Edit tour

Windows Analysis Report
ABG Draft.scr.exe

Overview

General Information

Sample name:	ABG Draft.scr.exe
Analysis ID:	1590632
MD5:	c167bba5692d0b8d8a958f62cb72ffa6
SHA1:	32ee66d6efe2066c7a677becdac18806be8dee05
SHA256:	4d7ae4a600ffeadb38636c294d14612029a0b76313fefb6f27b606b2018b3400
Tags:	exeuser-TeamDreier
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ABG Draft.scr.exe (PID: 1632 cmdline: "C:\Users\user\Desktop\ABG Draft.scr.exe" MD5: C167BBA5692D0B8D8A958F62CB72FFA6)

powershell.exe (PID: 4496 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 4648 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 1364 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpB486.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ABG Draft.scr.exe (PID: 2300 cmdline: "C:\Users\user\Desktop\ABG Draft.scr.exe" MD5: C167BBA5692D0B8D8A958F62CB72FFA6)

iREediqoQIKIHt.exe (PID: 5064 cmdline: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe MD5: C167BBA5692D0B8D8A958F62CB72FFA6)

schtasks.exe (PID: 5828 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F4.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

iREediqoQIKIHt.exe (PID: 4620 cmdline: "C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe" MD5: C167BBA5692D0B8D8A958F62CB72FFA6)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "serverhar244@gpsamsterdamqroup.com", "Password": "         feXwu@m?K@@L               ", "Server": "fiber13.dnsiaas.com", "To": "benfavour015@gmail.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2742210284.0000000002E24000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1523651797.0000000005360000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfb17:$a1: get_encryptedPassword 0x26937:$a1: get_encryptedPassword 0xfe3f:$a2: get_encryptedUsername 0x26c5f:$a2: get_encryptedUsername 0xf8b2:$a3: get_timePasswordChanged 0x266d2:$a3: get_timePasswordChanged 0xf9d3:$a4: get_passwordField 0x267f3:$a4: get_passwordField 0xfb2d:$a5: set_encryptedPassword 0x2694d:$a5: set_encryptedPassword 0x11489:$a7: get_logins 0x282a9:$a7: get_logins 0x1113a:$a8: GetOutlookPasswords 0x27f5a:$a8: GetOutlookPasswords 0x10f2c:$a9: StartKeylogger 0x27d4c:$a9: StartKeylogger 0x113d9:$a10: KeyLoggerEventArgs 0x281f9:$a10: KeyLoggerEventArgs 0x10f89:$a11: KeyLoggerEventArgsEventHandler 0x27da9:$a11: KeyLoggerEventArgsEventHandler
0000000C.00000002.2740901826.0000000003194000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x18bad7:$a1: get_encryptedPassword 0x18bdff:$a2: get_encryptedUsername 0x18b872:$a3: get_timePasswordChanged 0x18b993:$a4: get_passwordField 0x18baed:$a5: set_encryptedPassword 0x18d449:$a7: get_logins 0x18d0fa:$a8: GetOutlookPasswords 0x18ceec:$a9: StartKeylogger 0x18d399:$a10: KeyLoggerEventArgs 0x18cf49:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1520502704.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.1547273899.0000000002FCB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: ABG Draft.scr.exe PID: 1632	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: ABG Draft.scr.exe PID: 1632	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ABG Draft.scr.exe PID: 1632	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ABG Draft.scr.exe PID: 1632	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: ABG Draft.scr.exe PID: 1632	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x484b1:$a1: get_encryptedPassword 0x8235e:$a1: get_encryptedPassword 0x487ca:$a2: get_encryptedUsername 0x82677:$a2: get_encryptedUsername 0x48260:$a3: get_timePasswordChanged 0x8210d:$a3: get_timePasswordChanged 0x48381:$a4: get_passwordField 0x8222e:$a4: get_passwordField 0x484c7:$a5: set_encryptedPassword 0x82374:$a5: set_encryptedPassword 0x49dca:$a7: get_logins 0x83c77:$a7: get_logins 0x49a7b:$a8: GetOutlookPasswords 0x83928:$a8: GetOutlookPasswords 0x4986d:$a9: StartKeylogger 0x8371a:$a9: StartKeylogger 0x49d1a:$a10: KeyLoggerEventArgs 0x83bc7:$a10: KeyLoggerEventArgs 0x498ca:$a11: KeyLoggerEventArgsEventHandler 0x83777:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: ABG Draft.scr.exe PID: 2300	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ABG Draft.scr.exe PID: 2300	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: iREediqoQIKIHt.exe PID: 5064	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: iREediqoQIKIHt.exe PID: 4620	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ABG Draft.scr.exe.5360000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.ABG Draft.scr.exe.5360000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.ABG Draft.scr.exe.3c80790.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.ABG Draft.scr.exe.3c80790.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ABG Draft.scr.exe.3c80790.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.ABG Draft.scr.exe.3c80790.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.ABG Draft.scr.exe.3c80790.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
0.2.ABG Draft.scr.exe.3c80790.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x139cd:$a4: \Orbitum\User Data\Default\Login Data 0x147c5:$a5: \Kometa\User Data\Default\Login Data
0.2.ABG Draft.scr.exe.3c69970.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.ABG Draft.scr.exe.3c69970.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ABG Draft.scr.exe.3c69970.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.ABG Draft.scr.exe.3c69970.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.ABG Draft.scr.exe.3c69970.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x25fc7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x262ef:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x25d62:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x25e83:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x25fdd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x27939:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x275ea:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x273dc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x27889:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler 0x27439:$a11: KeyLoggerEventArgsEventHandler
0.2.ABG Draft.scr.exe.3c69970.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2afe1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a4df:$a3: \Google\Chrome\User Data\Default\Login Data 0x139cd:$a4: \Orbitum\User Data\Default\Login Data 0x2a7ed:$a4: \Orbitum\User Data\Default\Login Data 0x147c5:$a5: \Kometa\User Data\Default\Login Data 0x2b5e5:$a5: \Kometa\User Data\Default\Login Data
0.2.ABG Draft.scr.exe.3c69970.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.ABG Draft.scr.exe.3c69970.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ABG Draft.scr.exe.3c69970.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.ABG Draft.scr.exe.3c69970.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.ABG Draft.scr.exe.3c69970.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bcd:$a4: \Orbitum\User Data\Default\Login Data 0x129c5:$a5: \Kometa\User Data\Default\Login Data
0.2.ABG Draft.scr.exe.3c80790.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.ABG Draft.scr.exe.3c80790.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ABG Draft.scr.exe.3c80790.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.ABG Draft.scr.exe.3c80790.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.ABG Draft.scr.exe.3c80790.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.ABG Draft.scr.exe.3c80790.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bcd:$a4: \Orbitum\User Data\Default\Login Data 0x129c5:$a5: \Kometa\User Data\Default\Login Data
8.2.iREediqoQIKIHt.exe.3029eb0.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.iREediqoQIKIHt.exe.30e281c.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.ABG Draft.scr.exe.2d99de8.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.ABG Draft.scr.exe.2e52754.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.ABG Draft.scr.exe.2d3d8d4.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.iREediqoQIKIHt.exe.2fcd99c.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ABG Draft.scr.exe", ParentImage: C:\Users\user\Desktop\ABG Draft.scr.exe, ParentProcessId: 1632, ParentProcessName: ABG Draft.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe", ProcessId: 4496, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F4.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F4.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe, ParentImage: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe, ParentProcessId: 5064, ParentProcessName: iREediqoQIKIHt.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F4.tmp", ProcessId: 5828, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpB486.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpB486.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\ABG Draft.scr.exe", ParentImage: C:\Users\user\Desktop\ABG Draft.scr.exe, ParentProcessId: 1632, ParentProcessName: ABG Draft.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpB486.tmp", ProcessId: 1364, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ABG Draft.scr.exe", ParentImage: C:\Users\user\Desktop\ABG Draft.scr.exe, ParentProcessId: 1632, ParentProcessName: ABG Draft.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe", ProcessId: 4496, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpB486.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpB486.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\ABG Draft.scr.exe", ParentImage: C:\Users\user\Desktop\ABG Draft.scr.exe, ParentProcessId: 1632, ParentProcessName: ABG Draft.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpB486.tmp", ProcessId: 1364, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T11:54:25.208969+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49709	158.101.44.242	80	TCP
2025-01-14T11:54:27.693418+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49713	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.ABG Draft.scr.exe.3c80790.4.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "serverhar244@gpsamsterdamqroup.com", "Password": " feXwu@m?K@@L ", "Server": "fiber13.dnsiaas.com", "To": "benfavour015@gmail.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Virustotal: Detection: 27%			Perma Link

Multi AV Scanner detection for submitted file

Source: ABG Draft.scr.exe	Virustotal: Detection: 27%			Perma Link
Source: ABG Draft.scr.exe	ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: ABG Draft.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: ABG Draft.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.8:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.8:49714 version: TLS 1.0

Source: ABG Draft.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: aDJg.pdbSHA256 source: ABG Draft.scr.exe, iREediqoQIKIHt.exe.0.dr
Source:	Binary string: aDJg.pdb source: ABG Draft.scr.exe, iREediqoQIKIHt.exe.0.dr

Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 00FE9731h	7_2_00FE9480
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 00FE9E5Ah	7_2_00FE9A30
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 00FE9E5Ah	7_2_00FE9D87
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052F5E15h	7_2_052F5AD8
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052F47C9h	7_2_052F4520
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052F8830h	7_2_052F8588
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052F76D0h	7_2_052F7428
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052FF700h	7_2_052FF458
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052F76D0h	7_2_052F7428
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052FE9F8h	7_2_052FE750
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052F5929h	7_2_052F5680
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052F83D8h	7_2_052F8130
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052FF2A8h	7_2_052FF000
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052F54D1h	7_2_052F5228
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052FE5A0h	7_2_052FE2F8
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052F5079h	7_2_052F4DD0
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052F7F80h	7_2_052F7CD8
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052F7278h	7_2_052F6FD0
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052F4C21h	7_2_052F4978
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052FFB58h	7_2_052FF8B0
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052F7B28h	7_2_052F7880
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 4x nop then jmp 052FEE50h	7_2_052FEBA8
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 4x nop then jmp 07552BB3h	8_2_07552197
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 4x nop then jmp 07552BB3h	8_2_075520F3
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 4x nop then jmp 07552BB3h	8_2_07552391
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 4x nop then jmp 07552BB3h	8_2_0755222B
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 4x nop then jmp 07552BB3h	8_2_07552114
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 4x nop then jmp 07552BB3h	8_2_0755219D
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 4x nop then jmp 07552BB3h	8_2_075528BC
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 4x nop then jmp 03029731h	12_2_03029480
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 4x nop then jmp 03029E5Ah	12_2_03029A40
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 4x nop then jmp 03029E5Ah	12_2_03029A30
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 4x nop then jmp 03029E5Ah	12_2_03029D87

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49713 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49709 -> 158.101.44.242:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.8:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.8:49714 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.0000000003041000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: ABG Draft.scr.exe, 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000007.00000002.2738823435.0000000000413000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: ABG Draft.scr.exe, 00000000.00000002.1520502704.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 00000008.00000002.1547273899.0000000002F26000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.0000000003041000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ABG Draft.scr.exe, iREediqoQIKIHt.exe.0.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: ABG Draft.scr.exe, 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000007.00000002.2738823435.0000000000413000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: ABG Draft.scr.exe, 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000007.00000002.2738823435.0000000000413000.00000040.00000400.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.ABG Draft.scr.exe.3c80790.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.ABG Draft.scr.exe.3c80790.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ABG Draft.scr.exe.3c69970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.ABG Draft.scr.exe.3c69970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ABG Draft.scr.exe.3c69970.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.ABG Draft.scr.exe.3c69970.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ABG Draft.scr.exe.3c80790.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.ABG Draft.scr.exe.3c80790.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: ABG Draft.scr.exe PID: 1632, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 0_2_00F54204	0_2_00F54204
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 0_2_00F57018	0_2_00F57018
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 0_2_00F5D8EC	0_2_00F5D8EC
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_00FEC530	7_2_00FEC530
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_00FE27B9	7_2_00FE27B9
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_00FE9480	7_2_00FE9480
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_00FEC521	7_2_00FEC521
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_00FE2DD1	7_2_00FE2DD1
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_00FE946F	7_2_00FE946F
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F6138	7_2_052F6138
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F132E	7_2_052F132E
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052FBC60	7_2_052FBC60
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052FAF00	7_2_052FAF00
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F89E0	7_2_052F89E0
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F0AB8	7_2_052F0AB8
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F5AD8	7_2_052F5AD8
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F4520	7_2_052F4520
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F451F	7_2_052F451F
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F8579	7_2_052F8579
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F8588	7_2_052F8588
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F7428	7_2_052F7428
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F7418	7_2_052F7418
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052FF458	7_2_052FF458
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052FF457	7_2_052FF457
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F7428	7_2_052F7428
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052FE740	7_2_052FE740
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052FE750	7_2_052FE750
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F567F	7_2_052F567F
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F5680	7_2_052F5680
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F8120	7_2_052F8120
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F8130	7_2_052F8130
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052FF000	7_2_052FF000
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F0320	7_2_052F0320
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F0330	7_2_052F0330
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F5228	7_2_052F5228
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F521A	7_2_052F521A
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052FE2F8	7_2_052FE2F8
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052FE2F7	7_2_052FE2F7
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F4DC0	7_2_052F4DC0
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F4DD0	7_2_052F4DD0
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F7CC8	7_2_052F7CC8
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F0CD8	7_2_052F0CD8
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F7CD8	7_2_052F7CD8
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052FEFFF	7_2_052FEFFF
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F6FC3	7_2_052F6FC3
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F6FC1	7_2_052F6FC1
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F6FD0	7_2_052F6FD0
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F4969	7_2_052F4969
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F4978	7_2_052F4978
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F7871	7_2_052F7871
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052FF8A1	7_2_052FF8A1
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052FF8B0	7_2_052FF8B0
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F7880	7_2_052F7880
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052FEBA8	7_2_052FEBA8
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052FEB98	7_2_052FEB98
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Code function: 7_2_052F5ACA	7_2_052F5ACA
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 8_2_02D94204	8_2_02D94204
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 8_2_02D97018	8_2_02D97018
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 8_2_02D9D8EC	8_2_02D9D8EC
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 8_2_07555170	8_2_07555170
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 8_2_08AFEA80	8_2_08AFEA80
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 8_2_08AFCA10	8_2_08AFCA10
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 8_2_08AFEEB8	8_2_08AFEEB8
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 8_2_08AFCE39	8_2_08AFCE39
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 8_2_08AFCE48	8_2_08AFCE48
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 8_2_08AF3F70	8_2_08AF3F70
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 8_2_08AF5180	8_2_08AF5180
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 8_2_08AFE648	8_2_08AFE648
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 12_2_030227B9	12_2_030227B9
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 12_2_0302C530	12_2_0302C530
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 12_2_03029480	12_2_03029480
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 12_2_0302C521	12_2_0302C521
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 12_2_03022DD1	12_2_03022DD1
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Code function: 12_2_0302946F	12_2_0302946F

Source: ABG Draft.scr.exe, 00000000.00000002.1519412126.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ABG Draft.scr.exe
Source: ABG Draft.scr.exe, 00000000.00000002.1520502704.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs ABG Draft.scr.exe
Source: ABG Draft.scr.exe, 00000000.00000002.1524144115.00000000057E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs ABG Draft.scr.exe
Source: ABG Draft.scr.exe, 00000000.00000002.1523651797.0000000005360000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs ABG Draft.scr.exe
Source: ABG Draft.scr.exe, 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs ABG Draft.scr.exe
Source: ABG Draft.scr.exe, 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs ABG Draft.scr.exe
Source: ABG Draft.scr.exe, 00000000.00000002.1520502704.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs ABG Draft.scr.exe
Source: ABG Draft.scr.exe, 00000000.00000000.1495782606.00000000007F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameaDJg.exeB vs ABG Draft.scr.exe
Source: ABG Draft.scr.exe, 00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs ABG Draft.scr.exe
Source: ABG Draft.scr.exe, 00000007.00000002.2739146939.0000000000D57000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs ABG Draft.scr.exe
Source: ABG Draft.scr.exe, 00000007.00000002.2738823435.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs ABG Draft.scr.exe
Source: ABG Draft.scr.exe	Binary or memory string: OriginalFilenameaDJg.exeB vs ABG Draft.scr.exe

Source: ABG Draft.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.ABG Draft.scr.exe.3c80790.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.ABG Draft.scr.exe.3c80790.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ABG Draft.scr.exe.3c69970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.ABG Draft.scr.exe.3c69970.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ABG Draft.scr.exe.3c69970.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.ABG Draft.scr.exe.3c69970.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ABG Draft.scr.exe.3c80790.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.ABG Draft.scr.exe.3c80790.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: ABG Draft.scr.exe PID: 1632, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: ABG Draft.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: iREediqoQIKIHt.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@16/11@2/2

Source: C:\Users\user\Desktop\ABG Draft.scr.exe

File created: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6352:120:WilError_03
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:736:120:WilError_03

Source: C:\Users\user\Desktop\ABG Draft.scr.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB486.tmp

Jump to behavior

Source: ABG Draft.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ABG Draft.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\ABG Draft.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ABG Draft.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002DAE000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.000000000313C000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.000000000315D000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.000000000311E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2742820245.000000000406D000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.0000000003151000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ABG Draft.scr.exe, 00000000.00000000.1495782606.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, iREediqoQIKIHt.exe.0.dr	Binary or memory string: INSERT INTO users (first_name, last_name, email, [password]) VALUES (@firstName, @lastName, @email, @password);

Source: ABG Draft.scr.exe	Virustotal: Detection: 27%
Source: ABG Draft.scr.exe	ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\ABG Draft.scr.exe

File read: C:\Users\user\Desktop\ABG Draft.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ABG Draft.scr.exe "C:\Users\user\Desktop\ABG Draft.scr.exe"
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpB486.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process created: C:\Users\user\Desktop\ABG Draft.scr.exe "C:\Users\user\Desktop\ABG Draft.scr.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F4.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process created: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe "C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe"
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpB486.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process created: C:\Users\user\Desktop\ABG Draft.scr.exe "C:\Users\user\Desktop\ABG Draft.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F4.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process created: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe "C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\ABG Draft.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\ABG Draft.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\ABG Draft.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: ABG Draft.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ABG Draft.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: ABG Draft.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: aDJg.pdbSHA256 source: ABG Draft.scr.exe, iREediqoQIKIHt.exe.0.dr
Source:	Binary string: aDJg.pdb source: ABG Draft.scr.exe, iREediqoQIKIHt.exe.0.dr

Source: ABG Draft.scr.exe

Static PE information: 0xB6D9DE95 [Sat Mar 19 03:40:05 2067 UTC]

Source: ABG Draft.scr.exe	Static PE information: section name: .text entropy: 7.633999684579492
Source: iREediqoQIKIHt.exe.0.dr	Static PE information: section name: .text entropy: 7.633999684579492

Source: C:\Users\user\Desktop\ABG Draft.scr.exe

File created: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\ABG Draft.scr.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpB486.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: ABG Draft.scr.exe PID: 1632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iREediqoQIKIHt.exe PID: 5064, type: MEMORYSTR

Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Memory allocated: EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Memory allocated: 2C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Memory allocated: 2B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Memory allocated: 8D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Memory allocated: 78C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Memory allocated: 9D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Memory allocated: AD30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Memory allocated: FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Memory allocated: 2A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Memory allocated: 16D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Memory allocated: 4EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Memory allocated: 8B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Memory allocated: 9B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Memory allocated: 9CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Memory allocated: ACF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Memory allocated: 3040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Memory allocated: 5040000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6583			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3045			Jump to behavior

Source: C:\Users\user\Desktop\ABG Draft.scr.exe TID: 6512	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4080	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe TID: 5432	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: iREediqoQIKIHt.exe, 00000008.00000002.1545271346.0000000001253000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}M9<
Source: iREediqoQIKIHt.exe, 0000000C.00000002.2739245029.00000000011E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: ABG Draft.scr.exe, 00000007.00000002.2740413602.00000000010F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ABG Draft.scr.exe

Code function: 7_2_052F0AB8 LdrInitializeThunk,LdrInitializeThunk,

7_2_052F0AB8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\ABG Draft.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe"
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe

Memory written: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpB486.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Process created: C:\Users\user\Desktop\ABG Draft.scr.exe "C:\Users\user\Desktop\ABG Draft.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F4.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Process created: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe "C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Queries volume information: C:\Users\user\Desktop\ABG Draft.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Queries volume information: C:\Users\user\Desktop\ABG Draft.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Queries volume information: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Queries volume information: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ABG Draft.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c80790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c69970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c69970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c80790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ABG Draft.scr.exe PID: 1632, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.ABG Draft.scr.exe.5360000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.5360000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c80790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c69970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c80790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.iREediqoQIKIHt.exe.3029eb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.iREediqoQIKIHt.exe.30e281c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.2d99de8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.2e52754.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.2d3d8d4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.iREediqoQIKIHt.exe.2fcd99c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1523651797.0000000005360000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1520502704.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1547273899.0000000002FCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c80790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c69970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c69970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c80790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ABG Draft.scr.exe PID: 1632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ABG Draft.scr.exe PID: 2300, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\ABG Draft.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c80790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c69970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c69970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c80790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2742210284.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2740901826.0000000003194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ABG Draft.scr.exe PID: 1632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ABG Draft.scr.exe PID: 2300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iREediqoQIKIHt.exe PID: 4620, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c80790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c69970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c69970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c80790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ABG Draft.scr.exe PID: 1632, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.ABG Draft.scr.exe.5360000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.5360000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c80790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c69970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c80790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.iREediqoQIKIHt.exe.3029eb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.iREediqoQIKIHt.exe.30e281c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.2d99de8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.2e52754.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.2d3d8d4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.iREediqoQIKIHt.exe.2fcd99c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1523651797.0000000005360000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1520502704.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1547273899.0000000002FCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c80790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c69970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c69970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABG Draft.scr.exe.3c80790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ABG Draft.scr.exe PID: 1632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ABG Draft.scr.exe PID: 2300, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	13 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ABG Draft.scr.exe	28%	Virustotal		Browse
ABG Draft.scr.exe	34%	ReversingLabs	Win32.Virus.Virut
ABG Draft.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	34%	ReversingLabs	Win32.Virus.Virut
C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe	28%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.64.1	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	ABG Draft.scr.exe, 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000007.00000002.2738823435.0000000000413000.00000040.00000400.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/DataSet1.xsd	ABG Draft.scr.exe, iREediqoQIKIHt.exe.0.dr	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030DB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ABG Draft.scr.exe, 00000000.00000002.1520502704.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 00000008.00000002.1547273899.0000000002F26000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.0000000003041000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	ABG Draft.scr.exe, 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000007.00000002.2738823435.0000000000413000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	ABG Draft.scr.exe, 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000007.00000002.2738823435.0000000000413000.00000040.00000400.00020000.00000000.sdmp, ABG Draft.scr.exe, 00000007.00000002.2742210284.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, iREediqoQIKIHt.exe, 0000000C.00000002.2740901826.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.64.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590632
Start date and time:	2025-01-14 11:53:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ABG Draft.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@16/11@2/2
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 99% Number of executed functions: 138 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target iREediqoQIKIHt.exe, PID 4620 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:54:21	API Interceptor	1x Sleep call for process: ABG Draft.scr.exe modified
05:54:23	API Interceptor	15x Sleep call for process: powershell.exe modified
05:54:24	API Interceptor	1x Sleep call for process: iREediqoQIKIHt.exe modified
11:54:23	Task Scheduler	Run new task: iREediqoQIKIHt path: C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.64.1	NVIDIAShare.exe.bin.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	bibaprog.ru/ProviderEternallineauthmultiTrackwordpressWpDownloads.php
	gem2.exe	Get hash	malicious	Unknown	Browse	securetextweb.cc/STB/c2VjdXJldGV4dHdlYg==M.txt
	SpCuEoekPa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/0pqe/
	4sfN3Gx1vO.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/w7eo/
	1162-201.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/utww/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	ordrr.statementquo.com/QCbxA/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	adsfirm.com/administrator/index.php
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.bser101pp.buzz/v89f/
158.101.44.242	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	3qr7JBuNuX.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
reallyfreegeoip.org	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	http://ubiquitous-twilight-c9292b.netlify.app/	Get hash	malicious	Unknown	Browse	129.213.176.209
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	trow.exe	Get hash	malicious	Unknown	Browse	147.154.3.56
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
CLOUDFLARENETUS	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	https://web.oncentrl.com/#/index/action?entityType=PUBLISHEDQUESTIONNAIRE&entityId=134955&actionType=PUBLISH&context=CLIENT_MGMT&recieverUserInfoId=68822	Get hash	malicious	Unknown	Browse	104.17.25.14
	random.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	https://akirapowered84501.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuG-142imNH	Get hash	malicious	Unknown	Browse	104.17.205.31
	https://clients.dedicatedservicesusa.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	Scanned-IMGS_from NomanGroup IDT.scr.exe	Get hash	malicious	FormBook	Browse	104.21.3.193
	Remittance.html	Get hash	malicious	Unknown	Browse	104.16.100.29
	http://binary-acceptance-hotel-difficult.trycloudflare.com	Get hash	malicious	Unknown	Browse	104.16.230.132
	random.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Ticketmaster #U00c2#U0156300 Cash2356899.pdf	Get hash	malicious	Unknown	Browse	162.159.61.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1

Process:	C:\Users\user\Desktop\ABG Draft.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\iREediqoQIKIHt.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379552885213346
Encrypted:	false
SSDEEP:	48:fWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMuge//YM0Uyus:fLHxvCZfIfSKRHmOug81s
MD5:	0EB29A7FC4C8A553D8AC2DF228D97FBF
SHA1:	AF6A65C9D095B89E537E58A3EDCB55377360AFB6
SHA-256:	B537CCAE0FEF3F1A924C837EF4C8336008CB6E1C9A46A53ADFDEB039A3CC9950
SHA-512:	CD4CA822AFAAF1FEF2C9031F73597BBE674DE299C8C1905993E80DE9F2D125FD1150F22E3FCD42E0518D968E07CA5DD641EFBF338CBB9AE659E3BC414CBCAABB
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3svell0f.wp3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fybau3r5.ifl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iq1ediny.jm3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xstf0pa4.bn3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpB486.tmp

Download File

Process:	C:\Users\user\Desktop\ABG Draft.scr.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1587
Entropy (8bit):	5.1136007774596495
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtJDxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTJ9v
MD5:	8DB5948B519189DC9CB36CB213BEC9E9
SHA1:	085DA93228E8ADBAF76A48D6625D61A723951889
SHA-256:	0F098F74DD498B61FAA2E83FB69A76D86ABB2AA88E8E12A717917871E4EB031D
SHA-512:	38B533BEA6F8465E0FAAFA8A5FB1A008AADA7A29285622EFAA7437748A2691E3C938C989193F10007A50671926E39CD45660E4D5D5E97864E8511C58C968ABFE
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpC1F4.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1587
Entropy (8bit):	5.1136007774596495
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtJDxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTJ9v
MD5:	8DB5948B519189DC9CB36CB213BEC9E9
SHA1:	085DA93228E8ADBAF76A48D6625D61A723951889
SHA-256:	0F098F74DD498B61FAA2E83FB69A76D86ABB2AA88E8E12A717917871E4EB031D
SHA-512:	38B533BEA6F8465E0FAAFA8A5FB1A008AADA7A29285622EFAA7437748A2691E3C938C989193F10007A50671926E39CD45660E4D5D5E97864E8511C58C968ABFE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe

Download File

Process:	C:\Users\user\Desktop\ABG Draft.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	564736
Entropy (8bit):	7.624555847672685
Encrypted:	false
SSDEEP:	12288:lYRxA4Y5lyA/BxSPCbay9Av5nibibCgSkFMqsDdNwOJ:qRQ98ibibCzkFBGNN
MD5:	C167BBA5692D0B8D8A958F62CB72FFA6
SHA1:	32EE66D6EFE2066C7A677BECDAC18806BE8DEE05
SHA-256:	4D7AE4A600FFEADB38636C294D14612029A0B76313FEFB6F27B606B2018B3400
SHA-512:	24BF06B5D749F47EDC20ABB5E4ED3FB4CBACDD908B1958A6175BD300920AF5F49CA428F534133BE37EE26C218F1AAC104B3041CE68195F2C778E3EDF8F1A6FD7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34% Antivirus: Virustotal, Detection: 28%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0................. ........@.. ....................................@.....................................O......................................p............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......hK..\=......9...................................................0..L.........}.....(.......(......(............s......(.....o......( ....o!.....(".....0..K.........}........(#........($.....,5...(............s......(.....o......(.....o!....8.....r...p.J...(%...o&...tJ.......('..........9.....s.........s(...s)...o.......o+...(,.......o-...(........o/...(0.......o1...(2.......o3...(4.......o5...(6.........(7.....(......+....s(...s)...(*........(8...........s......(..

C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\ABG Draft.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.624555847672685
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	ABG Draft.scr.exe
File size:	564'736 bytes
MD5:	c167bba5692d0b8d8a958f62cb72ffa6
SHA1:	32ee66d6efe2066c7a677becdac18806be8dee05
SHA256:	4d7ae4a600ffeadb38636c294d14612029a0b76313fefb6f27b606b2018b3400
SHA512:	24bf06b5d749f47edc20abb5e4ed3fb4cbacdd908b1958a6175bd300920af5f49ca428f534133be37ee26c218f1aac104b3041ce68195f2c778e3edf8f1a6fd7
SSDEEP:	12288:lYRxA4Y5lyA/BxSPCbay9Av5nibibCgSkFMqsDdNwOJ:qRQ98ibibCzkFBGNN
TLSH:	65C4F1582669EA03C49B0BB40862D3F867759ED9EA11C313DBE53EFFBC3AB461940351
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x48b3e6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB6D9DE95 [Sat Mar 19 03:40:05 2067 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
call far 0000h : 003E9999h
aas
int CCh
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8b393	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8c000	0x5e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x89bc4	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x893fc	0x89400	4c1d21731864f3048cc4aede436842e3	False	0.8941274618624773	data	7.633999684579492	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8c000	0x5e0	0x600	202c36bf2bfee42fd0998fa46593daaf	False	0.4322916666666667	data	4.164236603983435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8e000	0xc	0x200	d4e7a4b7a017e8957fe283e263ba3ff2	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8c090	0x350	data			0.4257075471698113
RT_MANIFEST	0x8c3f0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T11:54:25.208969+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49709	158.101.44.242	80	TCP
2025-01-14T11:54:27.693418+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49713	158.101.44.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 11:54:24.308660030 CET	49709	80	192.168.2.8	158.101.44.242
Jan 14, 2025 11:54:24.314234018 CET	80	49709	158.101.44.242	192.168.2.8
Jan 14, 2025 11:54:24.314327955 CET	49709	80	192.168.2.8	158.101.44.242
Jan 14, 2025 11:54:24.314596891 CET	49709	80	192.168.2.8	158.101.44.242
Jan 14, 2025 11:54:24.319891930 CET	80	49709	158.101.44.242	192.168.2.8
Jan 14, 2025 11:54:24.981558084 CET	80	49709	158.101.44.242	192.168.2.8
Jan 14, 2025 11:54:25.002294064 CET	49709	80	192.168.2.8	158.101.44.242
Jan 14, 2025 11:54:25.007165909 CET	80	49709	158.101.44.242	192.168.2.8
Jan 14, 2025 11:54:25.159398079 CET	80	49709	158.101.44.242	192.168.2.8
Jan 14, 2025 11:54:25.177263975 CET	49711	443	192.168.2.8	104.21.64.1
Jan 14, 2025 11:54:25.177309036 CET	443	49711	104.21.64.1	192.168.2.8
Jan 14, 2025 11:54:25.177423954 CET	49711	443	192.168.2.8	104.21.64.1
Jan 14, 2025 11:54:25.184967041 CET	49711	443	192.168.2.8	104.21.64.1
Jan 14, 2025 11:54:25.184992075 CET	443	49711	104.21.64.1	192.168.2.8
Jan 14, 2025 11:54:25.208969116 CET	49709	80	192.168.2.8	158.101.44.242
Jan 14, 2025 11:54:25.659466982 CET	443	49711	104.21.64.1	192.168.2.8
Jan 14, 2025 11:54:25.659682989 CET	49711	443	192.168.2.8	104.21.64.1
Jan 14, 2025 11:54:25.664522886 CET	49711	443	192.168.2.8	104.21.64.1
Jan 14, 2025 11:54:25.664541006 CET	443	49711	104.21.64.1	192.168.2.8
Jan 14, 2025 11:54:25.664971113 CET	443	49711	104.21.64.1	192.168.2.8
Jan 14, 2025 11:54:25.711338997 CET	49711	443	192.168.2.8	104.21.64.1
Jan 14, 2025 11:54:25.738092899 CET	49711	443	192.168.2.8	104.21.64.1
Jan 14, 2025 11:54:25.783381939 CET	443	49711	104.21.64.1	192.168.2.8
Jan 14, 2025 11:54:25.844933987 CET	443	49711	104.21.64.1	192.168.2.8
Jan 14, 2025 11:54:25.845088005 CET	443	49711	104.21.64.1	192.168.2.8
Jan 14, 2025 11:54:25.845300913 CET	49711	443	192.168.2.8	104.21.64.1
Jan 14, 2025 11:54:25.851104975 CET	49711	443	192.168.2.8	104.21.64.1
Jan 14, 2025 11:54:26.920028925 CET	49713	80	192.168.2.8	158.101.44.242
Jan 14, 2025 11:54:26.925024033 CET	80	49713	158.101.44.242	192.168.2.8
Jan 14, 2025 11:54:26.925143957 CET	49713	80	192.168.2.8	158.101.44.242
Jan 14, 2025 11:54:26.925420046 CET	49713	80	192.168.2.8	158.101.44.242
Jan 14, 2025 11:54:26.931196928 CET	80	49713	158.101.44.242	192.168.2.8
Jan 14, 2025 11:54:27.485505104 CET	80	49713	158.101.44.242	192.168.2.8
Jan 14, 2025 11:54:27.488853931 CET	49713	80	192.168.2.8	158.101.44.242
Jan 14, 2025 11:54:27.493778944 CET	80	49713	158.101.44.242	192.168.2.8
Jan 14, 2025 11:54:27.641771078 CET	80	49713	158.101.44.242	192.168.2.8
Jan 14, 2025 11:54:27.643770933 CET	49714	443	192.168.2.8	104.21.64.1
Jan 14, 2025 11:54:27.643799067 CET	443	49714	104.21.64.1	192.168.2.8
Jan 14, 2025 11:54:27.643847942 CET	49714	443	192.168.2.8	104.21.64.1
Jan 14, 2025 11:54:27.648272991 CET	49714	443	192.168.2.8	104.21.64.1
Jan 14, 2025 11:54:27.648304939 CET	443	49714	104.21.64.1	192.168.2.8
Jan 14, 2025 11:54:27.693418026 CET	49713	80	192.168.2.8	158.101.44.242
Jan 14, 2025 11:54:28.123198986 CET	443	49714	104.21.64.1	192.168.2.8
Jan 14, 2025 11:54:28.123260975 CET	49714	443	192.168.2.8	104.21.64.1
Jan 14, 2025 11:54:28.124676943 CET	49714	443	192.168.2.8	104.21.64.1
Jan 14, 2025 11:54:28.124686003 CET	443	49714	104.21.64.1	192.168.2.8
Jan 14, 2025 11:54:28.124955893 CET	443	49714	104.21.64.1	192.168.2.8
Jan 14, 2025 11:54:28.175993919 CET	49714	443	192.168.2.8	104.21.64.1
Jan 14, 2025 11:54:28.223334074 CET	443	49714	104.21.64.1	192.168.2.8
Jan 14, 2025 11:54:28.304404020 CET	443	49714	104.21.64.1	192.168.2.8
Jan 14, 2025 11:54:28.304471016 CET	443	49714	104.21.64.1	192.168.2.8
Jan 14, 2025 11:54:28.304670095 CET	49714	443	192.168.2.8	104.21.64.1
Jan 14, 2025 11:54:28.307292938 CET	49714	443	192.168.2.8	104.21.64.1
Jan 14, 2025 11:55:30.163131952 CET	80	49709	158.101.44.242	192.168.2.8
Jan 14, 2025 11:55:30.163357973 CET	49709	80	192.168.2.8	158.101.44.242
Jan 14, 2025 11:55:32.641453981 CET	80	49713	158.101.44.242	192.168.2.8
Jan 14, 2025 11:55:32.641547918 CET	49713	80	192.168.2.8	158.101.44.242
Jan 14, 2025 11:56:05.162612915 CET	49709	80	192.168.2.8	158.101.44.242
Jan 14, 2025 11:56:05.168994904 CET	80	49709	158.101.44.242	192.168.2.8
Jan 14, 2025 11:56:07.647336960 CET	49713	80	192.168.2.8	158.101.44.242
Jan 14, 2025 11:56:07.652301073 CET	80	49713	158.101.44.242	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 11:54:24.283154011 CET	62654	53	192.168.2.8	1.1.1.1
Jan 14, 2025 11:54:24.290460110 CET	53	62654	1.1.1.1	192.168.2.8
Jan 14, 2025 11:54:25.162496090 CET	56393	53	192.168.2.8	1.1.1.1
Jan 14, 2025 11:54:25.175626040 CET	53	56393	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 11:54:24.283154011 CET	192.168.2.8	1.1.1.1	0xc4f	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:25.162496090 CET	192.168.2.8	1.1.1.1	0xb524	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 11:54:24.290460110 CET	1.1.1.1	192.168.2.8	0xc4f	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 11:54:24.290460110 CET	1.1.1.1	192.168.2.8	0xc4f	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:24.290460110 CET	1.1.1.1	192.168.2.8	0xc4f	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:24.290460110 CET	1.1.1.1	192.168.2.8	0xc4f	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:24.290460110 CET	1.1.1.1	192.168.2.8	0xc4f	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:24.290460110 CET	1.1.1.1	192.168.2.8	0xc4f	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:25.175626040 CET	1.1.1.1	192.168.2.8	0xb524	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:25.175626040 CET	1.1.1.1	192.168.2.8	0xb524	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:25.175626040 CET	1.1.1.1	192.168.2.8	0xb524	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:25.175626040 CET	1.1.1.1	192.168.2.8	0xb524	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:25.175626040 CET	1.1.1.1	192.168.2.8	0xb524	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:25.175626040 CET	1.1.1.1	192.168.2.8	0xb524	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:25.175626040 CET	1.1.1.1	192.168.2.8	0xb524	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49709	158.101.44.242	80	2300	C:\Users\user\Desktop\ABG Draft.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 11:54:24.314596891 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 11:54:24.981558084 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:54:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 29b54b76447e102811df7c70287a47b6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 11:54:25.002294064 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 11:54:25.159398079 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:54:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d78680173f2cb1f033b61a60c05f4e14 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49713	158.101.44.242	80	4620	C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 11:54:26.925420046 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 11:54:27.485505104 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:54:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9e8c0d801d04ad88c350769a83c67ede Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 11:54:27.488853931 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 11:54:27.641771078 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:54:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a6aa0a99cebd629ba7fd944a874da093 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49711	104.21.64.1	443	2300	C:\Users\user\Desktop\ABG Draft.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 10:54:25 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 10:54:25 UTC	855	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:54:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2166854 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CGA3VDvIvaUjUbBkPRL6pKbPa5AG%2F%2FeuX1xOCMMHI5cvtpRJ39PTmwoTZHj1WVhrwBuMqrulVg1QYVIj1T%2BxB4vwIjegYvYpJSyd8ZolCl6wxlFtR1YGxL0YVV2Gtl8sNm0Ztvxs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901d16833eb2c358-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1552&min_rtt=1544&rtt_var=595&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1814791&cwnd=155&unsent_bytes=0&cid=6d57614d484bb7e5&ts=201&x=0"
2025-01-14 10:54:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49714	104.21.64.1	443	4620	C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 10:54:28 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 10:54:28 UTC	861	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:54:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2166857 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=orZSCSNcl%2F1fQGK4SuNBXjzoUI51%2BDKvqlXmRwCo6iq3DRKXzqnvRM%2FN8L5oGrfgjfPk9aj7mq21RIcgR%2BBOA05szbJmM3BBOf%2Fu6QAEnYVsaa9yJSc8f4bh%2FcfleVzdZweLT5yY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901d16928dc28ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1989&min_rtt=1986&rtt_var=752&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1449131&cwnd=168&unsent_bytes=0&cid=8092621cde159710&ts=186&x=0"
2025-01-14 10:54:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	05:54:20
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\ABG Draft.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ABG Draft.scr.exe"
Imagebase:	0x7f0000
File size:	564'736 bytes
MD5 hash:	C167BBA5692D0B8D8A958F62CB72FFA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1523651797.0000000005360000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1521553796.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1521553796.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1520502704.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:54:21
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe"
Imagebase:	0x170000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:54:21
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:54:21
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpB486.tmp"
Imagebase:	0x140000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:54:21
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:54:22
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\ABG Draft.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ABG Draft.scr.exe"
Imagebase:	0x930000
File size:	564'736 bytes
MD5 hash:	C167BBA5692D0B8D8A958F62CB72FFA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2742210284.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	05:54:23
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe
Imagebase:	0xb90000
File size:	564'736 bytes
MD5 hash:	C167BBA5692D0B8D8A958F62CB72FFA6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.1547273899.0000000002FCB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 34%, ReversingLabs Detection: 28%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:54:24
Start date:	14/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	05:54:25
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iREediqoQIKIHt" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F4.tmp"
Imagebase:	0x140000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:54:25
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:54:25
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe"
Imagebase:	0xd30000
File size:	564'736 bytes
MD5 hash:	C167BBA5692D0B8D8A958F62CB72FFA6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2740901826.0000000003194000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	33
Total number of Limit Nodes:	5

Executed Functions

Function 00F57018 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519274412.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e84fe0877758c9f7829e71d80c9bb294f18a786bc4f9a1c5f9deda0e383fc56b
Instruction ID: 37c3b7c6cfc4eec14b7b0575c857f8f73fd9ff4bb5503b55006c2cfc684e0103
Opcode Fuzzy Hash: e84fe0877758c9f7829e71d80c9bb294f18a786bc4f9a1c5f9deda0e383fc56b
Instruction Fuzzy Hash: 4C81A274E002089FDB15DFAAD994A9DBBF2FF88300F20812AE819A7365DB346D45DF50

Function 00F54204 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519274412.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0ebecc95dece947bec2e5a54e63396c44cfed0677a4f76aa896fe50d96f03a
Instruction ID: e69c56fa13ad9d05eb586d501340e8bd0d56e68406ef8ea223330e4fb0177a6d
Opcode Fuzzy Hash: 8e0ebecc95dece947bec2e5a54e63396c44cfed0677a4f76aa896fe50d96f03a
Instruction Fuzzy Hash: 62819074E002189FDB15DFAAD994A9DBBF2FF88301F20812AE819A7365DB306D45DF40

Function 00F5D369 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00F5D3F6
GetCurrentThread.KERNEL32 ref: 00F5D433
GetCurrentProcess.KERNEL32 ref: 00F5D470
GetCurrentThreadId.KERNEL32 ref: 00F5D4C9

Memory Dump Source

Source File: 00000000.00000002.1519274412.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ABG Draft.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a0205a7becd0776aa36f4e16154cb6e0222d0fb2e697001b37c1a5bcad38ee3b
Instruction ID: 513287b0837fbe4ce2c2aacba14e11db69bf317a0833d9ff98cb633a81d23e08
Opcode Fuzzy Hash: a0205a7becd0776aa36f4e16154cb6e0222d0fb2e697001b37c1a5bcad38ee3b
Instruction Fuzzy Hash: B95188B090134A8FEB14DFA9D54879EBBF1BF88315F20805AE408A72A1D7746944CF66

Function 00F5D378 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00F5D3F6
GetCurrentThread.KERNEL32 ref: 00F5D433
GetCurrentProcess.KERNEL32 ref: 00F5D470
GetCurrentThreadId.KERNEL32 ref: 00F5D4C9

Memory Dump Source

Source File: 00000000.00000002.1519274412.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ABG Draft.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1ed0cdfa2da18201fc77a815c8aeeca54c7607925186ab74c9b73584eb33ac45
Instruction ID: a397d287a2bb9faf050ab965febfc609e31c9b3a0c7c1b1b32d0daec1bd15944
Opcode Fuzzy Hash: 1ed0cdfa2da18201fc77a815c8aeeca54c7607925186ab74c9b73584eb33ac45
Instruction Fuzzy Hash: F15157B090134A8FEB14DFAAD548B9EBBF1FF88315F208159E409A7260DB746944CF66

Function 00F5B3B1 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00F5B626

Memory Dump Source

Source File: 00000000.00000002.1519274412.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ABG Draft.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: dc7300b3bfcceb98e4852d9b9806fbe7eb659b404a815d137bdd6fd383284035
Instruction ID: 2f81471aeadfb04c9583e2bd4538a67d3de55df6c2cfbcf1c3f9e28ebdacd81d
Opcode Fuzzy Hash: dc7300b3bfcceb98e4852d9b9806fbe7eb659b404a815d137bdd6fd383284035
Instruction Fuzzy Hash: A6817970A00B458FD724DF29D4417AABBF1FF88311F10892EE98ACBA51D774E849CB91

Function 00F5590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00F559C9

Memory Dump Source

Source File: 00000000.00000002.1519274412.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ABG Draft.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ec923a67326fc6fdec86cdc74d80a0caba61e611ea000cdeb46f63c7d8cfcdfc
Instruction ID: 14b5ff2166d43eea695ae7aee7bcc5f7053d11949cb07e105abcc49ebfca3ecc
Opcode Fuzzy Hash: ec923a67326fc6fdec86cdc74d80a0caba61e611ea000cdeb46f63c7d8cfcdfc
Instruction Fuzzy Hash: 114111B1C00719CFDB24CFA9C8847CEBBB1BF89714F20816AD508AB251DB75594ACF50

Function 00F544F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00F559C9

Memory Dump Source

Source File: 00000000.00000002.1519274412.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ABG Draft.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 73d63127f8a27ca5b26a21fa95822bf30bbbee1307fc8a5098df9e2c292b4655
Instruction ID: 1406f313675e8bd586c440358a1cd49ddc3fe67b4022fefc94db091831ba8c9e
Opcode Fuzzy Hash: 73d63127f8a27ca5b26a21fa95822bf30bbbee1307fc8a5098df9e2c292b4655
Instruction Fuzzy Hash: 2A41C1B1C00719CFDB24DFAAC88478EBBB5BF89714F20816AD508AB251DB756949CF90

Function 00F5D9C8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F5DA4F

Memory Dump Source

Source File: 00000000.00000002.1519274412.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ABG Draft.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ca6e926430cf3fd4027fe3bd23236058e2b41ed155f476711a5ec5029d21b642
Instruction ID: 44dc727936347e493be6ee8c73fcb29c68bbf645633c171b2107e3ebb0dff6f4
Opcode Fuzzy Hash: ca6e926430cf3fd4027fe3bd23236058e2b41ed155f476711a5ec5029d21b642
Instruction Fuzzy Hash: D121E6B5D012499FDB10CFAAD884ADEBBF4FB48310F14801AE914A3350D378A944CF60

Function 00F5D9C1 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F5DA4F

Memory Dump Source

Source File: 00000000.00000002.1519274412.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ABG Draft.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 414b5f4b444b3c59dc296a090f0b1dcb4de0318019cd281238e85fd7f0480948
Instruction ID: 667ae81883ba818a5768cf1feedb13e6dfa4c3322e2b3cf54fa3a2fa565454eb
Opcode Fuzzy Hash: 414b5f4b444b3c59dc296a090f0b1dcb4de0318019cd281238e85fd7f0480948
Instruction Fuzzy Hash: 632114B5C012489FDB10CFA9D584ADEBBF4FB48320F14801AE918A3310D378A944CF60

Function 00F5B5C0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00F5B626

Memory Dump Source

Source File: 00000000.00000002.1519274412.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ABG Draft.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 50253ea93e6d8213b842d4be2a04dbebb2e1139baafd83f920e38bb1c264f20c
Instruction ID: e77546b69423d82707e7557da4c8f2dea4cd91430a456280f970839c26b8bbfc
Opcode Fuzzy Hash: 50253ea93e6d8213b842d4be2a04dbebb2e1139baafd83f920e38bb1c264f20c
Instruction Fuzzy Hash: 6C1110B6C003498FDB20DF9AC844BDEFBF4AF88320F10845AD918A7200C379A545CFA1

Function 009ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517755845.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f955ccfc89124708ee6f774905278643fcfc98ed9580200058924ebb21795a6
Instruction ID: dddb1ee919c36375defc8807dbe4545b1922da127cab7e6cf9cc4deed493702b
Opcode Fuzzy Hash: 0f955ccfc89124708ee6f774905278643fcfc98ed9580200058924ebb21795a6
Instruction Fuzzy Hash: 2C214875104384DFDB02DF00D9C0B16BB65FBA8324F20C569E8090B2E6D33AEC46CBA2

Function 009FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517915983.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fd000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c7e39a07b50d183d0115bd833a8db090e37df8285a7ea5a548295823a70d75
Instruction ID: 6b805e98bc9a1814c123d826c37064a68cf7385c5d618a08cdc889bed3008c99
Opcode Fuzzy Hash: f7c7e39a07b50d183d0115bd833a8db090e37df8285a7ea5a548295823a70d75
Instruction Fuzzy Hash: 6C212575604308DFDB14DF10D884B26BB66FB84314F28C96DDA094B386CB3AD807CB62

Function 009FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517915983.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fd000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0bb944c752b5c79f2ebcf2b7983df2e08c8a4f3b18059a6a0bf262968d3bc97
Instruction ID: cf4fa172ca65ad4bd9f37f2e92443564128a6336896a42c72618091f6cd6604d
Opcode Fuzzy Hash: c0bb944c752b5c79f2ebcf2b7983df2e08c8a4f3b18059a6a0bf262968d3bc97
Instruction Fuzzy Hash: FD213771604308DFDB05DF10D9C4B26BB66FB84314F20C96DDA094B282C33AD806CBA1

Function 009FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517915983.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fd000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766777ee6ece6f2d7e8fdec654c9deb42e29ae8b16cdd3d8615ba35cd78edec6
Instruction ID: ff37008ac0d0da6faa63146b517b53c44bb9453dffed03952d9ad917b4a95dda
Opcode Fuzzy Hash: 766777ee6ece6f2d7e8fdec654c9deb42e29ae8b16cdd3d8615ba35cd78edec6
Instruction Fuzzy Hash: F2219F755093C48FCB02CF24D990715BF72EB46314F28C5EAD9498F2A7C33A980ACB62

Function 009ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517755845.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: dea5ca5eda1ac3e0555d5ba761075546604c3931bb53577c74ea3363560f0229
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 60112676504280DFCB02CF00D5C0B16BF72FBA4324F24C2A9D8090B2A7C33AE856CBA1

Function 009FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517915983.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fd000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: 5793a618827610200e6f29f65f391ef7036bdcac8de7e3ae50244507f6fb40c6
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 6311DD75504284DFDB02CF10C5C0B25FBB2FB84324F24C6AED9494B296C33AD81ACBA1

Function 009ED745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517755845.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938ca0bbb19f5b3e15a4ba93b2681686e73b18a9093a5128fbe072b6d43ab935
Instruction ID: 143daff22fd92287c9243ca4ef3f6f9701257d6cb8c8909f2e8824988bae82c1
Opcode Fuzzy Hash: 938ca0bbb19f5b3e15a4ba93b2681686e73b18a9093a5128fbe072b6d43ab935
Instruction Fuzzy Hash: 3201A7B10053849AE7215B16CDC4B67BF9CDF41725F18C51AED194A286D77E9C40CB71

Function 009ED744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517755845.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a079f8f8dfb2952c2f038755650da8714ffe3b6114a131bda6428fe24e907d
Instruction ID: 917951e0b8bf4003b5a12f1fb1134a0d74fe7af3115d6a5196e9beaf6eb67bfd
Opcode Fuzzy Hash: b1a079f8f8dfb2952c2f038755650da8714ffe3b6114a131bda6428fe24e907d
Instruction Fuzzy Hash: 0EF062714053849EE7119F16C884B62FF9CEB51734F18C55AED484A286C2799C44CBB1

Non-executed Functions

Function 00F5D8EC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519274412.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3303c6f0d45b0c28932c626807c598c0ce97f47079b5b2e8821e714360fa9f48
Instruction ID: 92751eb860739a92c0c62ff77f43d6269d20eddc3b8f3e21a750fdc6663f32ea
Opcode Fuzzy Hash: 3303c6f0d45b0c28932c626807c598c0ce97f47079b5b2e8821e714360fa9f48
Instruction Fuzzy Hash: 49A1AE32E002098FCF15DFB4C8405DEBBB2FF85311B2585BAE905AB261DB35E94ADB40

Analysis Process: ABG Draft.scr.exePID: 2300, Parent PID: 1632COMMON

Execution Graph

Execution Coverage:	13.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	19.3%
Total number of Nodes:	57
Total number of Limit Nodes:	8

Executed Functions

Function 00FEC530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 00FEF910

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: e82aa4434fe356533ba19eb4fa34171454c667d85019f47e2ebfd0d5f6e29290
Instruction ID: 0f898c3636760e1521bfe9b3deddaea788cb272eb6476a3301b02ccc1677f250
Opcode Fuzzy Hash: e82aa4434fe356533ba19eb4fa34171454c667d85019f47e2ebfd0d5f6e29290
Instruction Fuzzy Hash: 1073D431D1075A8EDB21EF68C854A99F7B1FF99310F11C69AE44877261EB70AAC4CF81

Function 052F0AB8 Relevance: 3.5, APIs: 2, Instructions: 528
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 052F0D70

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 204224ee1f9bc6594438cf6a3102d341cc4098901c252ad42f785a10efc02ee7
Instruction ID: ee91054269b3bb3380ed241048a6e590b1656c0644a1d8aedb34806ad34f526a
Opcode Fuzzy Hash: 204224ee1f9bc6594438cf6a3102d341cc4098901c252ad42f785a10efc02ee7
Instruction Fuzzy Hash: 23222774E10219CFDB14DFA8D884BAEFBB2BF88304F5481A9D509AB355DB359D82CB50

Function 052F0CD8 Relevance: 1.6, APIs: 1, Instructions: 88
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 052F0D70

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f80052fe1753ad2b94cfac1faee4da1b22198b8a1c2c9dba9a15785e4bbdf22
Instruction ID: f1b71726004bd80b2d6005feab06c74e11d54bc30741b735696ed375f6db6ed7
Opcode Fuzzy Hash: 3f80052fe1753ad2b94cfac1faee4da1b22198b8a1c2c9dba9a15785e4bbdf22
Instruction Fuzzy Hash: 683116B1D11618DBEB18CFAAD8887DDFBF2BF88314F14C16AE419A72A4DB701945CB00

Function 00FE27B9 Relevance: .7, Instructions: 694
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee3a1ce8149a36c01b3816f2d3ce43d8b10b5fdcf62b49cbc3d46c4b6eda289
Instruction ID: 85b3ef58c55b15ab2e20ba54e6ab9d1121d0baef705af793de10387ce70ec12c
Opcode Fuzzy Hash: bee3a1ce8149a36c01b3816f2d3ce43d8b10b5fdcf62b49cbc3d46c4b6eda289
Instruction Fuzzy Hash: 4C224953B5C1C48ED7178B748AA82803FA3EEAB52E7BC10CDD8C36B567E6051987E315

Function 052F5AD8 Relevance: .3, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b60d41608ccb9440c9f18480a0e7b78c6eccc40866db5a4cc7b2ce0345b351d
Instruction ID: 44bd4193a592e04cf24e9ebfffdf02cbf2c36bac3dcf01ee3bd5328f36947ad5
Opcode Fuzzy Hash: 6b60d41608ccb9440c9f18480a0e7b78c6eccc40866db5a4cc7b2ce0345b351d
Instruction Fuzzy Hash: 8AE1C174E01218CFEB24DFA5D844B9DBBB2BF89304F2081A9E809A7395DB755E85CF50

Function 00FE9480 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad8782bee7b12c470d282fc10bae8633fe6d3aff269e0b1e20055fb3558c5dd
Instruction ID: ef5b54c47df9ab1449b1d3aeb5f8ce8d666f4b29fa3af2b8389507a4f4d241d5
Opcode Fuzzy Hash: 0ad8782bee7b12c470d282fc10bae8633fe6d3aff269e0b1e20055fb3558c5dd
Instruction Fuzzy Hash: D9C1CF78E01218CFDB14DFA5C994B9DBBB2BF88301F2085A9E809A7354DB359E85DF10

Function 00FEC521 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d379ed2771c95e37b5c9ab82208077194161f5c221b349e9daeb01940739579c
Instruction ID: 658cce0ca5f61c0e8d24c478190bae9c2a081735d5ccb4174a7a3dc398263ae4
Opcode Fuzzy Hash: d379ed2771c95e37b5c9ab82208077194161f5c221b349e9daeb01940739579c
Instruction Fuzzy Hash: 34A11671D106598FDB14DFA9C8447DDFBB1EF89300F14C6AAE448A7260EB70AA85CF81

Function 00FE9A30 Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2e65d7ba0592fef6441aa9987829248fc5ec66734c2d687b36b46eb5b8b864
Instruction ID: 6d927da96ab2c8abf6d4082d44067157fba383a43042be53e7cedb6fad02e84b
Opcode Fuzzy Hash: 1a2e65d7ba0592fef6441aa9987829248fc5ec66734c2d687b36b46eb5b8b864
Instruction Fuzzy Hash: 02A1F370D00208CFEB24DFA9C858B9DBBB1FF89314F208269E409A7391DB759985CF65

Function 00FE9D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d06c2b212be10309f30738aedc57eca62005530167127b1f6aa3a4d97b0f6b
Instruction ID: ab7c166a3ce26d6945a1416c8c728069b1d15dbfdb0d7cd1caeb6a5d66aa7ef5
Opcode Fuzzy Hash: b8d06c2b212be10309f30738aedc57eca62005530167127b1f6aa3a4d97b0f6b
Instruction Fuzzy Hash: DB91D470D04258CFEB20DFA9C8487DDBBB1FF49314F208259E509AB291DBB59985CF64

Function 00FE946F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3270c0ac3fba25cc840d0c7bd6b17d1c608d7bca7bbbf1f851e7be5c4710637
Instruction ID: ef12fe71f2bee5b44c08347abb25a0caff3fcb815f044e95ef15de6e6a48d544
Opcode Fuzzy Hash: f3270c0ac3fba25cc840d0c7bd6b17d1c608d7bca7bbbf1f851e7be5c4710637
Instruction Fuzzy Hash: 3B410174D01248CBEB18CFAAD85479EFBF2AF88300F24C12AD815AB368EB754945CF50

Function 00FEAD3D Relevance: 1.8, Strings: 1, Instructions: 505
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00FEB065

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fc29b554e61832ba95340b8124b22b0aa4b7851098910767effec235e6df0210
Instruction ID: 29cbab119ffc2cc0fcfdc72d78b5411f419fb654d9d1f690f6b9a71b6c191ab6
Opcode Fuzzy Hash: fc29b554e61832ba95340b8124b22b0aa4b7851098910767effec235e6df0210
Instruction Fuzzy Hash: 3081B530F002449FDB1A6F75985836F7B92AF85335F24862AE6269B3D0CF399D01D791

Function 052F10BC Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 052F11FE

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aca3863fa27d07a49ff52f655153229c4f328f80994a6e76938793d188d7aa99
Instruction ID: f6ba9dda74fa318e196379f0443ecd4e97869bf497469cbdd8a6658b45af4ed3
Opcode Fuzzy Hash: aca3863fa27d07a49ff52f655153229c4f328f80994a6e76938793d188d7aa99
Instruction Fuzzy Hash: 48114A74E10109DBDB18DBA8E884AAEF7B5FF88304F548164E908E7245D771AC51CB50

Function 00FE19B8 Relevance: .3, Instructions: 321
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eabab725e58ee477138efd545e9e06a5219e86dcbb0b79e95c1231ae08e26715
Instruction ID: 70a5dc5f128ebff154ed210eda639b85be657a1ec3b0af71e2ea02ca8c56be8d
Opcode Fuzzy Hash: eabab725e58ee477138efd545e9e06a5219e86dcbb0b79e95c1231ae08e26715
Instruction Fuzzy Hash: 0DB1C232E482D94ECB168B7989803DD7F63FF9B208FA850D9D08667155DB304E87D781

Function 00FE0B20 Relevance: .2, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5287c1cb34301da40d4e16d1e0114e51e5926aa3914bd97228148b993912354
Instruction ID: effba851df5793af6ca59e059b2ef7fdd3f35964b078f2daf3b440260cdd7fe7
Opcode Fuzzy Hash: a5287c1cb34301da40d4e16d1e0114e51e5926aa3914bd97228148b993912354
Instruction Fuzzy Hash: 75A1FC74A01359CFCB45EFA8E894A9DBBB2FF88701B104529E405EB369DB306D56CF81

Function 00FE0B30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a5b43217e443bbeaa8777344349d454cb5e3ba0eafd47cd8c38a14544ac6f2
Instruction ID: 8c22e1e3d8f50cace654cb69f6005ca316087048de1b789429afeaa3858cb876
Opcode Fuzzy Hash: 35a5b43217e443bbeaa8777344349d454cb5e3ba0eafd47cd8c38a14544ac6f2
Instruction Fuzzy Hash: 22A1FA74A01359CFCB45EFA8E894A9DBBB6FB88701B104529E405EB369DB306D52CF81

Function 00FEBF6F Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b858eea1ddf3f23152b23120b2294a486894586aa3cb9211addb0eec77ec64f
Instruction ID: 996353331415adc36a72dfef09d8605220085fbb9b66b4bb256a6d353c052b5e
Opcode Fuzzy Hash: 3b858eea1ddf3f23152b23120b2294a486894586aa3cb9211addb0eec77ec64f
Instruction Fuzzy Hash: 14511576B04245DFC714CA6ADC84A6BBBA9EBC9730F14853EF659C7750D631EC0287A0

Function 00FEB790 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7049b0af87284aa51d6d37f2735eebc4b825ddde895154f1b2e274d93c520f1
Instruction ID: 12e7d6f552bb8ad7507d9bcf410de586b11e1eced672cd41dacb214ea60d981f
Opcode Fuzzy Hash: d7049b0af87284aa51d6d37f2735eebc4b825ddde895154f1b2e274d93c520f1
Instruction Fuzzy Hash: 13514C75A002088FCB05DB69D884E9EBBB6FF89330F194195E501EB361CB71ED41DBA1

Function 00FE3F78 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab10db11c24dc16e3f9ec8754134614879e6e1722aa823f89b36dcd3444b247
Instruction ID: ae9996170acd18e9d419fadb6cffa0ee11e8662950df45ac8a69462834e125e3
Opcode Fuzzy Hash: cab10db11c24dc16e3f9ec8754134614879e6e1722aa823f89b36dcd3444b247
Instruction Fuzzy Hash: EB51FA74E00248DFDB48DFAAD484A9DBBF2BF89310F208429E915BB364DB74A945DF50

Function 00FEBC98 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc91138381f69065f968696e126c61cdc7dc090d491c7eca1fe655a69d3508ec
Instruction ID: d21800738153a7fd849705b7912574f2fddaa7315946a73f31fe9a38eb1833ed
Opcode Fuzzy Hash: dc91138381f69065f968696e126c61cdc7dc090d491c7eca1fe655a69d3508ec
Instruction Fuzzy Hash: 66319E31A002089FCB08EFB9DC556AE7BAAEF89300F544479E509D7351DE399E029BA0

Function 00FE3168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826e9be0fc03e69eb78f11a1acb1915a856295b9892c4b43ec597fafe6ca28a6
Instruction ID: 2e5ff845f6af3c8f85919f210ac8a528f8199dbc50303e40fa4eb0c8d39cf341
Opcode Fuzzy Hash: 826e9be0fc03e69eb78f11a1acb1915a856295b9892c4b43ec597fafe6ca28a6
Instruction Fuzzy Hash: E341B374E01248DFCB08DFAAD884A9DBBF2BF89310F249529E805BB364DB349941DF14

Function 00FE9249 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89946ecdad630169db055d507ef4e2d81a26627a1b909dbf9f85f6c9e570cdb2
Instruction ID: 74983030e1e3b2db30ee64095d66da0ae974e10b4c1cffb5c00b346854f03c3b
Opcode Fuzzy Hash: 89946ecdad630169db055d507ef4e2d81a26627a1b909dbf9f85f6c9e570cdb2
Instruction Fuzzy Hash: 5631C330CA230B9FDA122B21A5AD33ABBB4FF0F31BF446E00E91E805118B721864CA14

Function 00FEB869 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842a1d75030c08ba5974ebf5de310de60abeca04bc8d88d120da8063b5afac33
Instruction ID: 1e9f7da949a2064a1f617b972057130b6219b600d633336b522b5f52a9fa1ed7
Opcode Fuzzy Hash: 842a1d75030c08ba5974ebf5de310de60abeca04bc8d88d120da8063b5afac33
Instruction Fuzzy Hash: 77310735B002098FDB45DBA9C880E9EBBB2BF88730F155155E905AF362CB71ED419BA1

Function 00FEB89D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0fa85f1bf18ae1eeb19e529750b7778dcabedeb1923b3442bb2619cca73d1b7
Instruction ID: 9b5207c505120bdae0428b723f57144fdf626ca4867b00c33e6bb3ab9f907865
Opcode Fuzzy Hash: c0fa85f1bf18ae1eeb19e529750b7778dcabedeb1923b3442bb2619cca73d1b7
Instruction Fuzzy Hash: 49311835B002098FDB45DBA9C880E9EBBB2BFC8730F155155E905AF362CB71EC419BA1

Function 00FEBDD9 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db7a64e0779a5fffec0f6b1eae5de08bb83b84d02d0d08c28a79c30be6ed1084
Instruction ID: 9d0e78db28d488e56265a248ed836d00c35427c0b7dd03a8c8818aa21b928b68
Opcode Fuzzy Hash: db7a64e0779a5fffec0f6b1eae5de08bb83b84d02d0d08c28a79c30be6ed1084
Instruction Fuzzy Hash: F921D131A002489FCB18EF79C8517AFBBB6EF85310F248429E54687391DF359E11D790

Function 00F5D005 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2739894374.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f5d000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0bec2e4e75ebb3f3962a5fe7623531f45179b49cd1a9e30998369f927e750b
Instruction ID: cce22d41c0a4ff2519eabcea0efe87df649b6aec0354e6654bc45d93469ed9e9
Opcode Fuzzy Hash: ed0bec2e4e75ebb3f3962a5fe7623531f45179b49cd1a9e30998369f927e750b
Instruction Fuzzy Hash: 35317E7550E3C49FC713CB24C890711BF71AF46214F29C5EBD9898F2A7C23A980ACB62

Function 00FE18C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c932392c21de75410134e7bd53cc928e545a4e69cadae6b1b995243fb529a71
Instruction ID: 4c2bedcd4a2eb328d2197de8eccbf88085b6fb5c3efc90db6eef02f1d665064f
Opcode Fuzzy Hash: 2c932392c21de75410134e7bd53cc928e545a4e69cadae6b1b995243fb529a71
Instruction Fuzzy Hash: D721A176A00146DFCB14DB25C450AAE37A5FB99360B14C519E8099B344EB32EE46DBD1

Function 00F5D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2739894374.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f5d000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc154f4ec818e00766a181a3a551663424c23424a1c760da4958abb48a46fc40
Instruction ID: fbba24fdc19c66fa1ebdb28d2c0f792ec7ebfcc830b91cfa43eda8d954660cd6
Opcode Fuzzy Hash: cc154f4ec818e00766a181a3a551663424c23424a1c760da4958abb48a46fc40
Instruction Fuzzy Hash: B3212571605304DFDB20DF10D980B26BB61FB84325F20C56DDE0A4B38AC33AD84BDA62

Function 00FE0EC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582d9b197facc71d04defbde6eb835a66be0d4e8736ee64eb0b0abb46a90c8b2
Instruction ID: e69984c0635a44d6fce9b1aaf37c5a073b38cf611c8281ac44e87e56c0dd0ea4
Opcode Fuzzy Hash: 582d9b197facc71d04defbde6eb835a66be0d4e8736ee64eb0b0abb46a90c8b2
Instruction Fuzzy Hash: FC218E70E042499FDB09EFBAC4407AEBBB2FF85305F10C46994149B285DB785985DF41

Function 00FE17B8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d74ee6b857a79edcd5edfb4946e4da40410434935e393cd60cc7e1b85beefee
Instruction ID: a4828abcc9c12dd4398df0f0aa2d0938acff79d657f0029fc27bd27c2c97da29
Opcode Fuzzy Hash: 4d74ee6b857a79edcd5edfb4946e4da40410434935e393cd60cc7e1b85beefee
Instruction Fuzzy Hash: 7D2125B0D0524A8FCB45DFA9C8846EEBFB0FF4A310F0445AAD505F7261EB344A95CBA1

Function 00FEBB48 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bff3fca8ced2d4925524eb870aa287ee14aa0850842b96556f82113e98a1588
Instruction ID: 3364f83999d5d2c705500229bb503f93263a15cfcc3809636a7f9ac7cecdd8e1
Opcode Fuzzy Hash: 6bff3fca8ced2d4925524eb870aa287ee14aa0850842b96556f82113e98a1588
Instruction Fuzzy Hash: DB1136767002048FD714DB6AD988E57B7E6FFD8721F2084AAE54A8B364CB71EC00DB50

Function 00FEC108 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5892cb347a5902c6bfd17e49abb9675391300eee08e35ccccd8e6adbed78410
Instruction ID: a4c9e0300fa9acb67970b8921510640d2b4078a525a46e212dae808fb3dfb7d3
Opcode Fuzzy Hash: f5892cb347a5902c6bfd17e49abb9675391300eee08e35ccccd8e6adbed78410
Instruction Fuzzy Hash: F7117036E003458BCB24EFBA988469EBBF5AF88351B144539E419E3301DB399D0297E1

Function 00FE4850 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05adc05313363b81cd46d06207fc47cd1e193fcf023c6bdc70fad4d2dc02adf
Instruction ID: 452b0b10d70e3c38b9a40eba46f72c6d8fd7e53d8a56519a7e6962b6a91793df
Opcode Fuzzy Hash: c05adc05313363b81cd46d06207fc47cd1e193fcf023c6bdc70fad4d2dc02adf
Instruction Fuzzy Hash: E201F132F003458FD714AFB6980452F7BEBAFC8228701883ADA05CB324EE35DC008BA1

Function 00FE4860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af339b83550cf507319a28dc8972435434a17169557d96042985de60d89a742b
Instruction ID: 338751de0c79fbf4d1eb77f282bcfe5cc9d5e765fee10d0567de56c3df5c415e
Opcode Fuzzy Hash: af339b83550cf507319a28dc8972435434a17169557d96042985de60d89a742b
Instruction Fuzzy Hash: DF01D632F002558FD714ABBA985453F76EBAFC8628710883DDA05C7324FE71DC0187A1

Function 00FEBEE9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39c535e3673954cbe5ff923586c8d16c9de55c4e363eecc3c64abd8732d8cf3
Instruction ID: e50a229173ec34ec52089389209c4e6935b72789747de7fd0c2a1c2211aa653a
Opcode Fuzzy Hash: a39c535e3673954cbe5ff923586c8d16c9de55c4e363eecc3c64abd8732d8cf3
Instruction Fuzzy Hash: 67012632B003445BCB152BB8DC0836A7FA6EFC9320F14482AF64BC7381DA39CD128790

Function 00FEA508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b858736001420a6e4682f4510e54c388484dbe8021552e730a14f9fbaec6b414
Instruction ID: f3431ecb059adaab501c39b3f0f63123b0a6ef6ce0ba05cfdba8212d9a642c25
Opcode Fuzzy Hash: b858736001420a6e4682f4510e54c388484dbe8021552e730a14f9fbaec6b414
Instruction Fuzzy Hash: AA015E75E002499FDF15DFA9E8586AE7BB5FB88310F00493AED1A93241DB349D20DBA1

Function 00FEA4F9 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1f18a80fe20153754bf4147aa6f754412076491a91436f3466ed85bac26c46
Instruction ID: e0c0c1a42ccf58ed3d21310281b3bf216265e4d40f25bd70d947c8ae6f1c02a1
Opcode Fuzzy Hash: eb1f18a80fe20153754bf4147aa6f754412076491a91436f3466ed85bac26c46
Instruction Fuzzy Hash: A1017176E0028A9FCF15DF69D854AAEBBB5EF88310F04453AE915D3241D7304D20DB92

Function 00FEC1AF Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e900d61dc9ba9a3845001d371f0350a19ba74cb97d616afbc93b4d69cac1e7ed
Instruction ID: 6b3c0e2a6087dbe38ae19bcee63f1b8d4e2251a5adf3555d1ab9e0a9a593fdc0
Opcode Fuzzy Hash: e900d61dc9ba9a3845001d371f0350a19ba74cb97d616afbc93b4d69cac1e7ed
Instruction Fuzzy Hash: FFF08232B005515FCB1A576AA4559AEB7A6DFC5731724007AF509D7351CF36CC038B90

Function 00FEB9EA Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4c6aef688f35304ae59ac59bc75f38af68c604da8f79d64f14a9af05708910
Instruction ID: 92397ad9f196d8c7c44d2ceb85e02d674eb94bbb24dbbfabd63e464a11794460
Opcode Fuzzy Hash: 0f4c6aef688f35304ae59ac59bc75f38af68c604da8f79d64f14a9af05708910
Instruction Fuzzy Hash: 4BF0B476A00208AFCB50DFAADC41ADFFBF9FF88250B50413AE545E3201D770A9019BE1

Function 00FE46C9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5283590bd46df8fc0238dcaeb927e1ab6626d87547f848042eeb634648d2226f
Instruction ID: a737f9ea354406eb13e8f66dd330e7a6c56bcfce08bddbe5bee2cccd4acca333
Opcode Fuzzy Hash: 5283590bd46df8fc0238dcaeb927e1ab6626d87547f848042eeb634648d2226f
Instruction Fuzzy Hash: B1F01571569B8A8FD3022B34ACBD26E7F31EF0B71BB482C45E28A81472CB201406EB11

Function 00FEBE98 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6796e64680c3c2384b89a3245005c410de4e36857846756983d91d083006d4a
Instruction ID: 9551ae981e766bd3f69da9ae05411c9b35ca270ecc35bbdb98ddf9ec1efec227
Opcode Fuzzy Hash: b6796e64680c3c2384b89a3245005c410de4e36857846756983d91d083006d4a
Instruction Fuzzy Hash: D5F05E35300205DFC700DF5AD488D6ABBEAFF88724B604169F60987330CB719C11CB80

Function 00FE46D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da591a5b858dbd6497a61c085433fee60dbc61b8ab9f27320b9639f8e3c8628
Instruction ID: 9f2f5f746028b3faeaed058531384dd05159c76b4cf109b2b565f9b1a11e7558
Opcode Fuzzy Hash: 2da591a5b858dbd6497a61c085433fee60dbc61b8ab9f27320b9639f8e3c8628
Instruction Fuzzy Hash: DEE0B671421B4A8FD3102B60BCBC23E7A75FB0FB2BF842C00A20E800319F706445EE54

Function 00FE1877 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9306808bca1c06bd5d91668f0ee1d909c004a3b5552167a085fbc83c9462ae
Instruction ID: 5ec3731caaba28e8fa959a60d3878a8978ad6c6e734e856c393db9ca740af286
Opcode Fuzzy Hash: 0c9306808bca1c06bd5d91668f0ee1d909c004a3b5552167a085fbc83c9462ae
Instruction Fuzzy Hash: 6EE02632D252A78EC7129FA09C140EEBB30FEA2311B4142A7D0207B150FB30164ECBB1

Function 00FEB78F Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf74c2be1be89ae3532ae3740c0b63523b50a8298ab41a875948aec3e82553dd
Instruction ID: 38dc8864c4111fa25d27d048d96a4ea69fdf037d82dc9de7f57262be89cfab37
Opcode Fuzzy Hash: bf74c2be1be89ae3532ae3740c0b63523b50a8298ab41a875948aec3e82553dd
Instruction Fuzzy Hash: 41E080327011205FC7144E6DD484C9AFB6AEFC9721315417EF545C7321C671CC01CB90

Function 00FE1888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3e99fc45289d51e288871e35d0b232ec13f1794602790d590f366f8671c5c7
Instruction ID: 95853cd4a34060b04074003491279439ef00b1d81410583e0b290ca678964f17
Opcode Fuzzy Hash: 4c3e99fc45289d51e288871e35d0b232ec13f1794602790d590f366f8671c5c7
Instruction Fuzzy Hash: 15D05B31D2022B97CB10E7A5DC044EFF738EED5262B504626D51537140FB712659C6E1

Function 00FEBF48 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73553d74a4fd45d0ae9ec7d22e19087061665dfacd0e39d9ac8bedfd6da39d2f
Instruction ID: 18bab8b5fd4ddc5a6cb5207a9e71cd46f7e5f33cf59b81fc741c0de4a80e2935
Opcode Fuzzy Hash: 73553d74a4fd45d0ae9ec7d22e19087061665dfacd0e39d9ac8bedfd6da39d2f
Instruction Fuzzy Hash: EDD0C736744114674B061A49A8148AE7B6EE7CD7727048126F91A83340CE714D219BD5

Function 00FE4831 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2740196058.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fe0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c887df81bd31fab69d059a22aed7a0783eb717422f116fb166696659c81c45
Instruction ID: 89d9b0cda51a450a257745bc2543f4a8d920405350b5f5f087e7910fbbd6f6c8
Opcode Fuzzy Hash: e8c887df81bd31fab69d059a22aed7a0783eb717422f116fb166696659c81c45
Instruction Fuzzy Hash: 3DC04C1444D2C54FDF47477454691557FB2DD472047194CCFC6C186457D4059417C717

Non-executed Functions

Function 052F4520 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952a2c223c5516a39bab0aa9f3bc98fe9053ed48e7dfce84287e0b9c491e5702
Instruction ID: 0b2a463b98b2fe66d53e867f8f6dee205e3526e6fd639ff979814d0601792d30
Opcode Fuzzy Hash: 952a2c223c5516a39bab0aa9f3bc98fe9053ed48e7dfce84287e0b9c491e5702
Instruction Fuzzy Hash: 77C1C074E01218CFDB14DFA5D994B9DBBB2BF89300F2081A9E909AB355DB359E81CF50

Function 052F8130 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1bd5a0da7b2a26621bd867b8ed693fe71c9f5e9186ce56ebee1ea33d90c7c82
Instruction ID: 1f66a8a833ca63b0d896b0c6b236e1ff343cd0b4670bf767d5fceeb372dac230
Opcode Fuzzy Hash: d1bd5a0da7b2a26621bd867b8ed693fe71c9f5e9186ce56ebee1ea33d90c7c82
Instruction Fuzzy Hash: 01C1AD74E11218CFDB14DFA5D994B9DBBB2AF89300F2081A9E809AB355DB359E81CF50

Function 052F4978 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7f09a09eb771bc2ff94da70581dc98125edf6d5a394475dbf1ea357784087d
Instruction ID: 295582142df55a5cc81f1d0b8ebf448cf4c64173ecc469f8e2cb0df3567d76ad
Opcode Fuzzy Hash: cb7f09a09eb771bc2ff94da70581dc98125edf6d5a394475dbf1ea357784087d
Instruction Fuzzy Hash: 38C1C074E01218CFDB14DFA5D994B9DBBB2BF88300F2081A9E909AB355DB359E81CF50

Function 052F8588 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366e4b4486e9e2949213af9612bf56304f052febdfe442acee9ecfdd7acce594
Instruction ID: 36cab9da1c2de25d3cceb16271b942ace5039e07376ac0a0868c9b659e769ddd
Opcode Fuzzy Hash: 366e4b4486e9e2949213af9612bf56304f052febdfe442acee9ecfdd7acce594
Instruction Fuzzy Hash: 70C1BC74E11218CFDB14DFA5D994B9DFBB2AF88300F2081A9E909AB354DB359E81CF50

Function 052F4DD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51bb23710a2e084cdc2bec47eedea150bba3cd37e8989623f3736bcf09c591f
Instruction ID: d0055fc8413f46ce87ecde2ad11b0d0b5b3790559ef5fe231e9ad4e97c94b0b5
Opcode Fuzzy Hash: e51bb23710a2e084cdc2bec47eedea150bba3cd37e8989623f3736bcf09c591f
Instruction Fuzzy Hash: 3EC1CF74E01218CFDB14DFA5D984B9DBBB2BF89300F2081A9E809AB354DB359E85DF50

Function 052F7428 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672f4a410a59e46e0d8a89b172e8c9437d05cfb901bf8f8d385f538c6ef2dd41
Instruction ID: 8cfedb6c3c42589e5d05fc4890122c6a1ae32dace96bd3cb58972a959d5b31bb
Opcode Fuzzy Hash: 672f4a410a59e46e0d8a89b172e8c9437d05cfb901bf8f8d385f538c6ef2dd41
Instruction Fuzzy Hash: 57C1BD74E11218CFDB14DFA5D984B9DBBB2BF88300F2481A9E909AB355DB359E81CF50

Function 052FF000 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef88d11a5eb41a8f4873882d367a85c8cece6e14a57187d1f3776df39534a0a
Instruction ID: 680dec0427df34d8cb20f16699502651ebc69abefb5fae1d2dddfc31eb005fb3
Opcode Fuzzy Hash: aef88d11a5eb41a8f4873882d367a85c8cece6e14a57187d1f3776df39534a0a
Instruction Fuzzy Hash: 3EC1CF74E11218CFDB14DFA5D984B9DBBB2BF89300F2081A9E909AB355DB359E81CF50

Function 052FF458 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fda9d576604c1dc75e1df32b667b98cfe3f83b09a2b2841a90ceb5acc0abad
Instruction ID: db7a00703ffd6755ad791efb16112a0ff03eb45758b15f188261a8275921fdb4
Opcode Fuzzy Hash: 18fda9d576604c1dc75e1df32b667b98cfe3f83b09a2b2841a90ceb5acc0abad
Instruction Fuzzy Hash: F9C1CD74E11218CFDB14DFA5D984B9DBBB2BF89300F2081A9E909AB355DB359E81CF50

Function 052FF8B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11c7566216fe8439e9031a5ce0e16187205f8079da4ebe259721b0882f2344b
Instruction ID: b9642ced321b1d3d1c66853c1011946b689ebc5739154adf93c9c5d1016a77c9
Opcode Fuzzy Hash: c11c7566216fe8439e9031a5ce0e16187205f8079da4ebe259721b0882f2344b
Instruction Fuzzy Hash: 88C1CE74E11218CFDB14DFA5D994B9DBBB2BF89300F2081A9E909AB354DB359E81CF50

Function 052F7880 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b842f7cf0c799694e480e5437cce95d47eeb30f1e40cd1d6890f5287757adeb3
Instruction ID: 0280d469fd1a95b1094e735d0089c6be4fb3b726be58a9cc84a4967f93f64835
Opcode Fuzzy Hash: b842f7cf0c799694e480e5437cce95d47eeb30f1e40cd1d6890f5287757adeb3
Instruction Fuzzy Hash: E7C1CC74E11218CFDB14DFA5D984B9DBBB2BF89300F2481A9E809AB355DB359E81CF50

Function 052F7CD8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830aace6d668a0d26ace9b211c7100dbaaf32fc1e835c235155af9430d8ae672
Instruction ID: ca39851fa5a4dc09af5b31a3c3049339b0bf0ab2852e7bcba6b074c0ae401f8b
Opcode Fuzzy Hash: 830aace6d668a0d26ace9b211c7100dbaaf32fc1e835c235155af9430d8ae672
Instruction Fuzzy Hash: E2C1BD74E11218CFDB14DFA5D884B9DBBB2BF89300F6081A9E909AB354DB359E85CF50

Function 052FE750 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45246d9021e92aa446b04a153d9e98a3acb5290ceb7e2591e8857acbb859676d
Instruction ID: d45f30af4b180fdd5d66ea927cd434b4bf7bd4882b19c11646b93bd105e6c5c5
Opcode Fuzzy Hash: 45246d9021e92aa446b04a153d9e98a3acb5290ceb7e2591e8857acbb859676d
Instruction Fuzzy Hash: 69C1CF74E11218CFDB54DFA5D994B9DBBB2BF88300F2081A9D809AB364DB359E85CF50

Function 052FEBA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 094301062c2a73403eaf1f09e814a54d6ad0e429294fcb729ff72b7a9cfc7f9b
Instruction ID: 39fd70e327e22ca71c4fcd8f0464d7b6af612f01bd01d53e5ecdffe833033220
Opcode Fuzzy Hash: 094301062c2a73403eaf1f09e814a54d6ad0e429294fcb729ff72b7a9cfc7f9b
Instruction Fuzzy Hash: 6BC1C374E11218CFDB54DFA5D884B9DBBB2BF88300F1081A9D809AB354DB355E81CF50

Function 052F6FD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816ace83ba76f20fd5d8e90bed31f7dd5a4c79dc01277e906086366ceecc8d3c
Instruction ID: 5b1776159d34e39fdd23ad927ee2b46c5dd01f93db26925af4a92f651ad44444
Opcode Fuzzy Hash: 816ace83ba76f20fd5d8e90bed31f7dd5a4c79dc01277e906086366ceecc8d3c
Instruction Fuzzy Hash: 37C1BE74E11218CFDB14DFA5D984B9DBBB2BF89300F2481A9E809AB355DB359E81CF50

Function 052F5228 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5069cf46a187592e699dfdefacfba6d24aeb3aeaaf4f59d74d5629a6988a44e
Instruction ID: fb047bc9fa7354dc8b19499555004f955932265ea8ecdb1c3f46b02386e23a1f
Opcode Fuzzy Hash: f5069cf46a187592e699dfdefacfba6d24aeb3aeaaf4f59d74d5629a6988a44e
Instruction Fuzzy Hash: 6DC1CF74E01218CFDB14DFA5D984B9DBBB2BF89300F2081A9E909AB355DB359E81CF50

Function 052F5680 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f1f327e4eeff8f3d1da5f137d758fb8837acb0594e7faf2df170cc8ccc2576
Instruction ID: 39a121d38a0302ac1a78ab585e97876352cada320024c644344f1e3f2bb20c4d
Opcode Fuzzy Hash: 88f1f327e4eeff8f3d1da5f137d758fb8837acb0594e7faf2df170cc8ccc2576
Instruction Fuzzy Hash: E3C1BF74E01218CFDB14DFA5D994B9DBBB2BF89300F2081A9E809AB354DB359E85CF50

Function 052FE2F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2744525262.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52f0000_ABG Draft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261a2ed24269841f3b6234982586059f8596d65e2abea9dcee18b7ed4240f511
Instruction ID: 4de198091d9a94787c20f5d0c64ef497f8e01ef7008e72b82051fc11d68ea9bf
Opcode Fuzzy Hash: 261a2ed24269841f3b6234982586059f8596d65e2abea9dcee18b7ed4240f511
Instruction Fuzzy Hash: D3C1C174E11218CFDB54DFA5D984B9DBBB2BF88300F2081A9D909AB365DB359E81CF50

Analysis Process: iREediqoQIKIHt.exePID: 5064, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	224
Total number of Limit Nodes:	18

Executed Functions

Function 02D9D369 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02D9D3F6
GetCurrentThread.KERNEL32 ref: 02D9D433
GetCurrentProcess.KERNEL32 ref: 02D9D470
GetCurrentThreadId.KERNEL32 ref: 02D9D4C9

Memory Dump Source

Source File: 00000008.00000002.1546848169.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d90000_iREediqoQIKIHt.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 397874f1dafdf7d3fe6432a175a378aae7234c9ba1fcb1924ba5f6fc734504f6
Instruction ID: 30e996aafc1e612da9c30d7f25d9b85a9cc35e5b01322331bc0dc5debc70ca72
Opcode Fuzzy Hash: 397874f1dafdf7d3fe6432a175a378aae7234c9ba1fcb1924ba5f6fc734504f6
Instruction Fuzzy Hash: 605159B09003198FDB18DFAAD5487DEBBF2BF88314F208459E409A7390DB745984CF65

Function 02D9D378 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02D9D3F6
GetCurrentThread.KERNEL32 ref: 02D9D433
GetCurrentProcess.KERNEL32 ref: 02D9D470
GetCurrentThreadId.KERNEL32 ref: 02D9D4C9

Memory Dump Source

Source File: 00000008.00000002.1546848169.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d90000_iREediqoQIKIHt.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2ddb640cf74268348a44d942ab34471e6707cc4a721e038e999cb2b6cc17eb69
Instruction ID: 91d8b47fa09ac79b9e2d45407444b360ab048abe7037d9be08a3d3904f9d578d
Opcode Fuzzy Hash: 2ddb640cf74268348a44d942ab34471e6707cc4a721e038e999cb2b6cc17eb69
Instruction Fuzzy Hash: 865138B090031A8FDB18DFAAD5487DEBBF2BF88314F208459E419A7350DB746944CF65

Function 07550006 Relevance: 1.8, APIs: 1, Instructions: 269
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07550276

Memory Dump Source

Source File: 00000008.00000002.1553677901.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7550000_iREediqoQIKIHt.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 327d052a6c7d700d4f8e0c7c983a605f02de81cfd22e22b3cb4d1d0ed9511966
Instruction ID: 166ad10834753c8149d909ae49e8b1f5b09c58214e8538154ee98de08629a12d
Opcode Fuzzy Hash: 327d052a6c7d700d4f8e0c7c983a605f02de81cfd22e22b3cb4d1d0ed9511966
Instruction Fuzzy Hash: B7A16AB190135ACFDB11CF68CC507EEBBB2BF45310F0585AAE848A7290DB759985CF92

Function 07550040 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07550276

Memory Dump Source

Source File: 00000008.00000002.1553677901.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7550000_iREediqoQIKIHt.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fa34aab75765b747aa88e9a6d5f82bf4d029ce7d521a01077b4fc3fd7d6b002d
Instruction ID: 15cd2e6ee90ac49cf7c3aafff9dbe634ba8e69584f974ea5e82eb79ce756d57f
Opcode Fuzzy Hash: fa34aab75765b747aa88e9a6d5f82bf4d029ce7d521a01077b4fc3fd7d6b002d
Instruction Fuzzy Hash: A6914AB1D0021ACFEF14DFA8CC517DEBBB2BB44710F14856AD808A7290DB759985CF92

Function 02D9B3B1 Relevance: 1.7, APIs: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D9B626

Memory Dump Source

Source File: 00000008.00000002.1546848169.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d90000_iREediqoQIKIHt.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 00da71eadf42ecf0d8ab18bc7055992c0788cf4bc61ee237542dbd2038b3969d
Instruction ID: 2b75a46c5ac25ad0a7e58d852ed7818048c9664082aaeab0efce94d971dc855f
Opcode Fuzzy Hash: 00da71eadf42ecf0d8ab18bc7055992c0788cf4bc61ee237542dbd2038b3969d
Instruction Fuzzy Hash: 53812570A00B058FDB24DF69E44479ABBF1FF89208F00892EE48ADBB50D774E845CB91

Function 02D9590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D959C9

Memory Dump Source

Source File: 00000008.00000002.1546848169.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d90000_iREediqoQIKIHt.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: aecde6aecca0f233daef96f4995e4b19f4f24b6ae279c743072da7c251c071e9
Instruction ID: 979be22136163dd1a4b038db27c4c0408b7ead57e983f4e2f306eb6690b6dc64
Opcode Fuzzy Hash: aecde6aecca0f233daef96f4995e4b19f4f24b6ae279c743072da7c251c071e9
Instruction Fuzzy Hash: CC41E2B1C00729CFDB25DFA9C8847CEBBB5BF88714F60816AD408AB251DB756949CF90

Function 02D944F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D959C9

Memory Dump Source

Source File: 00000008.00000002.1546848169.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d90000_iREediqoQIKIHt.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 20fe5987897dc82103c7e97ba7a342bc9f0b318eeb8c841ef6cf2567860877df
Instruction ID: 50290850b43782d8c26b4afa8a08a5ea581453f1820886a6cb77c613d8a79372
Opcode Fuzzy Hash: 20fe5987897dc82103c7e97ba7a342bc9f0b318eeb8c841ef6cf2567860877df
Instruction Fuzzy Hash: 9141DF70C0072DCFDB25DFAAC8847CEBBB5BB88704F60806AD408AB251DB756949CF90

Function 08AFF923 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08AFF9B8

Memory Dump Source

Source File: 00000008.00000002.1554188343.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8af0000_iREediqoQIKIHt.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5ee218344418fa933849a5bf5c9301285c3e31edec688d5a122aeb0d4c1f3184
Instruction ID: 92d48aa13893769e2d91207e16bb0d92351f8f6e3b3c6ebc7f0a6949920d1371
Opcode Fuzzy Hash: 5ee218344418fa933849a5bf5c9301285c3e31edec688d5a122aeb0d4c1f3184
Instruction Fuzzy Hash: 062127719003499FDB10DFAAC885BEEBBF5FF48310F50842AE959A7341CB799954CBA0

Function 08AFF928 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08AFF9B8

Memory Dump Source

Source File: 00000008.00000002.1554188343.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8af0000_iREediqoQIKIHt.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8a58b37852111a712cb1889b8e295183974115499262fbc60c34d5735e0f7a66
Instruction ID: a0ef95d61d9a1bda7970d05274ec69adb5f8c0738116e05e70d2267bf863ef23
Opcode Fuzzy Hash: 8a58b37852111a712cb1889b8e295183974115499262fbc60c34d5735e0f7a66
Instruction Fuzzy Hash: 0C2136719003499FDF10DFAAC885BDEBBF5FF88310F10842AE959A7241CB799954CBA0

Function 08AFF788 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08AFF80E

Memory Dump Source

Source File: 00000008.00000002.1554188343.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8af0000_iREediqoQIKIHt.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a741771288930970b6b50b6d8379b7931420fac3ea07bbe7b7338aa2f459f34b
Instruction ID: 990e7f390346c449b746d4c96d2956f1cd48ff7e6bea3cf91396fb4b22841984
Opcode Fuzzy Hash: a741771288930970b6b50b6d8379b7931420fac3ea07bbe7b7338aa2f459f34b
Instruction Fuzzy Hash: 35214A719007098FDB10DFAAC48579EFBF4EF48221F148429E519A7641DB789545CBA0

Function 08AFFA13 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08AFFA98

Memory Dump Source

Source File: 00000008.00000002.1554188343.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8af0000_iREediqoQIKIHt.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f53ab5b736afb5f74a4ffa528eed411623eddcaf37a4e4d044583d517412f722
Instruction ID: 30a329626aca94a167b588cd68a19508a7d3a1cf7fca9fc634c672250182ad6a
Opcode Fuzzy Hash: f53ab5b736afb5f74a4ffa528eed411623eddcaf37a4e4d044583d517412f722
Instruction Fuzzy Hash: A62128718003499FDB10DFAAC881BEEBBF5FF48310F50842AE918A7251CB799954DBA0

Function 08AFFA18 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08AFFA98

Memory Dump Source

Source File: 00000008.00000002.1554188343.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8af0000_iREediqoQIKIHt.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6b9c60b47c60bb919cbe8e74ea98f42b113f747fb5168ffea8772d45905a8b09
Instruction ID: f851543f6a7f22bea85f4a7c6679137343dc10c2e9308f2220279a65c4fe1f06
Opcode Fuzzy Hash: 6b9c60b47c60bb919cbe8e74ea98f42b113f747fb5168ffea8772d45905a8b09
Instruction Fuzzy Hash: 312128718003499FDB10DFAAC880BDEBBF5FF48310F50842AE918A7250CB799954CBA0

Function 08AFF790 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08AFF80E

Memory Dump Source

Source File: 00000008.00000002.1554188343.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8af0000_iREediqoQIKIHt.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7a7c44b7e554bc1e452fa19d9bab03d9e6a3ea1fada0a634a7a1c01e6c0be784
Instruction ID: 3f118da057223936f4370f6579a2323bd6fb15e8fb1cc9e4ac9f29daa51955b6
Opcode Fuzzy Hash: 7a7c44b7e554bc1e452fa19d9bab03d9e6a3ea1fada0a634a7a1c01e6c0be784
Instruction Fuzzy Hash: 442138719003098FDB10DFAAC485BAEBBF4EF88320F14842ED519A7241DB789944CFA0

Function 02D9D9C8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D9DA4F

Memory Dump Source

Source File: 00000008.00000002.1546848169.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d90000_iREediqoQIKIHt.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 68d61bdd48ef2461684480a859f021335cc855b89ce6836123100cd6a7efc60e
Instruction ID: 4aa11a7871539447b33136d22e6bd80f2e45603b57655743f81fa8d18dc1f685
Opcode Fuzzy Hash: 68d61bdd48ef2461684480a859f021335cc855b89ce6836123100cd6a7efc60e
Instruction Fuzzy Hash: 0621E4B59002099FDB10CFAAD884ADEBBF9FB48310F14801AE918A3350D378A954CFA0

Function 02D9D9C1 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D9DA4F

Memory Dump Source

Source File: 00000008.00000002.1546848169.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d90000_iREediqoQIKIHt.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fbc8805f2afeb4509a9ef1452ba5c6d88d80079a8f76bfa8df1d8274b4f25054
Instruction ID: 84cb9d2c8c374af4469a3ce4aa435f52a6d6da8c989e51d390e012e1e041c2ea
Opcode Fuzzy Hash: fbc8805f2afeb4509a9ef1452ba5c6d88d80079a8f76bfa8df1d8274b4f25054
Instruction Fuzzy Hash: CC21E3B5D002099FDB10CFAAD985ADEBBF5FB48310F14841AE918A3350D378A954CFA5

Function 08AFF860 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08AFF8D6

Memory Dump Source

Source File: 00000008.00000002.1554188343.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8af0000_iREediqoQIKIHt.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: eaefc4006986ec8f8bd7d1059d4c9a13fa02687024e1ec31c956df607da4e3b8
Instruction ID: 923e2e1b89814fd5aed815c452e504fe89d3a1ff637d6746409c002d43b43805
Opcode Fuzzy Hash: eaefc4006986ec8f8bd7d1059d4c9a13fa02687024e1ec31c956df607da4e3b8
Instruction Fuzzy Hash: C51167718003499FDB20DFAAC844BDEBFF5EF88320F148829E515A7250CB759900CFA0

Function 08AFF868 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08AFF8D6

Memory Dump Source

Source File: 00000008.00000002.1554188343.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8af0000_iREediqoQIKIHt.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 689d84fbe8aa6738e9d0c943ff4678adf4b5b30e52c3c18bacf43edebdb8aa31
Instruction ID: 6f9e6239d5e09b111402bbbd2dcd1ce627f8b5384429e0e8129e4814574c6b45
Opcode Fuzzy Hash: 689d84fbe8aa6738e9d0c943ff4678adf4b5b30e52c3c18bacf43edebdb8aa31
Instruction Fuzzy Hash: 8C1137718003499FDB10DFAAC844BDFBBF5EF88320F148419E515A7250CB759954CFA0

Function 08AFF6D8 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08AFF742

Memory Dump Source

Source File: 00000008.00000002.1554188343.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8af0000_iREediqoQIKIHt.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cfe701d4a9a247d2793c833c67dfa037ef3d552859b017fafac9cc4dfba24562
Instruction ID: eb72463a9335f5da9fe26395acdcbe0d30739929eb0a76adfedbfe31b297ae43
Opcode Fuzzy Hash: cfe701d4a9a247d2793c833c67dfa037ef3d552859b017fafac9cc4dfba24562
Instruction Fuzzy Hash: B21188719003898FDB20DFAAC4447DEFBF5EF88220F148429D519A7240CB39A804CFA4

Function 08AFF6E0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08AFF742

Memory Dump Source

Source File: 00000008.00000002.1554188343.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8af0000_iREediqoQIKIHt.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7088c5e71c7990952760366cd225fb0e11c813e7b3784cf3093531a8603fe86a
Instruction ID: 48f158da95f5fb4aee6962a91e8f52038c22aa50e4d217abaecbf7de981ee7dd
Opcode Fuzzy Hash: 7088c5e71c7990952760366cd225fb0e11c813e7b3784cf3093531a8603fe86a
Instruction Fuzzy Hash: C71136719007498FDB20DFAAC44579EFBF9AF88720F24842AD519A7640CB79A944CFA4

Function 02D9B5C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D9B626

Memory Dump Source

Source File: 00000008.00000002.1546848169.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d90000_iREediqoQIKIHt.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7e8c7d0fd5daeabd08eaba879df1e162ef34a1fa2d7abcd9e49717dde2819ee4
Instruction ID: 1228c08ceed89b73a9cea91a6739913f50980bb186d9e6f63fafc66cfdee2a43
Opcode Fuzzy Hash: 7e8c7d0fd5daeabd08eaba879df1e162ef34a1fa2d7abcd9e49717dde2819ee4
Instruction Fuzzy Hash: C911DFB5C003498FDB10DF9AD844B9EFBF5AB88224F11841AD819A7710C379A945CFA5

Function 075530E2 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07553145

Memory Dump Source

Source File: 00000008.00000002.1553677901.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7550000_iREediqoQIKIHt.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 314a95cf17e8e89a3191e8a34cdaf3fa2191fd34486834ff850d0b66566b382b
Instruction ID: bd9cc1dc4473907fbacd93b1f62b64c55933bde394ad3c079ca58933f9036061
Opcode Fuzzy Hash: 314a95cf17e8e89a3191e8a34cdaf3fa2191fd34486834ff850d0b66566b382b
Instruction Fuzzy Hash: E51100B58003499FDB10DF9AD884BDEBBF8FB48324F10841AE918A7610D379A944CFE1

Function 075530E8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07553145

Memory Dump Source

Source File: 00000008.00000002.1553677901.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7550000_iREediqoQIKIHt.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3df36afb2bd2c49615ecc405600c198ff682955fa77828473f3be4d01f2b609f
Instruction ID: 50b33d02cca5cdc474a939e7ad111c07d25c60ea55eb907b4e82e1432396a0f5
Opcode Fuzzy Hash: 3df36afb2bd2c49615ecc405600c198ff682955fa77828473f3be4d01f2b609f
Instruction Fuzzy Hash: 0311D0B58003499FDB10DF9AC885BDEBBF8FB48724F10841AE918A7650C379A944CFA1

Function 011ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1545017186.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11ed000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a1c16e2c902445e2985dbdbd2fb7ba11b1c3adefe36dd66bd2c1dd6227d793
Instruction ID: e7a97683d5f53a0627477b2735b434ca8b46499bcc0d224158dfc74e38eeb520
Opcode Fuzzy Hash: 22a1c16e2c902445e2985dbdbd2fb7ba11b1c3adefe36dd66bd2c1dd6227d793
Instruction Fuzzy Hash: B62136B5104704DFDF09DF84E9C8B56BBA5FB94324F20C169E8090B646C336E446CBA2

Function 011FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1545082152.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11fd000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5842c211af4d8540af3c2ec33a695179cb9874ddcf1760dddfb37830e4ff1d9e
Instruction ID: 4d7826d1fac3ff5cd6bf2282930c4c3f6df11ce4f9991dba4325dd0436ec12c8
Opcode Fuzzy Hash: 5842c211af4d8540af3c2ec33a695179cb9874ddcf1760dddfb37830e4ff1d9e
Instruction Fuzzy Hash: A8210075604300DFDF19DF54E884B26BB61FB84214F20C66DEA0A4B286C33AD407CA62

Function 011FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1545082152.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11fd000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e837e563beb6671f8db87e48ec20e97e590caf6711f75635d464be57c51f0d6
Instruction ID: e2fd79ac308def5cca77092351382f95dcef3a05809a0a313b1f1d728f8d9297
Opcode Fuzzy Hash: 4e837e563beb6671f8db87e48ec20e97e590caf6711f75635d464be57c51f0d6
Instruction Fuzzy Hash: 4D213779604300DFDF09DF94E9C4B26BB61FB84324F20C56DEA094B242C336D406CBA2

Function 011FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1545082152.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11fd000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aee16799c2ffa9fcbf94517cb783cf8a95b1993048104b26762132473a37c8d
Instruction ID: cfb041dd4b58067b99af2120911ecbadebf56f5ceb882de75086de9d3742c38c
Opcode Fuzzy Hash: 5aee16799c2ffa9fcbf94517cb783cf8a95b1993048104b26762132473a37c8d
Instruction Fuzzy Hash: AC21AE755093808FCB07CF24D990B15BF71EB46214F28C5EED9498F6A7C33A980ACB62

Function 011ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1545017186.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11ed000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 2f0391c0cc6948a403b4eab52a84d9ddbcd68583e67853c31af2a5152db15536
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: FF11CD76504680CFCF06CF84D5C4B56BFA2FB94224F2482A9D8090A657C33AE456CBA2

Function 011FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1545082152.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11fd000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: 14ffd76eb861a946c17b8b09c30f4f849faa549e6110081f4a23043af13bf4cf
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 9211BB79504280DFCB06CF54D5C0B25BBA2FB84224F24C6AED9494B296C33AD40ACBA2

Analysis Process: iREediqoQIKIHt.exePID: 4620, Parent PID: 5064COMMON

Executed Functions

Function 0302C530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 0302F910

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 630bd080e7168e171907b18983de8230ba2c10521ed546eee34fde46998d78dc
Instruction ID: 3599661376285dfc33d31d1714ae38f829f2655e745c6a1ed925e35dcbeef90f
Opcode Fuzzy Hash: 630bd080e7168e171907b18983de8230ba2c10521ed546eee34fde46998d78dc
Instruction Fuzzy Hash: A673E531D1075A8EDB11EF68C844A9DFBB1FF99300F15C69AE45867261EB70AAC4CF81

Function 030227B9 Relevance: .7, Instructions: 695COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a38370bb54f1b5dc97fe316e9886d59547c196623553435d07b34e43385b40b
Instruction ID: 8a5d88d92ad2a09a618a0e02dcdb1e9e71cb17c96ad11baaa747091bff3971d9
Opcode Fuzzy Hash: 6a38370bb54f1b5dc97fe316e9886d59547c196623553435d07b34e43385b40b
Instruction Fuzzy Hash: 7D42E463A5E2E55BDB074B7888E23E0BF72DE6B20439D04D5D0C08E14BE6A96997C347

Function 03029480 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3091ab0f7750894f32b86da59ef5654bca686310f93eeb8f724c47cade94910c
Instruction ID: f842a9132cb7bbe6d5f6a7afe3d49afda362111875d1ea1564a29f04207593ac
Opcode Fuzzy Hash: 3091ab0f7750894f32b86da59ef5654bca686310f93eeb8f724c47cade94910c
Instruction Fuzzy Hash: 19C1AE78E01218CFDB54DFA5D994B9DBBB2FB88301F2481A9E809A7364DB355E85CF10

Function 0302C521 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2d9aa9892149b19e301ad21442abd38352ff8201cbfda814045edbb64ae308
Instruction ID: a3961b2586c19794508cbdfb8784a3677334a0df0657b72627b7a610cc439d7d
Opcode Fuzzy Hash: 6c2d9aa9892149b19e301ad21442abd38352ff8201cbfda814045edbb64ae308
Instruction Fuzzy Hash: 3CA1F671D116198FDB14DFA9C8447DDFBB1EF89300F14C6AAE458A7260EB709A85CF41

Function 03029A30 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f322fa29709025bbf84ef016a109d8b777f2d5994a4fc9401986058ea04c98a
Instruction ID: d935bab1ecb6f00b6071c6538dbe7366d93962c51cb27906dd29fbb20d872c21
Opcode Fuzzy Hash: 9f322fa29709025bbf84ef016a109d8b777f2d5994a4fc9401986058ea04c98a
Instruction Fuzzy Hash: AAA1E370D00218CFEB14DFA9C548BDDBBB1FF88304F249269E409A72A1DB759985CF55

Function 03029A40 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d54338545e5703a26f741167fcbc1855e5faeded0bb1790265290018e9c1789
Instruction ID: 4dad5407f4edfe0fd97aebef45f239fbf0b8c7b4fc43a6532bc218061dfe2e16
Opcode Fuzzy Hash: 3d54338545e5703a26f741167fcbc1855e5faeded0bb1790265290018e9c1789
Instruction Fuzzy Hash: 6EA1E370D00218CFEB24DFA9C948B9DFBB1FF89300F249269E409A72A1DB759985CF55

Function 03029D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60ef74cbc33e956063e8201efbcecedb6bceeb6e9023a83f40e23d9aa989dd7
Instruction ID: a9a99184efb6237e9c96b15625436f7bdf6454bb31dd128d11460ee36660d1a8
Opcode Fuzzy Hash: f60ef74cbc33e956063e8201efbcecedb6bceeb6e9023a83f40e23d9aa989dd7
Instruction Fuzzy Hash: 8291D370D00218CFEB10DFA8C548BDCBBB1FF89314F249269E409AB291DB759985CF54

Function 0302946F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6a9ab2564f4c27e59d33e143ea4d49783c246058a192006104adf8dfb346f7
Instruction ID: 28574e409670ff604a7f5bf6322a36aeee04b0c2193537376a5e56e15102293a
Opcode Fuzzy Hash: ac6a9ab2564f4c27e59d33e143ea4d49783c246058a192006104adf8dfb346f7
Instruction Fuzzy Hash: B741E274E01258CBEB18CFAAD4546DDFBF2AF89300F24D12AD819AB364DB395946CF50

Function 0302AD3D Relevance: 1.7, Strings: 1, Instructions: 461COMMON

Download Yara Rule

Strings

, xrefs: 0302B015

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f2fbaa7b6c19534060d72d1035457dc354a244781c6214e8571a266c79af35e1
Instruction ID: 345bf5b590513ab08a6c6ff3e3d09298d186b1f379078062cfff52468686ecaa
Opcode Fuzzy Hash: f2fbaa7b6c19534060d72d1035457dc354a244781c6214e8571a266c79af35e1
Instruction Fuzzy Hash: BB61D430B143148BDB15EF78A85926D7FA6EFC9320F54852AE916CB3D0DE388D02C791

Function 0302AF78 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

, xrefs: 0302B065

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: bb35e86a28c69a793a5fb004d221dd5e931ec83b93f5575f0aaadc94dcec76c4
Instruction ID: 07959111644a49090acda1eff2d638af110b12db58dd43364fe9fb9cba68c476
Opcode Fuzzy Hash: bb35e86a28c69a793a5fb004d221dd5e931ec83b93f5575f0aaadc94dcec76c4
Instruction Fuzzy Hash: D171B330B052149BDF25AF78A89926D7FA6EF85320F58861AF926873D0CF358D41C791

Function 0302B500 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dbdc7414ae30cc5a539cdf43929a518178274b66ddf7f9f172b4ffadba17fd8
Instruction ID: 3f287a70d85595799cedb12d834f3d5fd5fc2de5c2174b8d3b157b1405326a6d
Opcode Fuzzy Hash: 6dbdc7414ae30cc5a539cdf43929a518178274b66ddf7f9f172b4ffadba17fd8
Instruction Fuzzy Hash: 70D1E271B012148FDB15DB68D495BADBFF6EF89320F184466E406EB3A1CA35DC41CBA1

Function 030219B8 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f254f144098c6d7f469ecacbfcab8aa51898b0a73329e0287b2bfa43bdc7d0e7
Instruction ID: 589eb5e262e9db1b2db5e8854d56c8469b79f20adfabb05976a06455c328cd45
Opcode Fuzzy Hash: f254f144098c6d7f469ecacbfcab8aa51898b0a73329e0287b2bfa43bdc7d0e7
Instruction Fuzzy Hash: F9B18373E452A95FCF598B7888D03E97FB7EF6A200F9844D5D0C456209EB704A87C742

Function 0302BF80 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a51d0f5065ab362334d43a5532f93b45817f2f55b099503f56940a8d6168ce
Instruction ID: d1d86340912910f89207784eece1a769d6bc5f3d22dab2cdae580f32e9199fed
Opcode Fuzzy Hash: 08a51d0f5065ab362334d43a5532f93b45817f2f55b099503f56940a8d6168ce
Instruction Fuzzy Hash: 5361E576B013159FE728DABCD884AAEFFF9EBC8320B14852AE419D7740D631DC0187A0

Function 03020B29 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca482c30ffe9c2c9a5fa81555c5328afa89f2a9c11d94ed41ffcd91222e67f6
Instruction ID: eb0837f72605048d7df393fb5a7f2c93c30c99a76b946f447c915db103f319b2
Opcode Fuzzy Hash: 8ca482c30ffe9c2c9a5fa81555c5328afa89f2a9c11d94ed41ffcd91222e67f6
Instruction Fuzzy Hash: F5A1CAB8A00319CFCB04EFA8E98599DBBB1FBC8701B105569E805BB365DB386D45CF91

Function 03020B30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db0afeb8887e457616ba2c8634f30bdead34eb483bc953dbadc753a602da0ba
Instruction ID: 516853c305c94cc47420bbd9446a45daf14a83c5b01ae291d001e0381976bf05
Opcode Fuzzy Hash: 9db0afeb8887e457616ba2c8634f30bdead34eb483bc953dbadc753a602da0ba
Instruction Fuzzy Hash: FDA1CAB8A00319CFCB04EFA8E98599DBBB1FBC8701B105569E805AB365DB386D45CF91

Function 03023F78 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c6a40c0ded411c9e284b52763c18c489ac9e3776555813cdaf832f0af6147a3
Instruction ID: 7e6e9c142e5d61aeef6a338c1ba2204e54ce9fb88aa6fb91ec7f118b5c2d88e3
Opcode Fuzzy Hash: 6c6a40c0ded411c9e284b52763c18c489ac9e3776555813cdaf832f0af6147a3
Instruction Fuzzy Hash: F751E274E01218CFDB48DFAAD484A9DBBF2BF89301F24846AE815BB324DB349845CF10

Function 03023168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b823e96c2b2a3a52237cd41b66b40e46cf6d7e4af68495e71fd06bd744946e04
Instruction ID: da3a7d788b4beadeade8a8b6d3f4a001528b238925cc16edfe128321fe4baac5
Opcode Fuzzy Hash: b823e96c2b2a3a52237cd41b66b40e46cf6d7e4af68495e71fd06bd744946e04
Instruction Fuzzy Hash: FF41A2B8E012189FDB08DFAAD58499DBBF2BF89300F249169E805BB364DB355845CF14

Function 03029249 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0b3356c428e2dbaced6e54ea9be6d15be2e3afda009bcf8a9860fe7fa818f7
Instruction ID: a03e30d4877aec641e55ad91845972ae099d781dfba17414d811c600338f9fbe
Opcode Fuzzy Hash: ce0b3356c428e2dbaced6e54ea9be6d15be2e3afda009bcf8a9860fe7fa818f7
Instruction Fuzzy Hash: D63198744B630F9FD390AB21A5AE2BAFFA4FB4B323F047D05F00B815659F7505848A50

Function 0302B869 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b89b12aa97493a9291ae29b1f605da252c01ce7c1ea7a08f61119d9aa7677c09
Instruction ID: 48b81673072fce633c402cdf73391de57a51977c31b8c11a70ae7e5676588850
Opcode Fuzzy Hash: b89b12aa97493a9291ae29b1f605da252c01ce7c1ea7a08f61119d9aa7677c09
Instruction Fuzzy Hash: C2312835B002198FDB45DFA9C480EDDBBF2BF88620F195495E905AB361CB71EC81CBA1

Function 0302B89D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc3f4e55ce6aed36742ab03f7d79417267a967952a2431815d92ceb149857e8
Instruction ID: 5a96a7825afb38e85db4df8cebce822f94c7bdff8552f1d3b0dc30e574302cb9
Opcode Fuzzy Hash: ffc3f4e55ce6aed36742ab03f7d79417267a967952a2431815d92ceb149857e8
Instruction Fuzzy Hash: 6B312835B002198FDB45DFA9C480EDDBBB2BFC8620F195055E905AB361CB71EC41CBA1

Function 0302BDE8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad990d90ffd81733f6752d0667e40dcef4df3371e72ddf3f8e6b5b30b6dcab7
Instruction ID: bcb30c958eb31593cc797f1388e21ac0cc9a45f38ff0d12bcd2d075a1329b139
Opcode Fuzzy Hash: bad990d90ffd81733f6752d0667e40dcef4df3371e72ddf3f8e6b5b30b6dcab7
Instruction Fuzzy Hash: 783191347052089FDB08EF69D491AAEBFB6FFC9200F5484A9E9068B361DE319D11D791

Function 030218C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72a1fab938ff8a0e447b00ff51d55143a65b5d04b441238bc8448ebee4770d7
Instruction ID: 4a03f28ba9cbc594be9d1c7bb6fa6ac8dbd739319e2ac01898523818eb1e3ad3
Opcode Fuzzy Hash: e72a1fab938ff8a0e447b00ff51d55143a65b5d04b441238bc8448ebee4770d7
Instruction Fuzzy Hash: 6921C475A00116EFCB58DF24C4409AE7BB5EBD9360B54C15DE80AAB344EB36EE46CBC1

Function 0302BC28 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e2028054208fcc845d9d8652a446ab450b2a005bd2d0b5cad8bf2e8a7a4a19
Instruction ID: 09159fb543271e80e46c6b7b1e2e422722e3d67c7edf465843bcef41e7ddbc01
Opcode Fuzzy Hash: b9e2028054208fcc845d9d8652a446ab450b2a005bd2d0b5cad8bf2e8a7a4a19
Instruction Fuzzy Hash: 2721F2357063944FCB16E77498252AD7FB69FC6241B1944BBD50ACF692CC34DC06C360

Function 0148D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740278062.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_148d000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ab20ef625c5c0455143d4ed580177d009f58c5a4974ea0d0dac31cb8590920
Instruction ID: 4d274cf51898d2c8552a87fa93cd3742466d1a70908405ebea105b3e1fbf0542
Opcode Fuzzy Hash: 63ab20ef625c5c0455143d4ed580177d009f58c5a4974ea0d0dac31cb8590920
Instruction Fuzzy Hash: 512125B1A04304DFDB15EF54D980B1ABB61FB85318F20C66ED80A4B3A2C336D447CB62

Function 0148D006 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740278062.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_148d000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028bc899224710fdedf9fad05e5c0687f2a139e6490b794a2ba748cb974e2015
Instruction ID: f2656d92aa64f5a968cc2c9daee89252ea9d0b03b239696aa50a05795e167e66
Opcode Fuzzy Hash: 028bc899224710fdedf9fad05e5c0687f2a139e6490b794a2ba748cb974e2015
Instruction Fuzzy Hash: 12216B715093C49FC703DB64D990715BF71AB47214F29C5DBD8898F2A3C23A980ACB62

Function 0302BD01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27192be720f006988c57f7fa56a40163efcb93bd9e5c8cad91c215897b57155c
Instruction ID: 4b240e2fbd2f4949ea34998643904f4cc56a4db49499f9e416ff4bf819bf190f
Opcode Fuzzy Hash: 27192be720f006988c57f7fa56a40163efcb93bd9e5c8cad91c215897b57155c
Instruction Fuzzy Hash: E1216F71A00208AFDB44EFB9D855AEEBBB6EF88300F54846AE115D7255DF349E02DB90

Function 03020EC8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe16a2f866ea15074a4db8ce98a51360802d7886a1a8368a0e4593e19b6fd1f7
Instruction ID: d98b267d85f69b7a1772b1a76ca89cf9fafe1130e5eadf62484b50ea06939e33
Opcode Fuzzy Hash: fe16a2f866ea15074a4db8ce98a51360802d7886a1a8368a0e4593e19b6fd1f7
Instruction Fuzzy Hash: 04215074E0131ADBDB48EFA9D44479EBBB2FFC4304F14846A8818AB394DB795945CF41

Function 030217B8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2ce081ae9619dd090377a8ed6055c3f1dd52adfe0adf3abb15172d525c6a28
Instruction ID: 467f4f3a5ba52ff96f54e438e9fe6b99e93d35abd395817885f01cb440c11a2f
Opcode Fuzzy Hash: 3b2ce081ae9619dd090377a8ed6055c3f1dd52adfe0adf3abb15172d525c6a28
Instruction Fuzzy Hash: 36213774D057498FCB05EFA8D8555EEBFF0FF4A200F0441AAE805B7261EB345A89CBA1

Function 0302BB48 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0bfe8c86aa650a80fcc6e8f29e5b3fd360c47e0cf0f57442a98926d33ada49
Instruction ID: 535edf1a669de72c24c37470b9ad49a7f3ae07b12908e7b3b3950931eb83b545
Opcode Fuzzy Hash: 2c0bfe8c86aa650a80fcc6e8f29e5b3fd360c47e0cf0f57442a98926d33ada49
Instruction Fuzzy Hash: 3D116A32301214CFD715DB69D984E56BBE6FFC8621F1484AAE64A8B364CAB1EC04CB50

Function 0302BB22 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049a6450a142dda62685df6ab0dc61021c5152c24d17ea5a333b70b38b6eb5fb
Instruction ID: eae54468d12023cd2b74a4f4e93b8536b4738612a817b5ff95e7e84f8dec4d33
Opcode Fuzzy Hash: 049a6450a142dda62685df6ab0dc61021c5152c24d17ea5a333b70b38b6eb5fb
Instruction Fuzzy Hash: 3611EF757052108FD716DB25C944B957BF1EF89610F1980AAE149CB2A2C670DC08C711

Function 03024850 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d7020f4ad2875c9caf96c9151ee5b14e1af2561bf70db1e3b0fd7387130f14
Instruction ID: d54c3e9def9b19917d39419784aa90b84f593a72b2ee491e69063d503903bca7
Opcode Fuzzy Hash: 85d7020f4ad2875c9caf96c9151ee5b14e1af2561bf70db1e3b0fd7387130f14
Instruction Fuzzy Hash: 0C012432B003198FDB14AA7AAC5462F7BEBAFC4625319847ADD05CB364FE71CC018791

Function 0302C1F9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdaa6dff27fc1f0858b2a123dc7dd5af13345d2a6bc5809cfa8521a4acd7f567
Instruction ID: e3799e70075157fdcaa7997c120798536740cf43ded544aecdb165da1f391bce
Opcode Fuzzy Hash: bdaa6dff27fc1f0858b2a123dc7dd5af13345d2a6bc5809cfa8521a4acd7f567
Instruction Fuzzy Hash: E8117C79701A108FE768DFAAD45496AFBF1EF8971170981ADE44ACB731CB30E805CB40

Function 03024860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe5efcb3c4d1b9a980b3912798e6b20cb957e095026ee27a9123de6ff971257d
Instruction ID: 3e4fa31a889454af68b12b827f13a7696ed822ea7cb39dae9e4e47b9e083eab6
Opcode Fuzzy Hash: fe5efcb3c4d1b9a980b3912798e6b20cb957e095026ee27a9123de6ff971257d
Instruction Fuzzy Hash: 86018632B012158FDB14AB7A985453F7AEBAFC4565354847ADD05C7364FE71C8048791

Function 0302A508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c4e1665aea2e39d8fb5c9b49068f9563f859d0970139e6fd1c153cb9c833f83
Instruction ID: e6c850a8cb18dc654a1abdfce61241359a5296e3b3f6c367609ac3783a5bf3ae
Opcode Fuzzy Hash: 6c4e1665aea2e39d8fb5c9b49068f9563f859d0970139e6fd1c153cb9c833f83
Instruction Fuzzy Hash: 57018C71E103199FCB14DF69E8585AEBFB9EB88350F40443AF91A93240DE348D10CBA1

Function 0302A4F9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f09f74e56f2db733c2c1159c9c4661eca50255e4883bea0aeedfe14f59b21a
Instruction ID: ef9084058c563c77317248fff804898f2bc44de76315f2ea3a6ce4277cfd059e
Opcode Fuzzy Hash: 36f09f74e56f2db733c2c1159c9c4661eca50255e4883bea0aeedfe14f59b21a
Instruction Fuzzy Hash: B6012CB6E1022E9FCB14EF68E9455EEBFB5EB48350F444436E91AD3251DF348910CB91

Function 0302BEF8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71700ed5e1cfcc4afdc7be986ea32cb05f281bb3364ba8a034feb8d94e8e537d
Instruction ID: 0f6c0367d0649ed9e84bc5a9f4af730aabd368abb5abbeb6667f98559586fea2
Opcode Fuzzy Hash: 71700ed5e1cfcc4afdc7be986ea32cb05f281bb3364ba8a034feb8d94e8e537d
Instruction Fuzzy Hash: A9F02B367103188BCB4567B4E80A26C7FEAEBC9211F18486BF60AC7381DE35CD42D751

Function 0302BD78 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bafe47a5ac80b2e2782a99c4d77c55deb354d8e84b2db01556e411a994c8a4
Instruction ID: b63a33d02c4ca78b6499c9e42db3a1a2ff652102d063d490ef154f638b209ded
Opcode Fuzzy Hash: 42bafe47a5ac80b2e2782a99c4d77c55deb354d8e84b2db01556e411a994c8a4
Instruction Fuzzy Hash: 81F04F72A00218AFCB40EF69DC449BFBFF9EF88210B504066F519D7211DA3199118BA0

Function 0302C1B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8921e3bc4a801c695eca06b65aaefe1a41b17d7e8efd0cf8690dd1d8caf913
Instruction ID: 9bb43c7c5617278ba3472a183d0d5fe189c3efe75b2b04071938c61eda441a39
Opcode Fuzzy Hash: 1f8921e3bc4a801c695eca06b65aaefe1a41b17d7e8efd0cf8690dd1d8caf913
Instruction Fuzzy Hash: ABF0A032B417259BDB19D66EE4259AEBBEADFC5631B1400BAF509DB350CE32DC028790

Function 0302B9EA Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00d56944bedffc7ce360e9658b531c87d671827a66a847699f8732128f6a399
Instruction ID: 004408d67808ecc007e3e7c0f9ef95d0571633ee34a6576c924ab7ffb989b8fe
Opcode Fuzzy Hash: a00d56944bedffc7ce360e9658b531c87d671827a66a847699f8732128f6a399
Instruction Fuzzy Hash: 7BF090BAE012099FDB50EEA9D845AEFBBF5FB98250F004536D609E3201E77055028BA1

Function 030246C9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363c926e6379c82444b36e62ae8527efa112a03649a558155545a6c2681a8417
Instruction ID: c981c1c34f88eadc8404c382eb5c2e1e2d3f5a35ec34cf0e546fcc119a94bede
Opcode Fuzzy Hash: 363c926e6379c82444b36e62ae8527efa112a03649a558155545a6c2681a8417
Instruction Fuzzy Hash: 0CF0A5350693428FD3212B20B4AC72EBF74EB0B327B486D5AE00DD947ADB744444CB26

Function 0302B9F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 971930e105d9c586665bd4cf611360d7dbc03564214f92d3afd85094e2c27ea2
Instruction ID: 3c44a88577355e851938c1f6ab3f4b0973f34fddb67980cbed380e4fcf68797d
Opcode Fuzzy Hash: 971930e105d9c586665bd4cf611360d7dbc03564214f92d3afd85094e2c27ea2
Instruction Fuzzy Hash: 1FF08275E012089F8B50DFADD84099FFFF5FB88650B50453AE509D3200E77099118BE1

Function 030246D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90067405e5eb97fb44901410ba2b73499a7a96d959b3c07edc4ef734a4f9a399
Instruction ID: bc3373e4fe72f2f9ad88aa28f4af5f1beda0fe6bad0d8de4590ae609b605e422
Opcode Fuzzy Hash: 90067405e5eb97fb44901410ba2b73499a7a96d959b3c07edc4ef734a4f9a399
Instruction Fuzzy Hash: 84E00975426307CBE2702B65B5AC73EBBB5EB0B327B846D18A40EE94399F7048448B65

Function 03021877 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b55727938710cd91470af8b3895ba8f27aa478a15d8500e49ab9fb31aa0c2b77
Instruction ID: f5d5edb82430d9ac7f8b108507faca8fce330e5fc4631b83c20c659e35a111ec
Opcode Fuzzy Hash: b55727938710cd91470af8b3895ba8f27aa478a15d8500e49ab9fb31aa0c2b77
Instruction Fuzzy Hash: 83E02633D9022B87CB00AAD0EC016DEB778EF81232F904623D010B2140EB74228986E0

Function 03021888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d431ec3eb72ccafd2697e23b86d7ee21a4311ac51bdd0ac8acd4f6dc137729
Instruction ID: 95853cd4a34060b04074003491279439ef00b1d81410583e0b290ca678964f17
Opcode Fuzzy Hash: 91d431ec3eb72ccafd2697e23b86d7ee21a4311ac51bdd0ac8acd4f6dc137729
Instruction Fuzzy Hash: 15D05B31D2022B97CB10E7A5DC044EFF738EED5262B504626D51537140FB712659C6E1

Function 0302C208 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79ebb6defaa8a6493ecdbf9e5f619e180c90a5ddfaaa55f82be96a9f111f1ae
Instruction ID: 11a25c83ce4e8c69e7bd45661febb1454f3660a2fd7253c1476b7b971191b3f0
Opcode Fuzzy Hash: a79ebb6defaa8a6493ecdbf9e5f619e180c90a5ddfaaa55f82be96a9f111f1ae
Instruction Fuzzy Hash: 92D0A9313512248FC758EFA9E008869FBF8EF0862130840AEF90ACB321CF60EC008B80

Function 03024831 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2740796983.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3020000_iREediqoQIKIHt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc47cbf9560c0d1d938bbce19a3ede99c79b7aa6988c06e202f88c021a2227a
Instruction ID: 2bd67cd5aebb5c537aa8693a3da1e7d3fa3c864533033b1c5f95bc6d3f3316f6
Opcode Fuzzy Hash: acc47cbf9560c0d1d938bbce19a3ede99c79b7aa6988c06e202f88c021a2227a
Instruction Fuzzy Hash: 3DB092B2A1028843DF291620F55B3996B60BB52320F98889AAC46C02A5FD1880108600

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ABG Draft.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ABG Draft.scr.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\iREediqoQIKIHt.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3svell0f.wp3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fybau3r5.ifl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iq1ediny.jm3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xstf0pa4.bn3.ps1

C:\Users\user\AppData\Local\Temp\tmpB486.tmp

C:\Users\user\AppData\Local\Temp\tmpC1F4.tmp

C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe

C:\Users\user\AppData\Roaming\iREediqoQIKIHt.exe:Zone.Identifier

Static File Info

General

Windows Analysis Report
ABG Draft.scr.exe

Function 00F5D369 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Function 00F5D378 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 00F5B3B1 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre