: BVvw.pdb source: dZMT94YYwO.exe

Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 06DCDB74h	4_2_06DCD0BE
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 011E9731h	8_2_011E9480
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 011E9E5Ah	8_2_011E9A40
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 011E9E5Ah	8_2_011E9A30
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 011E9E5Ah	8_2_011E9D87
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 057147C9h	8_2_05714520
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 05718830h	8_2_05718588
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 0571F700h	8_2_0571F458
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 057176D0h	8_2_05717428
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 0571E9F8h	8_2_0571E750
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 05715929h	8_2_05715680
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 057183D8h	8_2_05718130
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 0571E5A0h	8_2_0571E180
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 0571F2A8h	8_2_0571F000
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 057154D1h	8_2_05715228
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 05715079h	8_2_05714DD0
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 05717F80h	8_2_05717CD8
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 05717278h	8_2_05716FD0
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 05714C21h	8_2_05714978
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 0571FB58h	8_2_0571F8B0
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 05717B28h	8_2_05717880
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 0571EE50h	8_2_0571EBA8
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4x nop then jmp 05715E15h	8_2_05715AD8

Source: global traffic

TCP traffic: 192.168.2.10:49268 -> 162.159.36.2:53

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49729 -> 193.122.130.0:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.10:49741 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 53.210.109.20.in-addr.arpa

Source: dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: dZMT94YYwO.exe, 00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: dZMT94YYwO.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: dZMT94YYwO.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: dZMT94YYwO.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: dZMT94YYwO.exe, 00000004.00000002.1340741246.0000000002823000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dZMT94YYwO.exe, 00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: dZMT94YYwO.exe, 00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: dZMT94YYwO.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.dZMT94YYwO.exe.38948c0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.dZMT94YYwO.exe.38948c0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.dZMT94YYwO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.dZMT94YYwO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.dZMT94YYwO.exe.3811d60.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.dZMT94YYwO.exe.3811d60.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.dZMT94YYwO.exe.3811d60.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.dZMT94YYwO.exe.3811d60.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.dZMT94YYwO.exe.38948c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: dZMT94YYwO.exe PID: 7400, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: dZMT94YYwO.exe PID: 1468, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4_2_025ED3A4	4_2_025ED3A4
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4_2_06DC86D9	4_2_06DC86D9
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4_2_06DC86E8	4_2_06DC86E8
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4_2_06DCB108	4_2_06DCB108
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4_2_06DC8F58	4_2_06DC8F58
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4_2_06DCABF8	4_2_06DCABF8
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 4_2_06DC8B20	4_2_06DC8B20
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_011EC530	8_2_011EC530
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_011E9480	8_2_011E9480
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_011EC521	8_2_011EC521
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_011E2DD1	8_2_011E2DD1
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_011E946F	8_2_011E946F
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05716138	8_2_05716138
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_0571BC60	8_2_0571BC60
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_0571AF00	8_2_0571AF00
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_057189E0	8_2_057189E0
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05718579	8_2_05718579
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05714520	8_2_05714520
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_0571450F	8_2_0571450F
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05718588	8_2_05718588
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_0571F458	8_2_0571F458
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_0571F448	8_2_0571F448
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05717428	8_2_05717428
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05717418	8_2_05717418
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_0571E750	8_2_0571E750
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_0571E740	8_2_0571E740
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_0571566F	8_2_0571566F
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05715680	8_2_05715680
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05718130	8_2_05718130
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05716133	8_2_05716133
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05718120	8_2_05718120
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_0571E180	8_2_0571E180
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_0571F000	8_2_0571F000
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05710330	8_2_05710330
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05710320	8_2_05710320
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_057113A8	8_2_057113A8
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05715228	8_2_05715228
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_0571521B	8_2_0571521B
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05714DD0	8_2_05714DD0
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05714DC0	8_2_05714DC0
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05710CD8	8_2_05710CD8
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05717CD8	8_2_05717CD8
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05717CC8	8_2_05717CC8
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_0571EFF0	8_2_0571EFF0
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05716FD0	8_2_05716FD0
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05716FC3	8_2_05716FC3
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05714978	8_2_05714978
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05714969	8_2_05714969
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_057189D0	8_2_057189D0
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05717871	8_2_05717871
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_0571F8B0	8_2_0571F8B0
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_0571F8A0	8_2_0571F8A0
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05717880	8_2_05717880
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_0571EBA8	8_2_0571EBA8
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_0571EB98	8_2_0571EB98
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05715AD8	8_2_05715AD8
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05715ACB	8_2_05715ACB
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Code function: 8_2_05710AB8	8_2_05710AB8

Source: dZMT94YYwO.exe

Static PE information: invalid certificate

Source: dZMT94YYwO.exe, 00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs dZMT94YYwO.exe
Source: dZMT94YYwO.exe, 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs dZMT94YYwO.exe
Source: dZMT94YYwO.exe, 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs dZMT94YYwO.exe
Source: dZMT94YYwO.exe, 00000004.00000002.1343636869.0000000005000000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs dZMT94YYwO.exe
Source: dZMT94YYwO.exe, 00000004.00000002.1340741246.000000000282E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs dZMT94YYwO.exe
Source: dZMT94YYwO.exe, 00000004.00000000.1276450062.000000000046D000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameBVvw.exe6 vs dZMT94YYwO.exe
Source: dZMT94YYwO.exe, 00000004.00000002.1344726496.0000000006DD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs dZMT94YYwO.exe
Source: dZMT94YYwO.exe, 00000004.00000002.1336081288.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs dZMT94YYwO.exe
Source: dZMT94YYwO.exe, 00000004.00000002.1340741246.0000000002823000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs dZMT94YYwO.exe
Source: dZMT94YYwO.exe, 00000008.00000002.2533824639.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs dZMT94YYwO.exe
Source: dZMT94YYwO.exe, 00000008.00000002.2533219595.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs dZMT94YYwO.exe
Source: dZMT94YYwO.exe	Binary or memory string: OriginalFilenameBVvw.exe6 vs dZMT94YYwO.exe

Source: dZMT94YYwO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.dZMT94YYwO.exe.38948c0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.dZMT94YYwO.exe.38948c0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.dZMT94YYwO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.dZMT94YYwO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.dZMT94YYwO.exe.3811d60.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.dZMT94YYwO.exe.3811d60.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.dZMT94YYwO.exe.3811d60.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.dZMT94YYwO.exe.3811d60.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.dZMT94YYwO.exe.38948c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: dZMT94YYwO.exe PID: 7400, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: dZMT94YYwO.exe PID: 1468, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: dZMT94YYwO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@4/2

Source: C:\Users\user\Desktop\dZMT94YYwO.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dZMT94YYwO.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2376:120:WilError_03
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Mutant created: NULL

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2z2avrm5.yj4.ps1

Jump to behavior

Source: dZMT94YYwO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: dZMT94YYwO.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\dZMT94YYwO.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\dZMT94YYwO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002DA0000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000008.00000002.2537313320.0000000003CBD000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: dZMT94YYwO.exe

ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\dZMT94YYwO.exe "C:\Users\user\Desktop\dZMT94YYwO.exe"
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dZMT94YYwO.exe"
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process created: C:\Users\user\Desktop\dZMT94YYwO.exe "C:\Users\user\Desktop\dZMT94YYwO.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dZMT94YYwO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process created: C:\Users\user\Desktop\dZMT94YYwO.exe "C:\Users\user\Desktop\dZMT94YYwO.exe"	Jump to behavior

Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\dZMT94YYwO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\dZMT94YYwO.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\dZMT94YYwO.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: dZMT94YYwO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: dZMT94YYwO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: dZMT94YYwO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: BVvw.pdbSHA256 source: dZMT94YYwO.exe
Source:	Binary string: BVvw.pdb source: dZMT94YYwO.exe

Source: dZMT94YYwO.exe

Static PE information: 0xD746965E [Tue Jun 13 09:37:34 2084 UTC]

Source: C:\Users\user\Desktop\dZMT94YYwO.exe

Code function: 8_2_011EB3A8 push eax; iretd

8_2_011EB445

Source: dZMT94YYwO.exe

Static PE information: section name: .text entropy: 7.6605208212456795

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: dZMT94YYwO.exe PID: 7400, type: MEMORYSTR

Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Memory allocated: 25A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Memory allocated: 2610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Memory allocated: 7670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Memory allocated: 8670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Memory allocated: 8820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Memory allocated: 9820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Memory allocated: 11C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Memory allocated: 2C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Memory allocated: 4C90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7902			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1735			Jump to behavior

Source: C:\Users\user\Desktop\dZMT94YYwO.exe TID: 7448	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7988	Thread sleep time: -3689348814741908s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: dZMT94YYwO.exe, 00000004.00000002.1336081288.0000000000AE2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\%
Source: dZMT94YYwO.exe, 00000008.00000002.2534715530.0000000000F86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\dZMT94YYwO.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dZMT94YYwO.exe"
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dZMT94YYwO.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\dZMT94YYwO.exe

Memory written: C:\Users\user\Desktop\dZMT94YYwO.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dZMT94YYwO.exe"			Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Process created: C:\Users\user\Desktop\dZMT94YYwO.exe "C:\Users\user\Desktop\dZMT94YYwO.exe"			Jump to behavior

Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Queries volume information: C:\Users\user\Desktop\dZMT94YYwO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Queries volume information: C:\Users\user\Desktop\dZMT94YYwO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\dZMT94YYwO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 4.2.dZMT94YYwO.exe.38948c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dZMT94YYwO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dZMT94YYwO.exe.3811d60.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dZMT94YYwO.exe.3811d60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dZMT94YYwO.exe.38948c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dZMT94YYwO.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dZMT94YYwO.exe PID: 1468, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.dZMT94YYwO.exe.38948c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dZMT94YYwO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dZMT94YYwO.exe.3811d60.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dZMT94YYwO.exe.3811d60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dZMT94YYwO.exe.38948c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dZMT94YYwO.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dZMT94YYwO.exe PID: 1468, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\dZMT94YYwO.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\dZMT94YYwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\dZMT94YYwO.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 4.2.dZMT94YYwO.exe.38948c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dZMT94YYwO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dZMT94YYwO.exe.3811d60.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dZMT94YYwO.exe.3811d60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dZMT94YYwO.exe.38948c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2536234764.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dZMT94YYwO.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dZMT94YYwO.exe PID: 1468, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 4.2.dZMT94YYwO.exe.38948c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dZMT94YYwO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dZMT94YYwO.exe.3811d60.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dZMT94YYwO.exe.3811d60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dZMT94YYwO.exe.38948c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dZMT94YYwO.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dZMT94YYwO.exe PID: 1468, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.dZMT94YYwO.exe.38948c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dZMT94YYwO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dZMT94YYwO.exe.3811d60.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dZMT94YYwO.exe.3811d60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dZMT94YYwO.exe.38948c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dZMT94YYwO.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dZMT94YYwO.exe PID: 1468, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	13 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
dZMT94YYwO.exe	71%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
dZMT94YYwO.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.16.1	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
53.210.109.20.in-addr.arpa	unknown	unknown	true	unknown
241.42.69.40.in-addr.arpa	unknown	unknown	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	dZMT94YYwO.exe, 00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dZMT94YYwO.exe, 00000004.00000002.1340741246.0000000002823000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	dZMT94YYwO.exe	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	dZMT94YYwO.exe, 00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	dZMT94YYwO.exe, 00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000008.00000002.2536234764.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, dZMT94YYwO.exe, 00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.16.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588754
Start date and time:	2025-01-11 05:03:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	dZMT94YYwO.exe renamed because original name is a hash value
Original Sample Name:	96dc67ac15ce042c3b2d1d85120ce2431444ad619035b22ddf2dadacb644009c.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@4/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 99 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.23.242.162, 172.202.163.200, 40.69.42.241, 20.109.210.53
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target dZMT94YYwO.exe, PID 1468 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: dZMT94YYwO.exe

Simulations

Behavior and APIs

Time	Type	Description
23:04:56	API Interceptor	2x Sleep call for process: dZMT94YYwO.exe modified
23:04:57	API Interceptor	13x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.16.1	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.kkpmoneysocial.top/86am/
104.21.16.1	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
193.122.130.0	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	4AMVusDMPP.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
reallyfreegeoip.org	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ZeAX5i7cGB.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	jKqPSehspS.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	104.21.32.1
	A6AHI7Uk18.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Wru9ycO2MJ.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	iNFGd6bDZX.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	n2pGr8w21V.exe	Get hash	malicious	FormBook	Browse	104.18.73.116
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	MyzWeEOlqb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	02Eh1ah35H.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.167.146
ORACLE-BMC-31898US	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	yqfze5TKW7.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1

Process:	C:\Users\user\Desktop\dZMT94YYwO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380747059108785
Encrypted:	false
SSDEEP:	48:lylWSU4y4RY5mFoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:lGLHyIYgKLgZ2KRHWLOug8s
MD5:	7FB1FD1C665C18ECE942DA9E36B59EE7
SHA1:	09B353EC1822B9E023592614E5134413DE62F289
SHA-256:	1261B7A47707253232D5D43CC306DFB3A5FCBF6831E86519B7BC75A980497D04
SHA-512:	2C509915AB765E24650BBECD60645F072D0AD3360C217A66AD1158BB7B875C74E1FDFF06D1C41DD04D0361389A23EF02D0D6B6025495C894931567D4957A12B8
Malicious:	false
Reputation:	low
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............i..VdqF...\|...........System.Configuration<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2z2avrm5.yj4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dwzdnhqs.hmh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fhlki3av.xdu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ykuti2o3.3ke.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.78018158199994
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dZMT94YYwO.exe
File size:	776'712 bytes
MD5:	f448b6c0c3a101b79cc91f9c87770574
SHA1:	da82ce0445bb85cb54f0f901771c2f8d3a4f9988
SHA256:	96dc67ac15ce042c3b2d1d85120ce2431444ad619035b22ddf2dadacb644009c
SHA512:	b3cef74c03da316955935879704216c1695716a86f92dc3a4193244e022b581d56ddb5147a7281b4d33b18e10a016818431b5988a53580156604de2903f1f317
SSDEEP:	12288:z3YhlE4ivnlQZ0dxx12PSdxtKiVY5usx+XthkR:zYnDivnE0d0+LVYxH
TLSH:	4EF4F1912245DA03ED2913721972E9FD17712EAEDA60E50A1EEEFCF7B733702290441B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^.F...............0..d...>......J.... ........@.. ....................................@................................

File Icon


Icon Hash:	98e2a3b29b9ba181

Static PE Info

General

Entrypoint:	0x48834a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD746965E [Tue Jun 13 09:37:34 2084 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x882f5	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x33a6c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xba400	0x3608	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x86694	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x86350	0x86400	1cd2b4f2dc06f33538ecca5790232a0b	False	0.8894884049115456	data	7.6605208212456795	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x33a6c	0x33c00	0c2dc8179e62eb877e8c993301c8232e	False	0.13753019323671498	data	3.044444013806165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbe000	0xc	0x200	7d6f2eb84d07e205e930f86267f63d19	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x8a130	0x33428	Device independent bitmap graphic, 198 x 512 x 32, image size 202752, resolution 7874 x 7874 px/m	0.13495903981710802
RT_GROUP_ICON	0xbd558	0x14	data	1.05
RT_VERSION	0xbd56c	0x314	data	0.4352791878172589
RT_MANIFEST	0xbd880	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T05:04:59.442966+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49729	193.122.130.0	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:04:57.948139906 CET	49729	80	192.168.2.10	193.122.130.0
Jan 11, 2025 05:04:57.953021049 CET	80	49729	193.122.130.0	192.168.2.10
Jan 11, 2025 05:04:57.953460932 CET	49729	80	192.168.2.10	193.122.130.0
Jan 11, 2025 05:04:57.953460932 CET	49729	80	192.168.2.10	193.122.130.0
Jan 11, 2025 05:04:57.958303928 CET	80	49729	193.122.130.0	192.168.2.10
Jan 11, 2025 05:04:59.117069960 CET	80	49729	193.122.130.0	192.168.2.10
Jan 11, 2025 05:04:59.161552906 CET	49729	80	192.168.2.10	193.122.130.0
Jan 11, 2025 05:04:59.303272963 CET	49729	80	192.168.2.10	193.122.130.0
Jan 11, 2025 05:04:59.308060884 CET	80	49729	193.122.130.0	192.168.2.10
Jan 11, 2025 05:04:59.402517080 CET	80	49729	193.122.130.0	192.168.2.10
Jan 11, 2025 05:04:59.412656069 CET	49741	443	192.168.2.10	104.21.16.1
Jan 11, 2025 05:04:59.412693024 CET	443	49741	104.21.16.1	192.168.2.10
Jan 11, 2025 05:04:59.412758112 CET	49741	443	192.168.2.10	104.21.16.1
Jan 11, 2025 05:04:59.417604923 CET	49741	443	192.168.2.10	104.21.16.1
Jan 11, 2025 05:04:59.417618990 CET	443	49741	104.21.16.1	192.168.2.10
Jan 11, 2025 05:04:59.442965984 CET	49729	80	192.168.2.10	193.122.130.0
Jan 11, 2025 05:04:59.905580044 CET	443	49741	104.21.16.1	192.168.2.10
Jan 11, 2025 05:04:59.905656099 CET	49741	443	192.168.2.10	104.21.16.1
Jan 11, 2025 05:04:59.911861897 CET	49741	443	192.168.2.10	104.21.16.1
Jan 11, 2025 05:04:59.911881924 CET	443	49741	104.21.16.1	192.168.2.10
Jan 11, 2025 05:04:59.912246943 CET	443	49741	104.21.16.1	192.168.2.10
Jan 11, 2025 05:04:59.958372116 CET	49741	443	192.168.2.10	104.21.16.1
Jan 11, 2025 05:04:59.979161978 CET	49741	443	192.168.2.10	104.21.16.1
Jan 11, 2025 05:05:00.019332886 CET	443	49741	104.21.16.1	192.168.2.10
Jan 11, 2025 05:05:00.098351002 CET	443	49741	104.21.16.1	192.168.2.10
Jan 11, 2025 05:05:00.098488092 CET	443	49741	104.21.16.1	192.168.2.10
Jan 11, 2025 05:05:00.098534107 CET	49741	443	192.168.2.10	104.21.16.1
Jan 11, 2025 05:05:00.104624033 CET	49741	443	192.168.2.10	104.21.16.1
Jan 11, 2025 05:05:22.075485945 CET	49268	53	192.168.2.10	162.159.36.2
Jan 11, 2025 05:05:22.080347061 CET	53	49268	162.159.36.2	192.168.2.10
Jan 11, 2025 05:05:22.080419064 CET	49268	53	192.168.2.10	162.159.36.2
Jan 11, 2025 05:05:22.085249901 CET	53	49268	162.159.36.2	192.168.2.10
Jan 11, 2025 05:05:22.540808916 CET	49268	53	192.168.2.10	162.159.36.2
Jan 11, 2025 05:05:22.545789957 CET	53	49268	162.159.36.2	192.168.2.10
Jan 11, 2025 05:05:22.545846939 CET	49268	53	192.168.2.10	162.159.36.2
Jan 11, 2025 05:06:04.402132034 CET	80	49729	193.122.130.0	192.168.2.10
Jan 11, 2025 05:06:04.402267933 CET	49729	80	192.168.2.10	193.122.130.0
Jan 11, 2025 05:06:39.411823988 CET	49729	80	192.168.2.10	193.122.130.0
Jan 11, 2025 05:06:39.416692972 CET	80	49729	193.122.130.0	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:04:57.915530920 CET	54441	53	192.168.2.10	1.1.1.1
Jan 11, 2025 05:04:57.922261953 CET	53	54441	1.1.1.1	192.168.2.10
Jan 11, 2025 05:04:59.404819965 CET	52535	53	192.168.2.10	1.1.1.1
Jan 11, 2025 05:04:59.412003040 CET	53	52535	1.1.1.1	192.168.2.10
Jan 11, 2025 05:05:22.074830055 CET	53	59470	162.159.36.2	192.168.2.10
Jan 11, 2025 05:05:22.555831909 CET	62137	53	192.168.2.10	1.1.1.1
Jan 11, 2025 05:05:22.563679934 CET	53	62137	1.1.1.1	192.168.2.10
Jan 11, 2025 05:05:27.250608921 CET	56618	53	192.168.2.10	1.1.1.1
Jan 11, 2025 05:05:27.257754087 CET	53	56618	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 05:04:57.915530920 CET	192.168.2.10	1.1.1.1	0xd41f	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:04:59.404819965 CET	192.168.2.10	1.1.1.1	0x3dad	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:22.555831909 CET	192.168.2.10	1.1.1.1	0x4fab	Standard query (0)	241.42.69.40.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jan 11, 2025 05:05:27.250608921 CET	192.168.2.10	1.1.1.1	0x6398	Standard query (0)	53.210.109.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 05:04:57.922261953 CET	1.1.1.1	192.168.2.10	0xd41f	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 05:04:57.922261953 CET	1.1.1.1	192.168.2.10	0xd41f	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:04:57.922261953 CET	1.1.1.1	192.168.2.10	0xd41f	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:04:57.922261953 CET	1.1.1.1	192.168.2.10	0xd41f	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:04:57.922261953 CET	1.1.1.1	192.168.2.10	0xd41f	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:04:57.922261953 CET	1.1.1.1	192.168.2.10	0xd41f	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:04:59.412003040 CET	1.1.1.1	192.168.2.10	0x3dad	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:04:59.412003040 CET	1.1.1.1	192.168.2.10	0x3dad	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:04:59.412003040 CET	1.1.1.1	192.168.2.10	0x3dad	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:04:59.412003040 CET	1.1.1.1	192.168.2.10	0x3dad	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:04:59.412003040 CET	1.1.1.1	192.168.2.10	0x3dad	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:04:59.412003040 CET	1.1.1.1	192.168.2.10	0x3dad	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:04:59.412003040 CET	1.1.1.1	192.168.2.10	0x3dad	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:22.563679934 CET	1.1.1.1	192.168.2.10	0x4fab	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jan 11, 2025 05:05:27.257754087 CET	1.1.1.1	192.168.2.10	0x6398	Name error (3)	53.210.109.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49729	193.122.130.0	80	1468	C:\Users\user\Desktop\dZMT94YYwO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:04:57.953460932 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 05:04:59.117069960 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:04:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2fe92123992d083e1b4e8ea03f0acbcf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 05:04:59.303272963 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 05:04:59.402517080 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:04:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c254f79fed577acf1fafe23891b2f2bb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49741	104.21.16.1	443	1468	C:\Users\user\Desktop\dZMT94YYwO.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:04:59 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 04:05:00 UTC	861	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:05:00 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1883089 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5k0WS6WyuEf6DSZdbjgiStaE7I%2F55fdfNbw%2F3L90O0Zi36sAHC4m4E5%2BYM7Dj0RNK%2FSXYeQ1Dm9KUG2Yk2andasIg%2Bg1DqL9Tzc5aJZ2J8554Mn3bAg5W4D5D0sNCefOnpHsSZN%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900206a338b68ce0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1775&min_rtt=1772&rtt_var=671&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1624026&cwnd=215&unsent_bytes=0&cid=99fabbabd48fa487&ts=211&x=0"
2025-01-11 04:05:00 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	4
Start time:	23:04:50
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\dZMT94YYwO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\dZMT94YYwO.exe"
Imagebase:	0x3b0000
File size:	776'712 bytes
MD5 hash:	F448B6C0C3A101B79CC91F9C87770574
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.1341709118.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.1341709118.0000000003831000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:04:56
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dZMT94YYwO.exe"
Imagebase:	0xc80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:04:56
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\dZMT94YYwO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\dZMT94YYwO.exe"
Imagebase:	0x8b0000
File size:	776'712 bytes
MD5 hash:	F448B6C0C3A101B79CC91F9C87770574
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.2533219595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2536234764.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	23:04:56
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:04:58
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6616b0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	140
Total number of Limit Nodes:	10

Executed Functions

Function 025ED468 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 025ED4F6
GetCurrentThread.KERNEL32 ref: 025ED533
GetCurrentProcess.KERNEL32 ref: 025ED570
GetCurrentThreadId.KERNEL32 ref: 025ED5C9

Memory Dump Source

Source File: 00000004.00000002.1338645335.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_25e0000_dZMT94YYwO.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f542635868a255f2dad0abc9e1f82f15a40817297613447f3ddd81f827341d7c
Instruction ID: 5eea8f44a375f4925a194a09654d2b2975b662bb0b7f982ed42756d1fca01349
Opcode Fuzzy Hash: f542635868a255f2dad0abc9e1f82f15a40817297613447f3ddd81f827341d7c
Instruction Fuzzy Hash: 8B5166B09013498FEB15CFA9D548BEEBBF1FF48308F20815AD419A7260D774A945CB66

Function 025ED478 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 025ED4F6
GetCurrentThread.KERNEL32 ref: 025ED533
GetCurrentProcess.KERNEL32 ref: 025ED570
GetCurrentThreadId.KERNEL32 ref: 025ED5C9

Memory Dump Source

Source File: 00000004.00000002.1338645335.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_25e0000_dZMT94YYwO.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2fc84a05360b99fdc33f8fa393917716713e927b5bc2fd5592936f02b577996b
Instruction ID: a51fd01b7273cfa14d18d96570ae42fc35dcff2893f27564796607aa0cbd92f6
Opcode Fuzzy Hash: 2fc84a05360b99fdc33f8fa393917716713e927b5bc2fd5592936f02b577996b
Instruction Fuzzy Hash: CA5146B09013498FEB14DFA9D548BEEBBF5FF48308F208159D419A7260D774A944CF69

Function 06DCB87C Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DCBABE

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 65b3618b648b8b745a6cce9c0e10721b0e1ac3a7eb55afb1757ee85e62601609
Instruction ID: 427a2437f1dd2f93d48f9948be86b480a22de82d3e3e09855c4b6ecd95a5109d
Opcode Fuzzy Hash: 65b3618b648b8b745a6cce9c0e10721b0e1ac3a7eb55afb1757ee85e62601609
Instruction Fuzzy Hash: 12A16B71D0031E9FEB64CF68C842BEDBBB2BF44320F1485AAD849A7244DB749985CF91

Function 06DCB888 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DCBABE

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a2b46c119e0849024bb1acb7adac49a0e5c1f34e4a0c9a375051208026f1c671
Instruction ID: 8a18d1e37ec0dc67a3f7aa702a325630eb5e924c9ae94cbf3bd9e3934c4190f0
Opcode Fuzzy Hash: a2b46c119e0849024bb1acb7adac49a0e5c1f34e4a0c9a375051208026f1c671
Instruction Fuzzy Hash: 3C914971D0031E9FEB64CF68C881BEDBBB2BF44320F1485AAD849A7254DB749985CF91

Function 025EADE8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 025EB03E

Memory Dump Source

Source File: 00000004.00000002.1338645335.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_25e0000_dZMT94YYwO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6cae3994df187ca541c659eb55dd75da3d0114ca861534ef2f7c9ad4bf3cae2c
Instruction ID: 910f9e62fec4554ec98930ce598102992491f7ffa3fd87d23658564f5415ac12
Opcode Fuzzy Hash: 6cae3994df187ca541c659eb55dd75da3d0114ca861534ef2f7c9ad4bf3cae2c
Instruction Fuzzy Hash: 31712270A00B458FDB28DF29D4457AABBF2FF88304F008A2DD49A97A50D775E845CB99

Function 025E44B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 025E59C9

Memory Dump Source

Source File: 00000004.00000002.1338645335.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_25e0000_dZMT94YYwO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 43a74064014bc19370b749df99806c601624f13051d0c83836fb8e9e0c32385f
Instruction ID: a099da47bcf0266a78042775603a6c2e8d55b86b22216f5228653a4d0146334d
Opcode Fuzzy Hash: 43a74064014bc19370b749df99806c601624f13051d0c83836fb8e9e0c32385f
Instruction Fuzzy Hash: 6A41D2B0D00718CBEB24DFA9C844BDEBBF5BF48318F60816AD409AB251EB756945CF90

Function 025E590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 025E59C9

Memory Dump Source

Source File: 00000004.00000002.1338645335.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_25e0000_dZMT94YYwO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e68b347dcb263f805b1cc1dd2183246bac67c10defbfaf4bb49d6d3e69047b9e
Instruction ID: 126ba96ec5f5157e0e992ab35847709fb143412dfc192a1853f86617847e5bbf
Opcode Fuzzy Hash: e68b347dcb263f805b1cc1dd2183246bac67c10defbfaf4bb49d6d3e69047b9e
Instruction Fuzzy Hash: 9241D0B0D00718CBEF24DFA9C8847DDBBB5BF48318F60816AD419AB251EB75694ACF50

Function 06DCB5F8 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06DCB690

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: cee6f3d9b6aa3b67da562550e28789bfc254f4090306a398f5e26f47667b63da
Instruction ID: 2709f3315cb3f14be24577c6a85265e3e9831d4eacc65ed61c8cb3b2708f2ab8
Opcode Fuzzy Hash: cee6f3d9b6aa3b67da562550e28789bfc254f4090306a398f5e26f47667b63da
Instruction Fuzzy Hash: EF212471D103499FDF50CFAAC885BEEBBF4FB48320F10842AE959A7240C7799955CBA4

Function 06DCB600 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06DCB690

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6b938fb1b9c1c453015cc0f1f0485542f2ada66b91e179116eb43a0cf56ae258
Instruction ID: 630e056873091eb3d427e3f19c84877659b06dcb3eef582cf8c31c3e0d4276c4
Opcode Fuzzy Hash: 6b938fb1b9c1c453015cc0f1f0485542f2ada66b91e179116eb43a0cf56ae258
Instruction Fuzzy Hash: F0211571D003499FDB10CFA9C885BEEBBF5FF48324F10842AE959A7240C7799955CBA4

Function 06DCB6E9 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06DCB770

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4ac779405ffe57a8d38052a32e9a728f14b61d30e808def96c8b282c1b7c870d
Instruction ID: fe5beb5acb122f750e2e89b22a41dd767620c9337326195af269ba20a65cbda9
Opcode Fuzzy Hash: 4ac779405ffe57a8d38052a32e9a728f14b61d30e808def96c8b282c1b7c870d
Instruction Fuzzy Hash: 71212571C003499FDB10CFAAC881BEEBBF4FF48320F10852AE959A7240C7799941CBA4

Function 025ED6B9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 025ED747

Memory Dump Source

Source File: 00000004.00000002.1338645335.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_25e0000_dZMT94YYwO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 22f104d0e834a478aeccb5b98a34dff282ab898f0388051500b02e334e6bbdb3
Instruction ID: cb4d74a041767ebd96477a177eed2d5d71358b29a5db61a950ace557e4dbf90f
Opcode Fuzzy Hash: 22f104d0e834a478aeccb5b98a34dff282ab898f0388051500b02e334e6bbdb3
Instruction Fuzzy Hash: B72103B59002489FDB10CFAAD985AEEBBF4FB48314F10801AE918A3310C378A940CFA4

Function 06DCB029 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06DCB0AE

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4e3bb3111970622a89119263cbb0edc4b6121601bc7e96f1a52cb1e8f9c8dad0
Instruction ID: aa7e481b145ebfe7f2e3e16ff0d15452378cbde24ac7212ef09e3a2e9f873b3c
Opcode Fuzzy Hash: 4e3bb3111970622a89119263cbb0edc4b6121601bc7e96f1a52cb1e8f9c8dad0
Instruction Fuzzy Hash: AE212571D003098FDB60CFAAC5857EEBBF4EF88324F14842AD459A7240CB799945CFA5

Function 06DCB6F0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06DCB770

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 871c83dcd613afd51b62f0f047b2315108db86762918b6b022b373119097e38f
Instruction ID: 9d25c027989c32639fa59c2f941283846c5d65675db788df4c953701252a31ff
Opcode Fuzzy Hash: 871c83dcd613afd51b62f0f047b2315108db86762918b6b022b373119097e38f
Instruction Fuzzy Hash: 21211671C003499FDB10CFAAC881BEEBBF5FF48320F10852AE959A7250C7799945CBA4

Function 06DCB030 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06DCB0AE

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5c45f84a1e3bd10af9d7eee6991f536824fb9dc311f07439224b66d43978c2af
Instruction ID: d45f7c9b7c2dac60897fda5ff7f11350de0500f9868efe88da96d15ac4fb8e4f
Opcode Fuzzy Hash: 5c45f84a1e3bd10af9d7eee6991f536824fb9dc311f07439224b66d43978c2af
Instruction Fuzzy Hash: 23213571D003098FDB20CFAAC5857EEBBF4EF48324F14842AD559A7240CB79A945CFA5

Function 025ED6C0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 025ED747

Memory Dump Source

Source File: 00000004.00000002.1338645335.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_25e0000_dZMT94YYwO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a9872049e39782f3121de044497a690e620d7aee396260630abe793965e14d69
Instruction ID: 0c059d3afc270100f1a6a9e9d0524a5230e09e92e50baa163ae6a23a9d9d9b2a
Opcode Fuzzy Hash: a9872049e39782f3121de044497a690e620d7aee396260630abe793965e14d69
Instruction Fuzzy Hash: F121E4B59003489FDB10CFAAD985AEEBBF8FB48314F14801AE954A3310C374A944CFA5

Function 06DCB539 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06DCB5AE

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f37cea0357fd169c62bcc6dce02d2881960b6a83c5a0a8591f40eb7e50484e25
Instruction ID: 13e3ff47b7369d88e87c9fb05cd271373f778bf51aba76a2ddd95d0e1f7398dc
Opcode Fuzzy Hash: f37cea0357fd169c62bcc6dce02d2881960b6a83c5a0a8591f40eb7e50484e25
Instruction Fuzzy Hash: 701144729003499FDB20CFA9C845BEEBBF5EF88324F14881AE959A7250C7359951CFA4

Function 06DCAB40 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06DCABAA

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 432a31e43958787cefa07689a5cc898fcc6b682d943328d715d4ccf05db8427b
Instruction ID: d760a70349a580b9a04901dd023e8b538fc285b93fc3e0121f4e83182f07d6f9
Opcode Fuzzy Hash: 432a31e43958787cefa07689a5cc898fcc6b682d943328d715d4ccf05db8427b
Instruction Fuzzy Hash: A5115B71D0034D8BDB20DFAAC4457EEFBF5EB88324F24841DD559A7240C675A945CF94

Function 06DCB540 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06DCB5AE

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 79e521122327155f6b4e073c253cc4a4c3f4f7f1165a6d3ff368a1e370b86107
Instruction ID: 1596b641744ec6e67d057cf9f82f39069ef5a856e0287b9e89c58296113bab52
Opcode Fuzzy Hash: 79e521122327155f6b4e073c253cc4a4c3f4f7f1165a6d3ff368a1e370b86107
Instruction Fuzzy Hash: 7D1156728003499FDB20CFAAC845BEEBBF5EF48324F14841AE515A7250CB75A940CFA4

Function 06DCAB48 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06DCABAA

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f21be5030d6cf30e11d480d91518cb1914ae86c98be63b8107b6e33ebf1f6001
Instruction ID: e691581025561378543839d78a56537a56dc7b48cb8c3d11acf061cd449d0d59
Opcode Fuzzy Hash: f21be5030d6cf30e11d480d91518cb1914ae86c98be63b8107b6e33ebf1f6001
Instruction Fuzzy Hash: 76112871D003498BDB20DFAAC4457AEFBF5EB88324F24841AD459A7240CA79A945CB94

Function 025EAFD8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 025EB03E

Memory Dump Source

Source File: 00000004.00000002.1338645335.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_25e0000_dZMT94YYwO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8b3db6125eef006004be669a99c5725fc0e7d0b90d6cdf75de3460f1a8f6e5cb
Instruction ID: 7791fee6ccf489953f60fc053caf2f525562ea631500d034bb7026dcc7843ef9
Opcode Fuzzy Hash: 8b3db6125eef006004be669a99c5725fc0e7d0b90d6cdf75de3460f1a8f6e5cb
Instruction Fuzzy Hash: BB1102B5C003498FDB24CF9AC444BEEFBF4FB88218F10841AD829A7210D379A545CFA5

Function 06DCE010 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06DCE075

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 93d7e0bcc217007e5912b5a9ec947f704f556ab70aee4d26529117c8fccc782a
Instruction ID: fd533945be098034c20e103a0fc2e11c50d5bc97c94963239ca4f83e206fdbea
Opcode Fuzzy Hash: 93d7e0bcc217007e5912b5a9ec947f704f556ab70aee4d26529117c8fccc782a
Instruction Fuzzy Hash: 6711F2B5800349DFDB60CF9AD885BEEBBF8EB48324F10851AE458A7310C375A944CFA4

Function 06DC9E34 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06DCE075

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a80691e5176734a7c2fd8d7bf47f2417d9f0a0d7af6c2f33766d0d301db5b8b6
Instruction ID: 719c81f1b79f979d4a9eb7d22c84edea5a6dc4477cdca0bd7d045f61fdb5f68d
Opcode Fuzzy Hash: a80691e5176734a7c2fd8d7bf47f2417d9f0a0d7af6c2f33766d0d301db5b8b6
Instruction Fuzzy Hash: 9B11F5B5800349DFDB20CF9AC845BEEBBF8EB48324F108419E958A7211C375A944CFA5

Function 0251D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1337026923.000000000251D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0251D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_251d000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62540d43d1ff356a651c32e3d536e3af69109d792ca064acce02c8324a96d789
Instruction ID: 1748226f1d2446f64adb86e2a758bac040046e201a364f722bec7ee3dfcb9aee
Opcode Fuzzy Hash: 62540d43d1ff356a651c32e3d536e3af69109d792ca064acce02c8324a96d789
Instruction Fuzzy Hash: EF210771504340DFEB09DF10D5C0B26BBB5FB84314F20CA6DD8294B252C33AD446CA65

Function 0251D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1337026923.000000000251D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0251D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_251d000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f51653888c49227e2929f620d4c416a47bc93458a89e3640703dad8b4c68c
Instruction ID: 8be5ddb75add24d0ae1ca6385437101aea393a6ab47a4e84b3ed71256a1e638c
Opcode Fuzzy Hash: e20f51653888c49227e2929f620d4c416a47bc93458a89e3640703dad8b4c68c
Instruction Fuzzy Hash: 34210075604240DFEB14DF10D980B26BBB5FB84314F20CAA9D80A4B242D33AD847CA66

Function 0251D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1337026923.000000000251D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0251D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_251d000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17698ce33d1e3f7f9f0978f1d2d3b1aa5d4f2795774478c9c7831e76c108601
Instruction ID: f39c3a416b1314cc6827fe399ca01aa4aba8a85bb772f12d709012264e1ce153
Opcode Fuzzy Hash: f17698ce33d1e3f7f9f0978f1d2d3b1aa5d4f2795774478c9c7831e76c108601
Instruction Fuzzy Hash: 11219F755093C08FDB06CF24D990B15BF71FB46214F28C5EAD8498F2A7C33A984ACB62

Function 0251D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1337026923.000000000251D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0251D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_251d000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a47fca32086eb944179ff56ca27c2d6481e14b1a347c3870bd5c92e07928962c
Instruction ID: f029a7181b15cd7637d2ce1a944e6298ed7beb745b1c9beeb6443125a3f3e782
Opcode Fuzzy Hash: a47fca32086eb944179ff56ca27c2d6481e14b1a347c3870bd5c92e07928962c
Instruction Fuzzy Hash: D711BB75504280DFDB0ACF10C5C0B15BFB1FB84218F24C6A9D8594B696C33AD40ACB61

Non-executed Functions

Function 06DC86E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fb89f4b4e8da58e6b78205df5d3eee3cbbfd11d7a0a1e9b0e1f443f98d13d7
Instruction ID: 2bd6dbf70a26c94e84a8d49b0dad6dfc07f39ac0e672504b95095653d5713622
Opcode Fuzzy Hash: f6fb89f4b4e8da58e6b78205df5d3eee3cbbfd11d7a0a1e9b0e1f443f98d13d7
Instruction Fuzzy Hash: 91E11774E1025A8FDB14DFA8C580AAEFBF2FF89314F248169D405AB356D730A941DFA1

Function 06DCB108 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3d24c6f9481c7c1ac82c5d1db5e183f8c3a1f7398112eab48fc543a7e189eb
Instruction ID: d2c816399a44443341f387064eb4342722d5e32c10f7db7ecc6d1028abd12995
Opcode Fuzzy Hash: 1c3d24c6f9481c7c1ac82c5d1db5e183f8c3a1f7398112eab48fc543a7e189eb
Instruction Fuzzy Hash: EAE13A74E102198FDB14DFA8C581AAEFBF2FF89314F24816AD404AB356D730A941CFA0

Function 06DC8F58 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ed7211e5675d230c437bde3b909210a9c49ffd4d52f3123f397ca6ac5101ab
Instruction ID: 61c5a5c10145c8ed53609b1eb0ae9f7060c9df9bb3c4483f9669b43e8d9d4495
Opcode Fuzzy Hash: c7ed7211e5675d230c437bde3b909210a9c49ffd4d52f3123f397ca6ac5101ab
Instruction Fuzzy Hash: C4E12874E0025A8FDB14DFA9C590AAEFBF2FF89314F248169D445AB356D730A941CFA0

Function 06DCABF8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa8797b33bd3eb815b78198025972fc2ed14e8c99dcee5fbc11206da3b9b0a3
Instruction ID: e601ae30c2db1ef2362f470b71eb993c7801964c1afc8dcc1e74b1e6fa1814e7
Opcode Fuzzy Hash: 6aa8797b33bd3eb815b78198025972fc2ed14e8c99dcee5fbc11206da3b9b0a3
Instruction Fuzzy Hash: B9E11874E0025A8FDB14DFA9C580AAEFBF2FF89314F248169D415AB356D730A941CFA0

Function 06DC8B20 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595f2eb0110876c8cc426df84bc93e3bfc6fc5f06369d2de37235cd6ad38d2ea
Instruction ID: 45b10e8a729bc83f9d86de67917a86a55952c5f583499962b363d87a4a38dbdf
Opcode Fuzzy Hash: 595f2eb0110876c8cc426df84bc93e3bfc6fc5f06369d2de37235cd6ad38d2ea
Instruction Fuzzy Hash: E8E11874E102598FDB14DFA8C580AAEFBF2FF89314F248169D415AB356D730A941CFA4

Function 025ED3A4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1338645335.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_25e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a96535341e64c6382c83300e63f5a2f3ffe8ef81af2d6f7f873b269336b671
Instruction ID: 5fecf4fd319af9a68e1a12665a2f734ac49808aa5c26c6450c498a5848a37185
Opcode Fuzzy Hash: 08a96535341e64c6382c83300e63f5a2f3ffe8ef81af2d6f7f873b269336b671
Instruction Fuzzy Hash: 30A13B36E002198FCF09DFA4C8445AEBBB2FF85304B15856AE906AB265DF71E956CB40

Function 06DC86D9 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8491e0902929e61e909ee8b48408a0867ddf1d81bbfbb2eeff01947faf3ceac3
Instruction ID: cb583abe1d36c65cbdda9aef77b18cdd9bb7a81c842e5141c2fe03d936d629a3
Opcode Fuzzy Hash: 8491e0902929e61e909ee8b48408a0867ddf1d81bbfbb2eeff01947faf3ceac3
Instruction Fuzzy Hash: 59511974E002598FDB14DFA9C980AAEBBF2FF89314F248169D418AB356D7309941DFA1

Function 06DCD0BE Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1344666004.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6dc0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993461018b22d475bd5309eac683714b35cc6aecc5a8905188cb45dfea8fc04c
Instruction ID: 80faf98be2cd86bd79241962de42d3501e803710333b6dddd48f4908efd9127b
Opcode Fuzzy Hash: 993461018b22d475bd5309eac683714b35cc6aecc5a8905188cb45dfea8fc04c
Instruction Fuzzy Hash: 18C01222D4D019CFD6408D94AC414F4F37EDECB132B057065854ED3111C110D225D594

Analysis Process: dZMT94YYwO.exePID: 1468, Parent PID: 7400COMMON

Executed Functions

Function 0571BC60 Relevance: 12.1, Strings: 9, Instructions: 885COMMON

Download Yara Rule

Strings

(oq, xrefs: 0571BD75
,q, xrefs: 0571C0F0
(oq, xrefs: 0571C16F
,q, xrefs: 0571C100
(oq, xrefs: 0571BC8E
(oq, xrefs: 0571C221
(oq, xrefs: 0571C15F
(oq, xrefs: 0571BE12
(oq, xrefs: 0571BD49

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$(oq$,q$,q
API String ID: 0-746337618
Opcode ID: 803811cf92cd27469b578f6ab813a08a21ed95a2c04d726658700b9e7a3a3252
Instruction ID: d8a6cce1b3695c33567ddf26d4883bb2729b019def15cb9b6e7d8ff0771db8ca
Opcode Fuzzy Hash: 803811cf92cd27469b578f6ab813a08a21ed95a2c04d726658700b9e7a3a3252
Instruction Fuzzy Hash: 76826E34A40209DFCB15CFA8C984EAEBBF6BF48310F158559E90AAB261D770ED40DF59

Function 0571AF00 Relevance: 9.7, Strings: 7, Instructions: 924COMMON

Download Yara Rule

Strings

,q, xrefs: 0571B7EA
(oq, xrefs: 0571BA9D
(oq, xrefs: 0571B436
(oq, xrefs: 0571B780
(oq, xrefs: 0571B772
,q, xrefs: 0571B7F8
Hq, xrefs: 0571B302

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$,q$,q$Hq
API String ID: 0-2858405300
Opcode ID: 9403a8cb5d1bee16f93f6e477372b8e4b4dc67b2082d04558d8f20ecc804a01d
Instruction ID: dddda905c8c0912b0e1bf508fcf27e21e83b80932925b0e480c55b279ed5df74
Opcode Fuzzy Hash: 9403a8cb5d1bee16f93f6e477372b8e4b4dc67b2082d04558d8f20ecc804a01d
Instruction Fuzzy Hash: 69727070A00219DFDB14DF69C884AAEBBB6FF88340F148159E81AEB365DB34DD41DB94

Function 011EC530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 011EF910

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: f417cc79f022c38410cec01f5b7bcddaf699d5b819077bc335a1e69584824644
Instruction ID: 7dcf7b116dc1844a9a5cccf81eef05a96e2459b9e3f9551ff52387157f4f1810
Opcode Fuzzy Hash: f417cc79f022c38410cec01f5b7bcddaf699d5b819077bc335a1e69584824644
Instruction Fuzzy Hash: B973E831D10B5A8EDB15EFA8C844A99FBB1FF95300F11D69AE44877261EB70AAC4CF41

Function 05716138 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PHq, xrefs: 05716383
PHq, xrefs: 05716372

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 2e934d9a36c29961574599f589774c2a60fe1011abac556baa5a9b1f6eedf168
Instruction ID: 15d91e5c1ddda84280c73b81d34df8ebed9715fdb1a8e0e627d66a7007fb8ce9
Opcode Fuzzy Hash: 2e934d9a36c29961574599f589774c2a60fe1011abac556baa5a9b1f6eedf168
Instruction Fuzzy Hash: 0C81D274E00218CFDB58DFAAD954BADBBF2BF89300F20816AD819AB394DB345945DF44

Function 057189E0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24d3b477713a75d0021e1239ea512a398862d1ed9970b33066afbee93d7ecfc
Instruction ID: 8a1fd8e430bbe3238dbf42b27f9d46686c94c9f77a77dd400aa55e230b5d39ce
Opcode Fuzzy Hash: b24d3b477713a75d0021e1239ea512a398862d1ed9970b33066afbee93d7ecfc
Instruction Fuzzy Hash: F9827D74E012289FDB64DF69C898BDDBBB2BF88300F1481EA980DA7255DB715E81DF41

Function 011E9480 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b52f282d70729a7a391e69530dd9fb335ca30e78d6f9245bbd54222c341833
Instruction ID: 8f4d089213e7653ef3b22ad7bfb8ecd0b2e197009b90bc53fdde4e56b0b52768
Opcode Fuzzy Hash: f9b52f282d70729a7a391e69530dd9fb335ca30e78d6f9245bbd54222c341833
Instruction Fuzzy Hash: 7BC1A274E00218CFDB14DFA5D958B9DBBB2BF88304F2081AAD809A7365DB759E85CF50

Function 011EC521 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ee95e50820f2a86adbb385e794836ec0e9c72d6fcdb5d57437bee7e224970b
Instruction ID: b4bb17ec97108f9cf6adda0eb546bdc4d5da42a21fa4ac73a1c2ebd9e8b66a9f
Opcode Fuzzy Hash: 51ee95e50820f2a86adbb385e794836ec0e9c72d6fcdb5d57437bee7e224970b
Instruction Fuzzy Hash: 35A10671D106198EDB14DFA9C848BDDFBF1EF89300F14C2AAD45867261EB709A85CF81

Function 011E9A30 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa70e5c6d903c952c3691cb85b758289491fd1b91a146702646444e49c1c150
Instruction ID: 52ab70eb37c45bbd1c5781b47e2c4a171534ac55e4718f6e90681b5c234bf993
Opcode Fuzzy Hash: 0aa70e5c6d903c952c3691cb85b758289491fd1b91a146702646444e49c1c150
Instruction Fuzzy Hash: ADA11670D00608CFEB14DFA8C848B9DBBF1BF89304F249269E509AB3A1DB749985CF55

Function 011E9A40 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830a5d19adb596bbb00c163f5ef7aca2c261db3c8f0916fdc7065333737c8f9e
Instruction ID: e686d2081ee2a8afdc190f526bffeddaef101e93692477305f45d13c620de546
Opcode Fuzzy Hash: 830a5d19adb596bbb00c163f5ef7aca2c261db3c8f0916fdc7065333737c8f9e
Instruction Fuzzy Hash: 81A11470D00608CFEB14DFA9C948B9DBBB1FF88304F249269E509AB3A1DB749985CF55

Function 011E9D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef85633dbfcb432ef649423b6c09589764dee9ff06b2cf6fa8902b3238da135
Instruction ID: ebb18d569f06f560d1f09a9545b0f16ed0dbf196a141ceb3fe32b965c7c14816
Opcode Fuzzy Hash: 5ef85633dbfcb432ef649423b6c09589764dee9ff06b2cf6fa8902b3238da135
Instruction Fuzzy Hash: AA910170D00618CFEB14DFA8C888B9CBBF1FF49304F249269E509AB2A1DB759981CF55

Function 057189D0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62712c88febc1d00a6d70f6c1db0952570243ccc4066a65338edf2d3893b5552
Instruction ID: 6c1ea97090fb0064c9e541b9d198c02e4c7cf838aeb66a3bb3573d71523eca4b
Opcode Fuzzy Hash: 62712c88febc1d00a6d70f6c1db0952570243ccc4066a65338edf2d3893b5552
Instruction Fuzzy Hash: 7881C074E012289FDB64DF29D854BEDBBB2BF89300F1080EAD849A7254DB315E81CF44

Function 011E946F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0879746144b762a69bb52265522f060012853330d5b054291f2f991048cccc6
Instruction ID: 0f856b794b7255e9aaff21d6b59224617d010adb03ba2cbc415bbe4668ea7481
Opcode Fuzzy Hash: d0879746144b762a69bb52265522f060012853330d5b054291f2f991048cccc6
Instruction Fuzzy Hash: FA41D474D00648CBEB18CFEAD85869DFBF2AF89300F24D12AD815AB269DB385945CF54

Function 011E19B8 Relevance: 5.8, Strings: 4, Instructions: 839COMMON

Download Yara Rule

Strings

Xq, xrefs: 011E1B2F
Xq, xrefs: 011E1B7C
Xq, xrefs: 011E1AB0
Xq, xrefs: 011E1A76

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: 0108a7a9fa52052843fb649eb71515f48b1822c86961854a5ea575a033922c17
Instruction ID: b340e47bd4643606c59be10b38601ede43a454520582a7bba78819c04ca5e9b5
Opcode Fuzzy Hash: 0108a7a9fa52052843fb649eb71515f48b1822c86961854a5ea575a033922c17
Instruction Fuzzy Hash: 81624731556392ABC7B68F61CC69AD6BFF0EFD53207A80A5CE4C041922D37E5BA4CB11

Function 011EAD3D Relevance: 5.5, Strings: 4, Instructions: 521COMMON

Download Yara Rule

Strings

Hq, xrefs: 011EB239
Hq, xrefs: 011EB1D3
, xrefs: 011EB015
Hq, xrefs: 011EB206

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: $Hq$Hq$Hq
API String ID: 0-1373062214
Opcode ID: 3fd88e2a5969d768f74c44f456bac1fbd17540ab649d949cc29d362d951336e5
Instruction ID: 5fda3a2d6ad4e6742c5a1682a4770b67ba333960bbad325932074e16290331ac
Opcode Fuzzy Hash: 3fd88e2a5969d768f74c44f456bac1fbd17540ab649d949cc29d362d951336e5
Instruction Fuzzy Hash: 3C81E330B086049FDB1D9FB8A85D66D7FF2AF85360B144529E516CB3A1DF349C01CB59

Function 011EAF78 Relevance: 5.3, Strings: 4, Instructions: 326COMMON

Download Yara Rule

Strings

Hq, xrefs: 011EB239
Hq, xrefs: 011EB1D3
, xrefs: 011EB065
Hq, xrefs: 011EB206

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: $Hq$Hq$Hq
API String ID: 0-1373062214
Opcode ID: e85e490f50c22e76fdb60a566eaf0b53c88b4d32dbc6fc0c9bafe41426ee4b1d
Instruction ID: 2191b88443a92d4d2fbf5eef8ba263d55aaf326a8ddf5ba4b8082381dd5296e0
Opcode Fuzzy Hash: e85e490f50c22e76fdb60a566eaf0b53c88b4d32dbc6fc0c9bafe41426ee4b1d
Instruction Fuzzy Hash: 3DB10630B086149FDB19AFB8A85C66D7BF2EF85320B15462AEA15CB3D1DF349C01C759

Function 011EB500 Relevance: 4.2, Strings: 3, Instructions: 404COMMON

Download Yara Rule

Strings

Hq, xrefs: 011EB749
Hq, xrefs: 011EB54E
Hq, xrefs: 011EB6EA

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: Hq$Hq$Hq
API String ID: 0-2505839570
Opcode ID: c346b3f72e03b2534c9dacb619b8a93e066cfb51c10f7d27b7db898262e4ff7c
Instruction ID: e5e223711988be9e4a94b4aa996f7fa9a14e8722bd95a3f72847c57b1d901c87
Opcode Fuzzy Hash: c346b3f72e03b2534c9dacb619b8a93e066cfb51c10f7d27b7db898262e4ff7c
Instruction Fuzzy Hash: 25D11670B086048FDB19DBA8C858BAD7BF2EF89320F184569E505EB3A1CB75DC41CB95

Function 0571CD28 Relevance: 3.3, Strings: 2, Instructions: 799COMMON

Download Yara Rule

Strings

$q, xrefs: 0571D84C
$q, xrefs: 0571D86F

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 19436e55fffc7a32ca044ffd15a7c74a31471bc051652319241a10232cebee16
Instruction ID: 13856cf0ae8f56376f52efd4839c5f1845920bb7bedc5dbfb09dd5b1b6ca5ed1
Opcode Fuzzy Hash: 19436e55fffc7a32ca044ffd15a7c74a31471bc051652319241a10232cebee16
Instruction Fuzzy Hash: 60626670A00218CFEB65DBA4C854BAE7BB6FF89300F1081A9D506AB395CF399D81DF51

Function 0571A620 Relevance: 2.8, Strings: 2, Instructions: 346COMMON

Download Yara Rule

Strings

Hq, xrefs: 0571A73E
Hq, xrefs: 0571A70B

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: 94a6f50511b471945e7e2c55c2dd9947fbd4a24838752307b564f146f4afb032
Instruction ID: 5a561873f1dd1cc2998415b503ccc0fb824a69e6b6df4038eb150127a027ac21
Opcode Fuzzy Hash: 94a6f50511b471945e7e2c55c2dd9947fbd4a24838752307b564f146f4afb032
Instruction Fuzzy Hash: C2C1BB307052159FDB1A9F28D858A6E7BA3BB88340F048569E906CB395DB34CD42DBE4

Function 0571AAE0 Relevance: 2.7, Strings: 2, Instructions: 236COMMON

Download Yara Rule

Strings

,q, xrefs: 0571ABC0
,q, xrefs: 0571ABB6

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 3924b388321f53e4953df36ad9bbbe6178bf4af3cd9fa5f1bddbea29547f2520
Instruction ID: ab78117e8a26777423ecde348119d55ea1b35365f4a68fbb6127b9faf73126b4
Opcode Fuzzy Hash: 3924b388321f53e4953df36ad9bbbe6178bf4af3cd9fa5f1bddbea29547f2520
Instruction Fuzzy Hash: F091EF30B055158FCB14CF6DC984A6AB7B2FF89350B288169D806EB3A5DB31EC41DBD4

Function 057169E8 Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

(q, xrefs: 05716BC2
(&q, xrefs: 05716B03

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: (&q$(q
API String ID: 0-2464455664
Opcode ID: c1c7bf21591269e487264ff13c6c332b8aaa78932556527960bf27e6794226da
Instruction ID: 7260c1e49eb4d3a5a37510550e6bc8b0b96b810c8be31a0b0c562182719b5a42
Opcode Fuzzy Hash: c1c7bf21591269e487264ff13c6c332b8aaa78932556527960bf27e6794226da
Instruction Fuzzy Hash: 62718131F042189BDB19DFB8D8506AE7BB6AFC4740F248529E406A7290DF34AD41D7A9

Function 011E3F78 Relevance: 2.6, Strings: 2, Instructions: 126COMMON

Download Yara Rule

Strings

PHq, xrefs: 011E40F2
PHq, xrefs: 011E40E1

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 9764fd54f5794e61843d8d674a7b602498937bccbd9efc3e8288e47b92c04200
Instruction ID: 65045539d4a5654510da3ef7107286aa82c4243d716a6d99fd88c1a563f84dcf
Opcode Fuzzy Hash: 9764fd54f5794e61843d8d674a7b602498937bccbd9efc3e8288e47b92c04200
Instruction Fuzzy Hash: F551B374E006489FDB58DFE9D888A9DBBF2BF89310F148529E815BB364DB74A841CF50

Function 011E2C6F Relevance: 2.6, Strings: 2, Instructions: 120COMMON

Download Yara Rule

Strings

Xq, xrefs: 011E2CBE
Xq, xrefs: 011E2C95

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: fc4cd7667b789eb104538523789c60f095254e6641722c86794067cd57b59253
Instruction ID: 7b9a1a77f740eb15a46c264468a801434a2b0ec5cf9819b0d1db848f225752f3
Opcode Fuzzy Hash: fc4cd7667b789eb104538523789c60f095254e6641722c86794067cd57b59253
Instruction Fuzzy Hash: 6131B331B047554BEB2D46E998AC37E6AEEBBC5250F19402EDA07C7285DBB5C8848352

Function 011E0B20 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

LRq, xrefs: 011E0B62

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 0ac21864b8eceb0a32f3f8c98a89f1fe0744ebcdb5c6186073ebbef8f3e39e85
Instruction ID: 08fe56047985a248fe01a2fa8c7d263dd6d149c64f4ccf8f87ebc6cdefe4e83c
Opcode Fuzzy Hash: 0ac21864b8eceb0a32f3f8c98a89f1fe0744ebcdb5c6186073ebbef8f3e39e85
Instruction Fuzzy Hash: 8BA1D974A00249DFCF05EFA4E888B9DBBB2FB48704B11862AD545E7359DB70AD45CF81

Function 011E0B30 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

LRq, xrefs: 011E0B62

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 937a6b1caa130bfbb975e5784ce20235cecb422fabb573b1be7ecb009c1ba48e
Instruction ID: 1272c84f1407f9ca884a1c4af2072cb8c08a49fc05e31b9c105c271f059b106f
Opcode Fuzzy Hash: 937a6b1caa130bfbb975e5784ce20235cecb422fabb573b1be7ecb009c1ba48e
Instruction Fuzzy Hash: 34A1B874A00249DFCB05EFA4E888B9DBBB6FB4C704B11862AD505E7359DB70AD45CF81

Function 011EBC28 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

Hq, xrefs: 011EBD2D

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: Hq
API String ID: 0-1594803414
Opcode ID: 7ca61c6fa3261b4711ad0c3ef28c6b796a74b18c58a51e498fa49730d9a46dc6
Instruction ID: 2c07fd30eed0cb0186d0d2374830258cc18c186780c4cea7e9aeaea4e4eaa948
Opcode Fuzzy Hash: 7ca61c6fa3261b4711ad0c3ef28c6b796a74b18c58a51e498fa49730d9a46dc6
Instruction Fuzzy Hash: 67411731B082499FDB09ABF8D819AAD3FF6AF89240B0944BAE509CB391DE308C01C754

Function 0571C7E8 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

4'q, xrefs: 0571C863

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 096f8ef2551c7711f88c6df8e311b44561dffd6c4f0f5ccd94682729149b28b6
Instruction ID: 16c02f11cf0fe148a388109155f655c9be337f5c78f2dd7c3c9d2f40570c8bc2
Opcode Fuzzy Hash: 096f8ef2551c7711f88c6df8e311b44561dffd6c4f0f5ccd94682729149b28b6
Instruction Fuzzy Hash: B2416A746401159FCB16DFA9C888BAA3BBAFF88710F100069F906DB3A0CB70DD41DBA4

Function 0571CB20 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

4'q, xrefs: 0571CB9A

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 058b453a9784a0490825dd824cb5f1329eb18a8b0e4c01d145639503c16531ad
Instruction ID: ce48031573e1781eff8064b61b6a46a4717925711a398660a8511b65d26e1d35
Opcode Fuzzy Hash: 058b453a9784a0490825dd824cb5f1329eb18a8b0e4c01d145639503c16531ad
Instruction Fuzzy Hash: 542176317482558BD726DEEE9D807BB7BEFBB85600B044436EC12CB244D6B0DD40E7A4

Function 0571DA68 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0108f38cd9cd6f52e6f8c6e48daaa66f13c78159ae5ec7f3d1241261590dca
Instruction ID: 905a8eee45ffc7cc152fef2a60e2b8538876066956cd804887f7ba124d8a28be
Opcode Fuzzy Hash: be0108f38cd9cd6f52e6f8c6e48daaa66f13c78159ae5ec7f3d1241261590dca
Instruction Fuzzy Hash: C2F12D71A006159FCB14CF6DC988AADB7F6BF89311B1A8099E905EB361CB70EC41DF58

Function 011EBF80 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e86dbd36c75f38ce30f2cbd591d9f6b126c1da265142cf9ec5adee0f0a2e83
Instruction ID: 8b8b80724a5eab2dcb955946f9419661255e00926b3d229d92fc41b8166772cb
Opcode Fuzzy Hash: 66e86dbd36c75f38ce30f2cbd591d9f6b126c1da265142cf9ec5adee0f0a2e83
Instruction Fuzzy Hash: 4361C376A04A059FDB18DBBCDC48BABBFF9EBC9224B14852AE519D7740D731D80187A0

Function 0571C9D9 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e74395ad4282b63439516a0dacdeb0b86503f819df40242806215569d34593f
Instruction ID: b2ca112c8508eb05f4d4277a0c1db2d59e378816944a7f4cec8cd9cf98dde389
Opcode Fuzzy Hash: 9e74395ad4282b63439516a0dacdeb0b86503f819df40242806215569d34593f
Instruction Fuzzy Hash: E551A2313981559FCB26DFBDC98496A7BEEBF4960030544BAE916DB361EB30DC00DB54

Function 057169D8 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607366a0b725457b7622671a2f91be66b263cd257ddaa7d05ac496ac59844f70
Instruction ID: 55a1921aae6fb4c89d817994d29ea420c5f341d26f420b6535e424009ed527a9
Opcode Fuzzy Hash: 607366a0b725457b7622671a2f91be66b263cd257ddaa7d05ac496ac59844f70
Instruction Fuzzy Hash: E9417471E002199BDB14DFA9C990BDEBBF6BF84740F248129E801B7240EB70A945DB94

Function 011E3168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45abf241b5cfbbede1f52c336a0e8d5ca45869acf035197738f5bb265e61ae2
Instruction ID: d22215402ed73d2039a4a414a80d2c2e57c956362bd37311ef3a2023fb4baf65
Opcode Fuzzy Hash: c45abf241b5cfbbede1f52c336a0e8d5ca45869acf035197738f5bb265e61ae2
Instruction Fuzzy Hash: 05419274E016099FDB08DFAAD888A9DBBF2BF89300F249529E815B7364DB309845CF14

Function 011E9249 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716bfcccb446dcb878d05d975add40d026fab9f65d94cd08acdcf52129ee6272
Instruction ID: 203773ea1647b82b5598f1e0235f16e03cef0844b42f6ff533c8e93896e40ffc
Opcode Fuzzy Hash: 716bfcccb446dcb878d05d975add40d026fab9f65d94cd08acdcf52129ee6272
Instruction Fuzzy Hash: 4931D97083624E8FC3802B61F5AE13ABFB5FB8F363748BC01F12A818659F3045848B25

Function 011EB869 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95a4d1d566c95f785c21de571240428930eb3b674b3fd5fdde607c8e9ce80ad
Instruction ID: 9617856b56fdf8bb0f59dcbccc142bb3fa5ec0590bc6ea08a522c146a9eac7f7
Opcode Fuzzy Hash: e95a4d1d566c95f785c21de571240428930eb3b674b3fd5fdde607c8e9ce80ad
Instruction Fuzzy Hash: 53311775B002098FDB49DFA8C484F9DBBF2AF88224F195554E501AB361DBB1EC81CBA5

Function 05719D48 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed457f2d2fdb701906214132f7e90049efd5c40c7fa254db9ab28ca7c3c50802
Instruction ID: 310095e9b200e0e1225c19ef2784ad2beefea1650671f4b94da5de2c0abaef97
Opcode Fuzzy Hash: ed457f2d2fdb701906214132f7e90049efd5c40c7fa254db9ab28ca7c3c50802
Instruction Fuzzy Hash: 7C3183316041199FCF05AF68D854AAE3BA3FB48350F004019FE1687294DB39DE66EBA5

Function 011EB89D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1400dbce8653cabf19bd30663c7f06b68497a497c57ca5d4bc892f819884a32
Instruction ID: 45afb7a54c24e677dd09f008556e443e146ec78ee415aaef32f8382dd57b1621
Opcode Fuzzy Hash: e1400dbce8653cabf19bd30663c7f06b68497a497c57ca5d4bc892f819884a32
Instruction Fuzzy Hash: 5B312A71B002098FDB45DFA8C884F9DBBF2AF88324F195554E501AB361DBB1EC81CB95

Function 05719CB7 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f0fae1a785b446551d639099cab570a40d42aaff628c80f3574ded540f16e2
Instruction ID: 85b363d3ef3db4ca036b6f9c6427975e66444d3cb0c82a23083cccbb6beb4adf
Opcode Fuzzy Hash: 99f0fae1a785b446551d639099cab570a40d42aaff628c80f3574ded540f16e2
Instruction Fuzzy Hash: 32315F315092A45FCB06AF24D82467B3FA2EB42350F05409AF945CB292D639CE16E7B5

Function 0571CC09 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56838ec54333a7e30e6e5cf14b9ef3f3dfb416faa319c9a6db71a48d53b87651
Instruction ID: 8475de4d2c8f6268f5ca60ef8897d146056ce8be540827504dd20e871fcb4e45
Opcode Fuzzy Hash: 56838ec54333a7e30e6e5cf14b9ef3f3dfb416faa319c9a6db71a48d53b87651
Instruction Fuzzy Hash: 3C216A313802204BDB266BBD9855A3E3B9FBFC5254B144079DD02CB395EE25CC42B799

Function 0571DA58 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61bf2add904c198ccdd6821205dfb1770411f60288d0137e3771fbc16a3f422
Instruction ID: e58a162735ea70137135c46081c0776d279b0c8255e8a242b2738e0467b92d9b
Opcode Fuzzy Hash: e61bf2add904c198ccdd6821205dfb1770411f60288d0137e3771fbc16a3f422
Instruction Fuzzy Hash: 5A317770B046158FCB24CF6CC988AAEBBB6FF85310B198159E916973A1CB34DC41DFA4

Function 0571CC18 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5feaa6140de7f138c5b8c37c450fb5eda7480a48447cb5e55e1c15fb6b5ff55
Instruction ID: 5282fd20b7335f2386cf5f25ab20046ca06da98e9d9beb26288aef52e516bc6f
Opcode Fuzzy Hash: c5feaa6140de7f138c5b8c37c450fb5eda7480a48447cb5e55e1c15fb6b5ff55
Instruction Fuzzy Hash: 3D210A313802204BEB265A6D945573E369FBFC4754F148079DD02CB798EE79CC82B788

Function 011E18C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38ddb57d196c72c973ae15eec8325824e591fca59ddc42f9ee75ebdd55adc61
Instruction ID: fad9872bdb3d1a79446465e2f9cf3c7e2cf0e4a7df789539141ec8f13c7070ef
Opcode Fuzzy Hash: c38ddb57d196c72c973ae15eec8325824e591fca59ddc42f9ee75ebdd55adc61
Instruction Fuzzy Hash: 9121C435A00605BFCB18DB68C444ABE3BA5EB8D350B51C119D94ADB388EB31EE05CBD1

Function 00F3D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2534503458.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f3d000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99843a4538bed9668507ecb439b89c2590a7c9ad8f20ba92561cd8c4deac30ab
Instruction ID: 8223c357b99a77854e8ee8fa7f3bfbe0c1a561ad75a6c70f0dc4cd2874e298d0
Opcode Fuzzy Hash: 99843a4538bed9668507ecb439b89c2590a7c9ad8f20ba92561cd8c4deac30ab
Instruction Fuzzy Hash: 3621C5B1904344DFDB18DF14E980B26BB65FB84724F24C669D80A4B25AC376D847DA62

Function 00F3D005 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2534503458.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f3d000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36570f4ee7ba9e078c0f4c5e08fdb81ef5571331a4719e97ff8c452d42f43384
Instruction ID: 819e604f4265284c808429cb49258a9db7150c851cace1994b7bfa5d8918dcf6
Opcode Fuzzy Hash: 36570f4ee7ba9e078c0f4c5e08fdb81ef5571331a4719e97ff8c452d42f43384
Instruction Fuzzy Hash: 5721517150D3C09FC707CB24D990711BF71AB46224F29C5DBD8858F2A7C23A984ADB62

Function 05716BC8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d27adda81abb99ced82dce528ec4bcf118307944f4f3a675b6d992400c7a36
Instruction ID: 65807f35f5dba4b82a8381b707d7ae3e4994670123e006cfb52e5466d6af72eb
Opcode Fuzzy Hash: 73d27adda81abb99ced82dce528ec4bcf118307944f4f3a675b6d992400c7a36
Instruction Fuzzy Hash: 8F1103327083945FDB0A6F7858146AE7FA7AFC5240714446EE506CB292CE358D06D3BA

Function 011E0EC8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42465fef4a3fba747f545d6348e3aa5184b80ef93ccfa9f5757a10b4e689d6f1
Instruction ID: e957cb8a9f98800e3b3a88ad2be7937c4bd7edc13dfe6b3dd83e510355ca1782
Opcode Fuzzy Hash: 42465fef4a3fba747f545d6348e3aa5184b80ef93ccfa9f5757a10b4e689d6f1
Instruction Fuzzy Hash: 1D217F70E006199FDB09EFB9D4547AEBBB2EF89304F10C5A9E404AB285DBB49A41CF51

Function 0571B518 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7704d91e19c3788217420733c3c729534a138156a780e2e795211a7eaddf5b
Instruction ID: c58b0e7765cc623ff809dfb09b83c4f6d4df322f474c579cbea8ad4084a23c58
Opcode Fuzzy Hash: 8a7704d91e19c3788217420733c3c729534a138156a780e2e795211a7eaddf5b
Instruction Fuzzy Hash: E9219D719002089FCB20CF59C948FAABBF6FB44314F00816AE95E9B251D772D954DBA4

Function 011EBB23 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8254b9b6f7934027ce4b1e30d8ccdfcd9aff8973769943469b555bbbd711648e
Instruction ID: 129dfb45ab5d13eaed5fc242b940687ee8fc2289fc50e36d4bb99d56bd5d3b02
Opcode Fuzzy Hash: 8254b9b6f7934027ce4b1e30d8ccdfcd9aff8973769943469b555bbbd711648e
Instruction Fuzzy Hash: 7711DD317096008FDB2ACB79C958B167BF5EF86210F1980AAD145CF276CB60DC04CB62

Function 011E17B8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ab405346930b0c163620e049a75abfe375a9b85acb682a20a73f4e3863e0ee
Instruction ID: ce1c641ba8e8e2bf2c2da68967107d741f6b2218e4822ee3e4752d8b4fe84512
Opcode Fuzzy Hash: a4ab405346930b0c163620e049a75abfe375a9b85acb682a20a73f4e3863e0ee
Instruction Fuzzy Hash: 412103B0D0464A8FCF45DFA8D8485EEBFF4BF4A300F0441AAD445B7265EB305A84CBA5

Function 011EBB48 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e18710e548641403c136ca3b84bfc68b68f701c78437943f25ecd2ee92677cf
Instruction ID: 52d7d731c709fa73799362619729701209444c03530c3e72e83d93c7b7784c1e
Opcode Fuzzy Hash: 0e18710e548641403c136ca3b84bfc68b68f701c78437943f25ecd2ee92677cf
Instruction Fuzzy Hash: 9E118F317046148FDB28DB69D988E16B7F6EF88721F148169E24A8B365CB71EC40CB50

Function 05716E70 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320a45d658677bc1b3e767d327c857b68027b5ca37c39ee1c1bcc1de1e17339c
Instruction ID: 087508eea7be8e17d65b7f1e75e7abc75876ff21556f9d79dd3854fb40eb98c2
Opcode Fuzzy Hash: 320a45d658677bc1b3e767d327c857b68027b5ca37c39ee1c1bcc1de1e17339c
Instruction Fuzzy Hash: BE115676800249AFDB20CF99C805BDEBBF5FB48320F148419E954A7610C739A994DFA9

Function 057167A0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3e591e22e75296b24743026f62bd5fbe19ada220706edc037adac0f616f359
Instruction ID: 738702078ca9d3e47721e1c912718ce2aa9682d845f640aea3942b4204158781
Opcode Fuzzy Hash: fb3e591e22e75296b24743026f62bd5fbe19ada220706edc037adac0f616f359
Instruction Fuzzy Hash: 25115672800249DFDB10CF99C805BEEBBF4FB48320F148419E914A7610C335A954DFA4

Function 011E4850 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41562ec7418ea1db339c032dff29ad1df4b9616925997cae88cd5479834f2590
Instruction ID: d8cd8c9d02c75b334931bcd22fda722142293b48f4f1899019579a87c48a3790
Opcode Fuzzy Hash: 41562ec7418ea1db339c032dff29ad1df4b9616925997cae88cd5479834f2590
Instruction Fuzzy Hash: 2101F132B007040FDB299AF99848B3B7AEAAFC82A1715453ADA05C7759FE34CC008791

Function 05716399 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c05978dda7f7d54d10adb76615937e5123687e73a9b32c041d4c5b095df1f2
Instruction ID: efb97d1c58594d4f422825a35b6531a7c3c6def01aae1255adfe105f707002c8
Opcode Fuzzy Hash: 11c05978dda7f7d54d10adb76615937e5123687e73a9b32c041d4c5b095df1f2
Instruction Fuzzy Hash: F7113079F00648CFDB04DFFCD850BAEBBB2EB45310F009065E908E7748DA309A418B54

Function 011E4860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c2063a02703f08799f83e7c30d427e648e794d4d55246e9c60cc150dde5fbf
Instruction ID: 391608989da62e5d3694ab3b5f24b343eb922b3d7de95c19a37c9b406be77695
Opcode Fuzzy Hash: 93c2063a02703f08799f83e7c30d427e648e794d4d55246e9c60cc150dde5fbf
Instruction Fuzzy Hash: 9F01A231B003144FD728AAFD9858A3E7ADBAFC86A1710453ADA05C7758FF71CC008791

Function 0571A580 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2deb5328a9637ce23c07a073c57c1fc14e3c3f9b3c23aa0b753ebf24fc85c149
Instruction ID: 5f2b0acce39aac8aa57dd5699b24750c10b74e000d94d19092fec8052ddad450
Opcode Fuzzy Hash: 2deb5328a9637ce23c07a073c57c1fc14e3c3f9b3c23aa0b753ebf24fc85c149
Instruction Fuzzy Hash: 430126326092096FCB02CE55AC00AEF3FA7EB89390F048026F906C7240D636C915A7E4

Function 011EA508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b753278f0bcc6075de23a45e507dea1180deddedaa9221cc7ff82253c32ca78
Instruction ID: 2bff9edd67072713428d2db2c2d764483a4b255d8d32de4209cb6f817a505b0a
Opcode Fuzzy Hash: 7b753278f0bcc6075de23a45e507dea1180deddedaa9221cc7ff82253c32ca78
Instruction Fuzzy Hash: F8010C75E1020D9FDB189FA9E8596AE7FB5EF88350B404429F91A93250DB309D10CBA5

Function 011EA4F9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc861a721c8e4bfdfd6d29988fad396d42663ea58ead292a2179ef35f9b9040
Instruction ID: 056d612f36ef54855cd67f4da9b819e011d0eefd1cd1df6a17f0227e7756b8a4
Opcode Fuzzy Hash: 7cc861a721c8e4bfdfd6d29988fad396d42663ea58ead292a2179ef35f9b9040
Instruction Fuzzy Hash: C4015E71D4060A9FCB18DFA8E8595AE7FF5EF98350B01453AFA1993650DB308D10CBA1

Function 0571A590 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c97982b488d5a071a1d708fd1e1b16fd9fb2e0b1cac81c147261885d86ffa7d3
Instruction ID: 4614357ccc449d05693f555edd8f38169a8e454ff96d1679b1181a2142062063
Opcode Fuzzy Hash: c97982b488d5a071a1d708fd1e1b16fd9fb2e0b1cac81c147261885d86ffa7d3
Instruction Fuzzy Hash: 6B01F9327081196BCF15DE599C00AAF3BABEBC9750F14802AF916D7340DE75CD11A7E8

Function 011EBB46 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b729aace667f43d1ddd1b2126cc1d2406e23bb9113958d757fcba865c67441
Instruction ID: e0c5c4f455050a7c4edc29f1cdc440515294266383e5bfaeab68e0d59ed391c1
Opcode Fuzzy Hash: 49b729aace667f43d1ddd1b2126cc1d2406e23bb9113958d757fcba865c67441
Instruction Fuzzy Hash: 7201B171704A10CFDB28CBA9DA98B16B3E5BF88711F148469E10A8B365CB70EC00CB10

Function 011EBEF8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be267798d116f16ea08966a060210bec27977b0d2855e1a5e5e00062834a2826
Instruction ID: 8321f068b1870f2aa471d43d4e83e30dab4b08b7f829aa43e453cb0a0989a6c2
Opcode Fuzzy Hash: be267798d116f16ea08966a060210bec27977b0d2855e1a5e5e00062834a2826
Instruction Fuzzy Hash: 0AF028327042085FC71917B4A80D56D3FEAEBCA610B04442AF60AC7391DF35CC51CBC5

Function 011EC1B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3335b8f447b64b0a99461f06a285540a1308a58d1aaf97308391b3cb5602492
Instruction ID: 56e40a0300f843b41e80eb586cd4179ffe1d7161d196914daa92a3f3886f4dfb
Opcode Fuzzy Hash: f3335b8f447b64b0a99461f06a285540a1308a58d1aaf97308391b3cb5602492
Instruction Fuzzy Hash: 18F0A732B049159BCB1E57ADE81895EB7E9DFC5631714007AE509D7350DF31DC028794

Function 011EB9EB Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8677528250d86296bf47bef325baeebeaa21c05a5c845d3df87e7894653e82b2
Instruction ID: 8d1cc8198a2a3524d42a85bdae7e13443221181c32b8467820ff0bf34ff4278b
Opcode Fuzzy Hash: 8677528250d86296bf47bef325baeebeaa21c05a5c845d3df87e7894653e82b2
Instruction Fuzzy Hash: E1F09076A046049FCB50DFA9D945ADFFBF5BF58250B148126D509E3201E77095028BE6

Function 011EBE98 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 812433465cc14bb52b3c9c517de0c5056ffe61f8f78777b50f2c2c828451d699
Instruction ID: 11d0fa18d4f220348a2a8c3d36e420670ea68f4e56f7cec6bdf274c56527692e
Opcode Fuzzy Hash: 812433465cc14bb52b3c9c517de0c5056ffe61f8f78777b50f2c2c828451d699
Instruction Fuzzy Hash: 1FF05E35304615DFC704CF59D488D6ABBEAFF887207514069FA0987331CB71AC11CB94

Function 011EB9F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753873ae22e94ec63e884cf8fe593de485a47b77a93c18421b2a311ecc8c5e18
Instruction ID: 68c438ba863d95292ddb8c06f2917573f7e5e2614254f80a10b6c52c1c735159
Opcode Fuzzy Hash: 753873ae22e94ec63e884cf8fe593de485a47b77a93c18421b2a311ecc8c5e18
Instruction Fuzzy Hash: 44F0A771E046089F8B54DFA9D840A9FFBF9FF9C250B10413AD509D3200E7B0A915CBE1

Function 011E46C9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: babbf9a9af89e04b5c4b3ab9988ac524b97316b1b62e8323580049eb69332376
Instruction ID: 8699fa4ecc88f0626af2c6794cefd3264b61220aa891b5b3e216beb553a6f1ef
Opcode Fuzzy Hash: babbf9a9af89e04b5c4b3ab9988ac524b97316b1b62e8323580049eb69332376
Instruction Fuzzy Hash: E0E0C975465F4A8FD3502B60FCAD32A7BA6EB8BB37F882D44E50982071CB706114EB14

Function 011EBE93 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97629d584d3e3e214b6a52de5a54767cc034b4eb8ead3d2953bdb6660d129af4
Instruction ID: a55ba5196e267a137a3f19ae207d1154418348bff3296b3b9c08a1e84f58fd63
Opcode Fuzzy Hash: 97629d584d3e3e214b6a52de5a54767cc034b4eb8ead3d2953bdb6660d129af4
Instruction Fuzzy Hash: B0E09232304519AFC7159F5AD888E5EBFFAEF89360B544039F60987230CB719C10CB94

Function 011E46D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fea084dae2d78f0e8840edc844aa2381418fcfcb193848c67f760c15e3310e
Instruction ID: b7780adbdbf433b29480d6b4d13c38b8edd3dbd7cc084b81714c1c493a492564
Opcode Fuzzy Hash: 80fea084dae2d78f0e8840edc844aa2381418fcfcb193848c67f760c15e3310e
Instruction Fuzzy Hash: EBE09271421B0A8FE3502B60B8AD23E7AA6EB8BB27B842C00A50E810718F706044EB14

Function 011E1877 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee6a010d2d51c22f6dc249175b921d417eac63680da5ed8f53ad1cbe4cd407d7
Instruction ID: db0715a02a49cc40abc06cd982605adf14680fcc1af30e3309c082953f07e6ba
Opcode Fuzzy Hash: ee6a010d2d51c22f6dc249175b921d417eac63680da5ed8f53ad1cbe4cd407d7
Instruction Fuzzy Hash: 41E08672D203265BCB119FB8D8446EEBF74EFE1311F91436AD55473044FBB0555A8B90

Function 0571AD81 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71cd4ab39455f3a69e84f82cd75b2dd7224ec3f0e7fcb6c9e715b0ca90237e61
Instruction ID: 206dd6ea0168d432f3d219db25096fd3e18c982d810793404348c630c929ce2d
Opcode Fuzzy Hash: 71cd4ab39455f3a69e84f82cd75b2dd7224ec3f0e7fcb6c9e715b0ca90237e61
Instruction Fuzzy Hash: EBE0CD3404A3950FC702F771FC15A923F2AD6410107424557F044491D79DE95D9547B2

Function 011E1888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9aa1685b3562d6abc0479bdc479424fac7cd975c31890add4444ed7f03f1af
Instruction ID: ac98e7625b2ebce1ec81c06edea230603dc0bd49fb265d9c92e8d628263e3ddd
Opcode Fuzzy Hash: bb9aa1685b3562d6abc0479bdc479424fac7cd975c31890add4444ed7f03f1af
Instruction Fuzzy Hash: 70D05B31D2032A57CB10E7A5DC044DFFB38EED5321B514626D55437144FB706659C6E5

Function 0571D95D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af18a889a1a8f8d041568304b5112e1bd67ca563933630f785a2586e16ede537
Instruction ID: 3a34b9d43032fc3b846f7d3c238025e43926bf1a1927c93b2a200fbca704eb0b
Opcode Fuzzy Hash: af18a889a1a8f8d041568304b5112e1bd67ca563933630f785a2586e16ede537
Instruction Fuzzy Hash: A2D0673AB40008DFCF04DF98E8509DDF776FB98221B448116FA25A3260C6319965DB64

Function 0571AD90 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7635d8af5bbe30fd55742d1d0eb13c599f025df729849bf1471f7fb5ffdc0e7
Instruction ID: b22bf3a74a2d873149778ced8d60cc82beffbd6deb75abdfbe8323379442e040
Opcode Fuzzy Hash: c7635d8af5bbe30fd55742d1d0eb13c599f025df729849bf1471f7fb5ffdc0e7
Instruction Fuzzy Hash: 92C012304003154FD741F761FC59715732BA7C0510740D611A1054A28E9EF89DA55AA1

Function 011E4831 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25a958fe98ff99704d50444abed3df85d38dd53e5020c5e7aa6b48d5925e950
Instruction ID: 8191bd1c6c08c34ac2aab8eed512e75060963c06d2aae579c0803cd91ba04802
Opcode Fuzzy Hash: f25a958fe98ff99704d50444abed3df85d38dd53e5020c5e7aa6b48d5925e950
Instruction Fuzzy Hash: 6BB012B3D103840BDF760630D91F3543B60EB52240F4804DD9E43C518AF918D000C300

Non-executed Functions

Function 0571BC50 Relevance: 5.3, Strings: 4, Instructions: 273COMMON

Download Yara Rule

Strings

(oq, xrefs: 0571BD75
(oq, xrefs: 0571BC8E
(oq, xrefs: 0571BE12
(oq, xrefs: 0571BD49

Memory Dump Source

Source File: 00000008.00000002.2538146733.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5710000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq
API String ID: 0-3853041632
Opcode ID: c8cad6d6618fae5eaa154d4b4f7be25ff7774f0e2caece3cdaae10114d3034b6
Instruction ID: 8d10d1467c88e1ba3153a4f217091bad1bf012d8b6f57a07c23d0041a2fc396d
Opcode Fuzzy Hash: c8cad6d6618fae5eaa154d4b4f7be25ff7774f0e2caece3cdaae10114d3034b6
Instruction Fuzzy Hash: AFC17B30A002099FCB15CFA9C884EAEBBF6BF48314F148599E959AB361D771ED40DF58

Function 011E1A40 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

Xq, xrefs: 011E1B2F
Xq, xrefs: 011E1B7C
Xq, xrefs: 011E1AB0
Xq, xrefs: 011E1A76

Memory Dump Source

Source File: 00000008.00000002.2535433708.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11e0000_dZMT94YYwO.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: 77118a82e8015b03f350983c2e6b558a9c6e716ae5947ecfeac22957ee5ffe17
Instruction ID: 0858b6643e11b881a5bb3e39b3d3a84b30093afe92f6f2cae1174bb2cf9746ae
Opcode Fuzzy Hash: 77118a82e8015b03f350983c2e6b558a9c6e716ae5947ecfeac22957ee5ffe17
Instruction Fuzzy Hash: 0331A670E0071E9BEF6D8BE885593BEF6F6BB84210F154569C859A7241EB70C9C0CB92

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dZMT94YYwO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dZMT94YYwO.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2z2avrm5.yj4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dwzdnhqs.hmh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fhlki3av.xdu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ykuti2o3.3ke.ps1

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
dZMT94YYwO.exe

Function 025ED468 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Function 025ED478 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 06DCB87C Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Function 06DCB888 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 025EADE8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 025E44B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 025E590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 06DCB5F8 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Function 06DCB600 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 06DCB6E9 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre