Edit tour

Windows Analysis Report
Catalina - Particulars.pdf.scr.exe

Overview

General Information

Sample name:	Catalina - Particulars.pdf.scr.exe
Analysis ID:	1500931
MD5:	316329f616d991c23b6718ba353a6b3a
SHA1:	01afaeed5a260c3909b2e14041cee23923c2d6d3
SHA256:	eec4404be651d77865707efa282ec7899a97550ad25351a70a926679f6b34bdf
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Catalina - Particulars.pdf.scr.exe (PID: 6636 cmdline: "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe" MD5: 316329F616D991C23B6718BA353A6B3A)

powershell.exe (PID: 2120 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Catalina - Particulars.pdf.scr.exe (PID: 8 cmdline: "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe" MD5: 316329F616D991C23B6718BA353A6B3A)

Catalina - Particulars.pdf.scr.exe (PID: 5856 cmdline: "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe" MD5: 316329F616D991C23B6718BA353A6B3A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.4098954296.00000000029C7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.4097386384.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.4097386384.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.4098954296.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.4098954296.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1669471296.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1669471296.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Catalina - Particulars.pdf.scr.exe PID: 6636	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Catalina - Particulars.pdf.scr.exe PID: 6636	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Catalina - Particulars.pdf.scr.exe PID: 6636	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Catalina - Particulars.pdf.scr.exe PID: 5856	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Catalina - Particulars.pdf.scr.exe PID: 5856	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x312d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31345:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x313cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31461:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x314cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3153d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x315d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31663:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2e6c6:$s2: GetPrivateProfileString 0x2ddc5:$s3: get_OSFullName 0x2f403:$s5: remove_Key 0x2f592:$s5: remove_Key 0x30473:$s6: FtpWebRequest 0x312b5:$s7: logins 0x31827:$s7: logins 0x3450a:$s7: logins 0x345ea:$s7: logins 0x35ee6:$s7: logins 0x35184:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x312d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31345:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x313cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31461:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x314cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3153d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x315d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31663:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2e6c6:$s2: GetPrivateProfileString 0x2ddc5:$s3: get_OSFullName 0x2f403:$s5: remove_Key 0x2f592:$s5: remove_Key 0x30473:$s6: FtpWebRequest 0x312b5:$s7: logins 0x31827:$s7: logins 0x3450a:$s7: logins 0x345ea:$s7: logins 0x35ee6:$s7: logins 0x35184:$s9: 1.85 (Hash, version 2, native byte-order)
5.2.Catalina - Particulars.pdf.scr.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.Catalina - Particulars.pdf.scr.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.Catalina - Particulars.pdf.scr.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33145:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33261:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3333d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33463:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.Catalina - Particulars.pdf.scr.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304c6:$s2: GetPrivateProfileString 0x2fbc5:$s3: get_OSFullName 0x31203:$s5: remove_Key 0x31392:$s5: remove_Key 0x32273:$s6: FtpWebRequest 0x330b5:$s7: logins 0x33627:$s7: logins 0x3630a:$s7: logins 0x363ea:$s7: logins 0x37ce6:$s7: logins 0x36f84:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6d4f3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33145:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6d565:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6d5ef:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33261:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6d681:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6d6eb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3333d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6d75d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6d7f3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33463:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6d883:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304c6:$s2: GetPrivateProfileString 0x6a8e6:$s2: GetPrivateProfileString 0x2fbc5:$s3: get_OSFullName 0x69fe5:$s3: get_OSFullName 0x31203:$s5: remove_Key 0x31392:$s5: remove_Key 0x6b623:$s5: remove_Key 0x6b7b2:$s5: remove_Key 0x32273:$s6: FtpWebRequest 0x6c693:$s6: FtpWebRequest 0x330b5:$s7: logins 0x33627:$s7: logins 0x3630a:$s7: logins 0x363ea:$s7: logins 0x37ce6:$s7: logins 0x6d4d5:$s7: logins 0x6da47:$s7: logins 0x7072a:$s7: logins 0x7080a:$s7: logins 0x72106:$s7: logins 0x36f84:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6d6f3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa7b13:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33145:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6d765:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa7b85:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6d7ef:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa7c0f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33261:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6d881:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa7ca1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6d8eb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa7d0b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3333d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6d95d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa7d7d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6d9f3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa7e13:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304c6:$s2: GetPrivateProfileString 0x6aae6:$s2: GetPrivateProfileString 0xa4f06:$s2: GetPrivateProfileString 0x2fbc5:$s3: get_OSFullName 0x6a1e5:$s3: get_OSFullName 0xa4605:$s3: get_OSFullName 0x31203:$s5: remove_Key 0x31392:$s5: remove_Key 0x6b823:$s5: remove_Key 0x6b9b2:$s5: remove_Key 0xa5c43:$s5: remove_Key 0xa5dd2:$s5: remove_Key 0x32273:$s6: FtpWebRequest 0x6c893:$s6: FtpWebRequest 0xa6cb3:$s6: FtpWebRequest 0x330b5:$s7: logins 0x33627:$s7: logins 0x3630a:$s7: logins 0x363ea:$s7: logins 0x37ce6:$s7: logins 0x6d6d5:$s7: logins
Click to see the 17 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe", ParentImage: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe, ParentProcessId: 6636, ParentProcessName: Catalina - Particulars.pdf.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe", ProcessId: 2120, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe", ParentImage: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe, ParentProcessId: 6636, ParentProcessName: Catalina - Particulars.pdf.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe", ProcessId: 2120, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Catalina - Particulars.pdf.scr.exe

Avira: detected

Found malware configuration

Source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}

Multi AV Scanner detection for submitted file

Source: Catalina - Particulars.pdf.scr.exe	ReversingLabs: Detection: 28%
Source: Catalina - Particulars.pdf.scr.exe	Virustotal: Detection: 35%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Catalina - Particulars.pdf.scr.exe

Joe Sandbox ML: detected

Source: Catalina - Particulars.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: Catalina - Particulars.pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 4x nop then jmp 06E2412Fh	0_2_06E24256
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 4x nop then jmp 06E2412Fh	0_2_06E2429B
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 4x nop then jmp 06E2412Fh	0_2_06E247E9

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	IP Address: 50.87.144.157 50.87.144.157
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: beirutrest.com

Source: Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4098954296.00000000029C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://beirutrest.com
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1668490592.000000000270E000.00000004.00000800.00020000.00000000.sdmp, Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4098954296.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4102529284.0000000006263000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp, Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673312818.0000000005054000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1669471296.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4097386384.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1669471296.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4097386384.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4098954296.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4098954296.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4098954296.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack, n00.cs	.Net Code: lGCzgIzdr
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.raw.unpack, n00.cs	.Net Code: lGCzgIzdr

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 5.2.Catalina - Particulars.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.Catalina - Particulars.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Catalina - Particulars.pdf.scr.exe

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_04BBDFB8	0_2_04BBDFB8
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_04BB6C80	0_2_04BB6C80
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_04BB6C71	0_2_04BB6C71
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_04BBDFA8	0_2_04BBDFA8
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_04BB48C4	0_2_04BB48C4
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_06C4C598	0_2_06C4C598
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_06C4C589	0_2_06C4C589
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_06C40040	0_2_06C40040
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_06C4FA68	0_2_06C4FA68
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_06E23FA0	0_2_06E23FA0
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_06E216E8	0_2_06E216E8
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_06E216D7	0_2_06E216D7
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_06E23FD0	0_2_06E23FD0
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_06E20040	0_2_06E20040
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_06E20007	0_2_06E20007
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_07226014	0_2_07226014
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_027CE5B8	5_2_027CE5B8
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_027C4A58	5_2_027C4A58
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_027C3E40	5_2_027C3E40
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_027CDD38	5_2_027CDD38
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_027C4188	5_2_027C4188
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_027CA9E0	5_2_027CA9E0
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_0662A4EC	5_2_0662A4EC
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_06628970	5_2_06628970
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_0662B5F8	5_2_0662B5F8
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_0662D3F0	5_2_0662D3F0
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_066365F0	5_2_066365F0
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_066355A0	5_2_066355A0
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_06637D80	5_2_06637D80
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_0663B238	5_2_0663B238
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_06633060	5_2_06633060
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_0663C190	5_2_0663C190
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_066376A0	5_2_066376A0
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_06635CE3	5_2_06635CE3
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_066302B7	5_2_066302B7
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_06632340	5_2_06632340
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_0663E3A8	5_2_0663E3A8

Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1668490592.000000000270E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs Catalina - Particulars.pdf.scr.exe
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1674158208.0000000006DD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs Catalina - Particulars.pdf.scr.exe
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000000.1648044295.0000000000306000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiGIh.exeB vs Catalina - Particulars.pdf.scr.exe
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1668490592.00000000026A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs Catalina - Particulars.pdf.scr.exe
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1667141653.00000000007AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Catalina - Particulars.pdf.scr.exe
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1674884092.0000000008590000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Catalina - Particulars.pdf.scr.exe
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1669471296.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs Catalina - Particulars.pdf.scr.exe
Source: Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1669471296.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Catalina - Particulars.pdf.scr.exe
Source: Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4097857547.0000000000C28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Catalina - Particulars.pdf.scr.exe
Source: Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4097386384.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs Catalina - Particulars.pdf.scr.exe
Source: Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4097603804.00000000007D9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Catalina - Particulars.pdf.scr.exe
Source: Catalina - Particulars.pdf.scr.exe	Binary or memory string: OriginalFilenameiGIh.exeB vs Catalina - Particulars.pdf.scr.exe

Source: Catalina - Particulars.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 5.2.Catalina - Particulars.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.Catalina - Particulars.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: Catalina - Particulars.pdf.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack, NpXw3kw.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack, NpXw3kw.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack, fpnV0Qjz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack, fpnV0Qjz.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, B2L5aEjRXysgRIZRuW.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, B2L5aEjRXysgRIZRuW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, nYi8BSaNnGjlIS3QtT.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, nYi8BSaNnGjlIS3QtT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, nYi8BSaNnGjlIS3QtT.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, B2L5aEjRXysgRIZRuW.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, B2L5aEjRXysgRIZRuW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, nYi8BSaNnGjlIS3QtT.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, nYi8BSaNnGjlIS3QtT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, nYi8BSaNnGjlIS3QtT.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/6@2/2

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Catalina - Particulars.pdf.scr.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:648:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rq405u4c.ocl.ps1

Jump to behavior

Source: Catalina - Particulars.pdf.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Catalina - Particulars.pdf.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Catalina - Particulars.pdf.scr.exe	ReversingLabs: Detection: 28%
Source: Catalina - Particulars.pdf.scr.exe	Virustotal: Detection: 35%

Source: unknown	Process created: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe"
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe"
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process created: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process created: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe"
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process created: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process created: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Catalina - Particulars.pdf.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Catalina - Particulars.pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Catalina - Particulars.pdf.scr.exe.26d950c.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, nYi8BSaNnGjlIS3QtT.cs	.Net Code: KeWhwfxWg3 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, nYi8BSaNnGjlIS3QtT.cs	.Net Code: KeWhwfxWg3 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Catalina - Particulars.pdf.scr.exe.6dd0000.4.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_04BB2208 push 18418B02h; ret	0_2_04BB2463
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_04BBC970 push C0335002h; mov dword ptr [esp], eax	0_2_04BBC9A3
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_04BB8AEE push 8B5004BBh; iretd	0_2_04BB8AF3
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_06C485DE push edx; iretd	0_2_06C485DF
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_06E27C0A push dword ptr [ebx+ebp-75h]; iretd	0_2_06E27C15
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_06E27D05 push FFFFFF8Bh; iretd	0_2_06E27D07
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 0_2_0722051A push FFFFFF8Bh; iretd	0_2_07220532
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Code function: 5_2_027C0C55 push edi; retf	5_2_027C0C7A

Source: Catalina - Particulars.pdf.scr.exe

Static PE information: section name: .text entropy: 7.976543607556141

Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, SV8ANt0wonSLuisvxS.cs	High entropy of concatenated method names: 'wl3RuyJngo', 'wP6R3U90XX', 'OL7RQruLNu', 'zW6RGnxHve', 'hfCRfjFxpy', 'U7ERkKIs0F', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, bNrLNsXJefjX0OEBeq.cs	High entropy of concatenated method names: 'WrBwU4ABY', 'e4xTTIg86', 'cE91bX4hH', 'BJVtZCAPD', 'wQbI8oTRj', 'dv8n47KQf', 'EOyptK3VHQoRFEu2hd', 'uYfV58i55YMnxmqUgX', 'HpPRA6VAq', 'Aj5duPKkO'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, bVCVi0Cowk2d0DhiSK6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'a2ydfVRn8p', 'aRsdBPjpgC', 'M2Ldr1As15', 'eb3dcciw5L', 'KKMdmkE59C', 'mfNder4iLM', 'WvndKTEyOQ'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, zA0pYrs0iP2yVuupk9.cs	High entropy of concatenated method names: 'UfBACBy7Tp', 'EdNAoJvL17', 'qkUAhJWoD5', 'CZaAO3slN1', 'XtdAFHHYtM', 't19APq7q8q', 'F2eAMS14AU', 'WF7RKBTDIA', 'YowRZOAOxl', 'QtjR0TgZbk'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, B2L5aEjRXysgRIZRuW.cs	High entropy of concatenated method names: 'x0oFfx6XVH', 'r8xFBqGLrT', 'oJ6FrgogOw', 'kaiFcrVjqT', 'udSFm77oJT', 'n9nFeJpvh9', 'PuJFKy6gDy', 'mfqFZc1HCL', 'E74F0Cga1a', 'i10FsCxLB3'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, SpQ6yTpEUGYePwvqpE.cs	High entropy of concatenated method names: 'hUjvOW7kWI', 'VD7v64uQBR', 'VPIvMp3kub', 'o6lMspM26j', 'qwWMzkwvMN', 'qULvEs2iri', 'uB1vCUJwID', 'xFsvX6dH0q', 'sRHvoeQi2y', 'SJwvhfI0JN'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, HhjDVKzjmJsIdajAeY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'imkAyhPRG9', 'fTkASUNGRb', 'ijuALdmDlY', 'mttAH4w0jy', 'f2LARD5T2T', 'QvQAACJWF4', 't8xAdnxMec'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, vcj5BQINYp1945GiEM.cs	High entropy of concatenated method names: 'Rxv6TVcciw', 'Urd61EdWTq', 'kCe6jqLcw7', 'QN96IItR3a', 'yNo6SDRBZF', 'qGx6LoFote', 'niW6HSCgUO', 'jA26R6caRg', 'wNt6AT8WxZ', 'zff6djT2Qm'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, FenasDCE6e4gGUpOoCX.cs	High entropy of concatenated method names: 'zEWAbTMmNd', 'mPKANfGPuW', 'tf1Aw2A0MU', 'nM8ATsF6SG', 'xmFAY6ra2G', 'qmQA15GgxV', 'TX7Ato7M87', 'LUuAjwfK1C', 'zixAI3Usgs', 'rgcAnTmu1M'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, BHYXdseLAfHAZxY0Cf.cs	High entropy of concatenated method names: 'jbaHZYckcP', 'I2wHsK6FX7', 'Qa9REFDg6L', 'POZRCO6uvl', 'I1qH824PZk', 'byeH49Baj1', 'zy3Hib8Jsv', 'hlGHfZdGtu', 'IQVHB6Wbii', 'nxiHrLIvjB'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, Lc7ZWBr63vE8ZV0QGZ.cs	High entropy of concatenated method names: 'ToString', 'xJXL8PeNHv', 'seNL36dMSR', 'e9rLQhrvKX', 'UqGLGMLRv2', 'dxaLkIpst5', 'CxOL2Unp4f', 'z8iLp0xxVS', 'wQeLDaJ8SV', 'bB3LqEbvMs'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, yd5lVYZaW1XkY2Gjwn.cs	High entropy of concatenated method names: 'yPuRO74lZ4', 'qfhRFBkb5B', 'WtMR6eDmkx', 'JC3RP6U2av', 'gDWRMo8Iws', 'mgTRvtXG5H', 'IxyRaSwp1w', 'e8SRJaPDmj', 'BPiR9XmmeC', 'QfiRWiabgo'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, R8KxRyfHXE6S7906P5.cs	High entropy of concatenated method names: 'F0dSVdI78s', 'ppsS4l0gKi', 'HhESfw6HeV', 'gOZSBXpYUD', 'qe3S3iHC6L', 'mcOSQwDFfH', 'cnXSGVlr2F', 'tNiSkn3VjH', 'jCHS2P1uow', 'jx0SpcH6KQ'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, nYi8BSaNnGjlIS3QtT.cs	High entropy of concatenated method names: 'eFgogDRgm3', 'seDoOx6JaC', 'oHQoFLbEFg', 'm25o6sU6Wg', 'T7yoPTC5Bx', 'M1PoMClTr4', 'D1BovoRm1M', 'sDtoawmkta', 'dyuoJwfRxI', 'kcto9xXrwq'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, Y54GlDujCA6OvrPjFG.cs	High entropy of concatenated method names: 'A7CMgoR6ad', 'WW5MFUt4IB', 'qaqMP6bKY8', 'O6qMvV75Uv', 'BCSMaEMLlv', 'fglPmMXVGg', 'RiaPeSl2OI', 'b9UPKIgaqB', 'WwuPZkwEVc', 'kArP0fQikC'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, O482BBhOkBYacs8xH4.cs	High entropy of concatenated method names: 'rMYCv2L5aE', 'rXyCasgRIZ', 'HNYC9p1945', 'JiECWMAwGZ', 'k4ICSaDs54', 'IlDCLjCA6O', 'nRmWRvEqqEEvTBkBiL', 'VekLimW4etVac9O1UT', 'CQbCCAwwR2', 'bSPCopDexV'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, k5gTp86BiWpSvW8eCv.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'sIjX0V18Dx', 'frTXswRPpa', 'P2IXzgq53N', 'M3doEQ7bMw', 'AFgoC9TqK5', 'M9MoXprUdm', 'Lwuoo4XdN8', 'VQtnGssLtRkTC2yh6a7'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, TUkuLYF4h06tlXn81T.cs	High entropy of concatenated method names: 'Dispose', 'TigC0CB6Wh', 'tYAX3mwS3G', 'HpAjj4C0D9', 'PNdCs5lVYa', 'n1XCzkY2Gj', 'ProcessDialogKey', 'znrXEV8ANt', 'zonXCSLuis', 'jxSXXTA0pY'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, hXZ1F3c6OFljhIYkDZ.cs	High entropy of concatenated method names: 'YO7H9pdiAi', 'EomHWi2CyC', 'ToString', 'jl3HOXup4t', 'PhRHF4jKWS', 'gD0H6fN2VF', 'XxdHP95FGS', 'zyoHMmsdTd', 'eVdHvBa6yH', 'WtBHaXc3jx'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, TvlOHjq6SalyevWevC.cs	High entropy of concatenated method names: 'CMBvbqqu8S', 'XX1vNqdlcg', 'xkFvwkUx4w', 'if3vTrOVxq', 'I0FvYxdyAd', 'VpJv1OOBHS', 'Qt9vtElPRD', 'lSxvjA41jh', 'XjavIAG7fB', 'sYPvnDMJX1'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, rwGZyKnjlyPv9a4IaD.cs	High entropy of concatenated method names: 'JpAPYoclqB', 'oYUPtjOouK', 'D006Q8C9lp', 'EIA6Gveg6D', 'G4B6krb1d8', 'SIa62A887X', 'EKJ6pdnpHk', 'MfU6D6XXyL', 'Wmi6qyMk5V', 'eJU6Vb2qI8'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.38ae4c0.2.raw.unpack, tnv0d5ijxj1clMoWoD.cs	High entropy of concatenated method names: 'P3wyjj4k0b', 'phZyIZfqIt', 'JbEyup4yCD', 'Yaay3WucYm', 'N0hyGHYmft', 'o1mykiPGPI', 'Jcbyp61yWC', 'o6QyDm73Xl', 'qXvyV3bmA4', 'XKyy8eCOmu'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, SV8ANt0wonSLuisvxS.cs	High entropy of concatenated method names: 'wl3RuyJngo', 'wP6R3U90XX', 'OL7RQruLNu', 'zW6RGnxHve', 'hfCRfjFxpy', 'U7ERkKIs0F', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, bNrLNsXJefjX0OEBeq.cs	High entropy of concatenated method names: 'WrBwU4ABY', 'e4xTTIg86', 'cE91bX4hH', 'BJVtZCAPD', 'wQbI8oTRj', 'dv8n47KQf', 'EOyptK3VHQoRFEu2hd', 'uYfV58i55YMnxmqUgX', 'HpPRA6VAq', 'Aj5duPKkO'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, bVCVi0Cowk2d0DhiSK6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'a2ydfVRn8p', 'aRsdBPjpgC', 'M2Ldr1As15', 'eb3dcciw5L', 'KKMdmkE59C', 'mfNder4iLM', 'WvndKTEyOQ'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, zA0pYrs0iP2yVuupk9.cs	High entropy of concatenated method names: 'UfBACBy7Tp', 'EdNAoJvL17', 'qkUAhJWoD5', 'CZaAO3slN1', 'XtdAFHHYtM', 't19APq7q8q', 'F2eAMS14AU', 'WF7RKBTDIA', 'YowRZOAOxl', 'QtjR0TgZbk'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, B2L5aEjRXysgRIZRuW.cs	High entropy of concatenated method names: 'x0oFfx6XVH', 'r8xFBqGLrT', 'oJ6FrgogOw', 'kaiFcrVjqT', 'udSFm77oJT', 'n9nFeJpvh9', 'PuJFKy6gDy', 'mfqFZc1HCL', 'E74F0Cga1a', 'i10FsCxLB3'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, SpQ6yTpEUGYePwvqpE.cs	High entropy of concatenated method names: 'hUjvOW7kWI', 'VD7v64uQBR', 'VPIvMp3kub', 'o6lMspM26j', 'qwWMzkwvMN', 'qULvEs2iri', 'uB1vCUJwID', 'xFsvX6dH0q', 'sRHvoeQi2y', 'SJwvhfI0JN'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, HhjDVKzjmJsIdajAeY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'imkAyhPRG9', 'fTkASUNGRb', 'ijuALdmDlY', 'mttAH4w0jy', 'f2LARD5T2T', 'QvQAACJWF4', 't8xAdnxMec'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, vcj5BQINYp1945GiEM.cs	High entropy of concatenated method names: 'Rxv6TVcciw', 'Urd61EdWTq', 'kCe6jqLcw7', 'QN96IItR3a', 'yNo6SDRBZF', 'qGx6LoFote', 'niW6HSCgUO', 'jA26R6caRg', 'wNt6AT8WxZ', 'zff6djT2Qm'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, FenasDCE6e4gGUpOoCX.cs	High entropy of concatenated method names: 'zEWAbTMmNd', 'mPKANfGPuW', 'tf1Aw2A0MU', 'nM8ATsF6SG', 'xmFAY6ra2G', 'qmQA15GgxV', 'TX7Ato7M87', 'LUuAjwfK1C', 'zixAI3Usgs', 'rgcAnTmu1M'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, BHYXdseLAfHAZxY0Cf.cs	High entropy of concatenated method names: 'jbaHZYckcP', 'I2wHsK6FX7', 'Qa9REFDg6L', 'POZRCO6uvl', 'I1qH824PZk', 'byeH49Baj1', 'zy3Hib8Jsv', 'hlGHfZdGtu', 'IQVHB6Wbii', 'nxiHrLIvjB'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, Lc7ZWBr63vE8ZV0QGZ.cs	High entropy of concatenated method names: 'ToString', 'xJXL8PeNHv', 'seNL36dMSR', 'e9rLQhrvKX', 'UqGLGMLRv2', 'dxaLkIpst5', 'CxOL2Unp4f', 'z8iLp0xxVS', 'wQeLDaJ8SV', 'bB3LqEbvMs'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, yd5lVYZaW1XkY2Gjwn.cs	High entropy of concatenated method names: 'yPuRO74lZ4', 'qfhRFBkb5B', 'WtMR6eDmkx', 'JC3RP6U2av', 'gDWRMo8Iws', 'mgTRvtXG5H', 'IxyRaSwp1w', 'e8SRJaPDmj', 'BPiR9XmmeC', 'QfiRWiabgo'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, R8KxRyfHXE6S7906P5.cs	High entropy of concatenated method names: 'F0dSVdI78s', 'ppsS4l0gKi', 'HhESfw6HeV', 'gOZSBXpYUD', 'qe3S3iHC6L', 'mcOSQwDFfH', 'cnXSGVlr2F', 'tNiSkn3VjH', 'jCHS2P1uow', 'jx0SpcH6KQ'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, nYi8BSaNnGjlIS3QtT.cs	High entropy of concatenated method names: 'eFgogDRgm3', 'seDoOx6JaC', 'oHQoFLbEFg', 'm25o6sU6Wg', 'T7yoPTC5Bx', 'M1PoMClTr4', 'D1BovoRm1M', 'sDtoawmkta', 'dyuoJwfRxI', 'kcto9xXrwq'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, Y54GlDujCA6OvrPjFG.cs	High entropy of concatenated method names: 'A7CMgoR6ad', 'WW5MFUt4IB', 'qaqMP6bKY8', 'O6qMvV75Uv', 'BCSMaEMLlv', 'fglPmMXVGg', 'RiaPeSl2OI', 'b9UPKIgaqB', 'WwuPZkwEVc', 'kArP0fQikC'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, O482BBhOkBYacs8xH4.cs	High entropy of concatenated method names: 'rMYCv2L5aE', 'rXyCasgRIZ', 'HNYC9p1945', 'JiECWMAwGZ', 'k4ICSaDs54', 'IlDCLjCA6O', 'nRmWRvEqqEEvTBkBiL', 'VekLimW4etVac9O1UT', 'CQbCCAwwR2', 'bSPCopDexV'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, k5gTp86BiWpSvW8eCv.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'sIjX0V18Dx', 'frTXswRPpa', 'P2IXzgq53N', 'M3doEQ7bMw', 'AFgoC9TqK5', 'M9MoXprUdm', 'Lwuoo4XdN8', 'VQtnGssLtRkTC2yh6a7'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, TUkuLYF4h06tlXn81T.cs	High entropy of concatenated method names: 'Dispose', 'TigC0CB6Wh', 'tYAX3mwS3G', 'HpAjj4C0D9', 'PNdCs5lVYa', 'n1XCzkY2Gj', 'ProcessDialogKey', 'znrXEV8ANt', 'zonXCSLuis', 'jxSXXTA0pY'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, hXZ1F3c6OFljhIYkDZ.cs	High entropy of concatenated method names: 'YO7H9pdiAi', 'EomHWi2CyC', 'ToString', 'jl3HOXup4t', 'PhRHF4jKWS', 'gD0H6fN2VF', 'XxdHP95FGS', 'zyoHMmsdTd', 'eVdHvBa6yH', 'WtBHaXc3jx'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, TvlOHjq6SalyevWevC.cs	High entropy of concatenated method names: 'CMBvbqqu8S', 'XX1vNqdlcg', 'xkFvwkUx4w', 'if3vTrOVxq', 'I0FvYxdyAd', 'VpJv1OOBHS', 'Qt9vtElPRD', 'lSxvjA41jh', 'XjavIAG7fB', 'sYPvnDMJX1'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, rwGZyKnjlyPv9a4IaD.cs	High entropy of concatenated method names: 'JpAPYoclqB', 'oYUPtjOouK', 'D006Q8C9lp', 'EIA6Gveg6D', 'G4B6krb1d8', 'SIa62A887X', 'EKJ6pdnpHk', 'MfU6D6XXyL', 'Wmi6qyMk5V', 'eJU6Vb2qI8'
Source: 0.2.Catalina - Particulars.pdf.scr.exe.8590000.5.raw.unpack, tnv0d5ijxj1clMoWoD.cs	High entropy of concatenated method names: 'P3wyjj4k0b', 'phZyIZfqIt', 'JbEyup4yCD', 'Yaay3WucYm', 'N0hyGHYmft', 'o1mykiPGPI', 'Jcbyp61yWC', 'o6QyDm73Xl', 'qXvyV3bmA4', 'XKyy8eCOmu'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.scr

Static PE information: Catalina - Particulars.pdf.scr.exe

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Catalina - Particulars.pdf.scr.exe PID: 6636, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Memory allocated: C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Memory allocated: 26A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Memory allocated: CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Memory allocated: 8610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Memory allocated: 9610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Memory allocated: 9810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Memory allocated: A810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Memory allocated: 2950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Memory allocated: 4950000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 597896	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 597411	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 597289	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 597121	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 596995	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 596782	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 596657	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 596532	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 596407	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 596282	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 596157	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 594644	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 594529	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 594410	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 594290	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 594187	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 594078	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 593969	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 593844	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 593735	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3927	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2836	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Window / User API: threadDelayed 2147	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Window / User API: threadDelayed 7677	Jump to behavior

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 6516	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7232	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7192	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7260	Thread sleep count: 2147 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7260	Thread sleep count: 7677 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -599516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -599282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -599157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -599047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -598937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -597896s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -597411s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -597289s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -597121s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -596995s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -596891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -596782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -596657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -596532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -596407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -596282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -596157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -595563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -595438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -594766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -594644s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -594529s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -594410s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -594290s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -594187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -594078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -593969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -593844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe TID: 7256	Thread sleep time: -593735s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 597896	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 597411	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 597289	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 597121	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 596995	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 596782	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 596657	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 596532	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 596407	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 596282	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 596157	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 594644	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 594529	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 594410	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 594290	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 594187	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 594078	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 593969	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 593844	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Thread delayed: delay time: 593735	Jump to behavior

Source: Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4097857547.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe"
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe

Memory written: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process created: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Process created: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Catalina - Particulars.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4098954296.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4097386384.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4098954296.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1669471296.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Catalina - Particulars.pdf.scr.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Catalina - Particulars.pdf.scr.exe PID: 5856, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Catalina - Particulars.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4097386384.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4098954296.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1669471296.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Catalina - Particulars.pdf.scr.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Catalina - Particulars.pdf.scr.exe PID: 5856, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Catalina - Particulars.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Catalina - Particulars.pdf.scr.exe.36e3f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Catalina - Particulars.pdf.scr.exe.36a9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4098954296.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4097386384.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4098954296.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1669471296.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Catalina - Particulars.pdf.scr.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Catalina - Particulars.pdf.scr.exe PID: 5856, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	13 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	111 Security Software Discovery	Distributed Component Object Model	1 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Catalina - Particulars.pdf.scr.exe	29%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
Catalina - Particulars.pdf.scr.exe	35%	Virustotal		Browse
Catalina - Particulars.pdf.scr.exe	100%	Avira	HEUR/AGEN.1306920
Catalina - Particulars.pdf.scr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
beirutrest.com	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.microsoft.c	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
http://beirutrest.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
beirutrest.com	50.87.144.157	true	true	4%, Virustotal, Browse	unknown
api.ipify.org	172.67.74.152	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1669471296.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4097386384.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4098954296.0000000002951000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1669471296.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4097386384.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4098954296.0000000002951000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.c	Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4102529284.0000000006263000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1668490592.000000000270E000.00000004.00000800.00020000.00000000.sdmp, Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4098954296.0000000002951000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673451733.0000000006862000.00000004.00000800.00020000.00000000.sdmp, Catalina - Particulars.pdf.scr.exe, 00000000.00000002.1673312818.0000000005054000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://beirutrest.com	Catalina - Particulars.pdf.scr.exe, 00000005.00000002.4098954296.00000000029C7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
50.87.144.157	beirutrest.com	United States		46606	UNIFIEDLAYER-AS-1US	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500931
Start date and time:	2024-08-29 06:22:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Catalina - Particulars.pdf.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/6@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 165 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:22:55	API Interceptor	8977759x Sleep call for process: Catalina - Particulars.pdf.scr.exe modified
00:22:56	API Interceptor	10x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
50.87.144.157	Port Agency Appointment - VELOS ONYX.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse
	UNITY SAKURA - VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse
	BGC-2024-EST-001 & BGC-2024-DST-003.xlsx.scr.exe	Get hash	malicious	AgentTesla	Browse
	V022.20.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	E_QUOT_XLS_45-ELC205049A_P930M.xls.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	D121-D122-D123-D127-D128-D130-23-8-2024.xls.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	MT.Hunter - Vessel's Details.doc.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	MV Catalina Particulars.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	AQUAVITA AIM - VSL's PARTICULARS.docx.scr.exe	Get hash	malicious	AgentTesla	Browse
	MV KAI RUI - TC PARTICULARS.docx.scr.exe	Get hash	malicious	AgentTesla	Browse
172.67.74.152	zE7Ken4cFt.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	FormPlayer.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	PandaClient.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	golang-modules.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	242764.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=wef
	K8mzlntJVN.msi	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
beirutrest.com	Port Agency Appointment - VELOS ONYX.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
	UNITY SAKURA - VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
	BGC-2024-EST-001 & BGC-2024-DST-003.xlsx.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
	V022.20.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	50.87.144.157
	E_QUOT_XLS_45-ELC205049A_P930M.xls.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	50.87.144.157
	D121-D122-D123-D127-D128-D130-23-8-2024.xls.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	50.87.144.157
	MT.Hunter - Vessel's Details.doc.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	MV Catalina Particulars.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	AQUAVITA AIM - VSL's PARTICULARS.docx.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
	MV KAI RUI - TC PARTICULARS.docx.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
api.ipify.org	SecuriteInfo.com.BackDoor.SpyBotNET.62.13095.12836.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	rARKMONEY.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	z55enyioma.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://request-label-13956753.pages.dev/help/contact/135346556695032	Get hash	malicious	Unknown	Browse	104.26.13.205
	file.exe	Get hash	malicious	Meduza Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	Meduza Stealer	Browse	104.26.12.205
	1C24TDH_00017388.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Revised PI 28 08 2024.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Port Agency Appointment - VELOS ONYX.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	UNITY SAKURA - VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	rRFQ.bat.exe	Get hash	malicious	FormBook	Browse	162.241.226.190
	http://pxe.wvs.mybluehost.me/wise/number-account-854630/pages/login.php	Get hash	malicious	Unknown	Browse	50.87.253.221
	28082024.html	Get hash	malicious	HTMLPhisher	Browse	69.49.245.172
	https://shorturl.at/1l4Xw	Get hash	malicious	HTMLPhisher	Browse	69.49.230.198
	https://assets-usa.mkt.dynamics.com/c9f731e3-0864-ef11-a66d-6045bd003021/digitalassets/standaloneforms/0424cf3e-7364-ef11-bfe2-6045bd055762	Get hash	malicious	HTMLPhisher	Browse	162.241.61.243
	REQUEST FOR QUOTATION.exe	Get hash	malicious	FormBook, GuLoader	Browse	162.240.81.18
	mbda-us.comAudiowav012.html	Get hash	malicious	HTMLPhisher	Browse	69.49.245.172
	mbda-us.comAudiowav012.html	Get hash	malicious	HTMLPhisher	Browse	69.49.245.172
	factura-630.900.exe	Get hash	malicious	FormBook	Browse	162.241.226.190
	External VM-Transcript Caller Left 3 CALLMSGS 000047Secs 2808.eml.msg	Get hash	malicious	HTMLPhisher	Browse	192.185.155.179
CLOUDFLARENETUS	file.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.BackDoor.SpyBotNET.62.13095.12836.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Payment Advice.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Spec sheet.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	vYhaKbJF08.exe	Get hash	malicious	LummaC	Browse	104.21.16.74
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.146.35

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SecuriteInfo.com.BackDoor.SpyBotNET.62.13095.12836.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	pop.vbs	Get hash	malicious	Remcos	Browse	172.67.74.152
	rVAKIFBANK-#U00d6demeonaymakbuzu20240826.pdf.exe	Get hash	malicious	Quasar	Browse	172.67.74.152
	rARKMONEY.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	z55enyioma.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://identifier-vous456.wixsite.com/my-site/	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://1113a6f.netsolhost.com/	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://pub-0c5198abed8c43b8a5e3815e602f4134.r2.dev/index.html	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://allegro-2000.com/	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.357042452875322
Encrypted:	false
SSDEEP:	24:3CytZWSKco4KmBs4RPT6BmFoUvjKTIKo+mZ9t7J0gt/NKIl9r+q:yyjWSU4y4RQmFoULF+mZ9tK8ND3
MD5:	BC894E0E69EAD6F64CC0BFF166F83F23
SHA1:	65063E8805372A43257A83D40C6E7930455C90DC
SHA-256:	3B679E4D4B2EFDA38EE03812504F85E8EAF16282EFA53A244744ECF73E7F72BA
SHA-512:	A536B90221FF9C74FA83A52E7617D7D352B88EA164B3ABF92BBCAFA08AE62836A9D5A759B1610E16F97305C0128E97E0EE282DACFD424ACB34CE1F9186008869
Malicious:	false
Reputation:	low
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.<...............i..VdqF...\|...........System.Configuration4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1q2qy225.5mf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c3ffuu2e.sqc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rq405u4c.ocl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xnf1nayc.yfe.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.969919090949514
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Catalina - Particulars.pdf.scr.exe
File size:	671'744 bytes
MD5:	316329f616d991c23b6718ba353a6b3a
SHA1:	01afaeed5a260c3909b2e14041cee23923c2d6d3
SHA256:	eec4404be651d77865707efa282ec7899a97550ad25351a70a926679f6b34bdf
SHA512:	11b6b1f028d0599c0e331a0f555a8d17535e059e02182408783608cc2591c9743695421c665ffdcc0ac762b4b1ac42922c398aedfa56e69a41b5164a43505480
SSDEEP:	12288:2VV01VtaNZppBYZ7PtuNfBwEExso1I5FSL3G4YTdO:4mVtozp2Z7PMNeEExsj58L24U
TLSH:	ABE423A04188EF60DAFD26F8F18A88A09732209F6954D3592CDEA1DD4D977600F7376F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0.."..........zA... ...`....@.. ....................................@................................

File Icon


Icon Hash:	cd4c022d219a9901

Static PE Info

General

Entrypoint:	0x4a417a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CFE184 [Thu Aug 29 02:48:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa4128	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa6000	0x1924	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa2180	0xa2200	ed70c45ed531d21df076019f659e374e	False	0.9734664128758674	data	7.976543607556141	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa6000	0x1924	0x1a00	6f56c9fed9bb02427f3adb99281a929b	False	0.8198617788461539	data	7.124100577179178	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa8000	0xc	0x200	cde0779d2bc9453439e592afce82f51f	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa6100	0x12c4	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9708576186511241
RT_GROUP_ICON	0xa73d4	0x14	data	1.05
RT_VERSION	0xa73f8	0x32c	data	0.42857142857142855
RT_MANIFEST	0xa7734	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 06:22:57.570513964 CEST	49732	443	192.168.2.4	172.67.74.152
Aug 29, 2024 06:22:57.570563078 CEST	443	49732	172.67.74.152	192.168.2.4
Aug 29, 2024 06:22:57.570631981 CEST	49732	443	192.168.2.4	172.67.74.152
Aug 29, 2024 06:22:57.577034950 CEST	49732	443	192.168.2.4	172.67.74.152
Aug 29, 2024 06:22:57.577050924 CEST	443	49732	172.67.74.152	192.168.2.4
Aug 29, 2024 06:22:58.062398911 CEST	443	49732	172.67.74.152	192.168.2.4
Aug 29, 2024 06:22:58.062473059 CEST	49732	443	192.168.2.4	172.67.74.152
Aug 29, 2024 06:22:58.095783949 CEST	49732	443	192.168.2.4	172.67.74.152
Aug 29, 2024 06:22:58.095834970 CEST	443	49732	172.67.74.152	192.168.2.4
Aug 29, 2024 06:22:58.096220970 CEST	443	49732	172.67.74.152	192.168.2.4
Aug 29, 2024 06:22:58.137485981 CEST	49732	443	192.168.2.4	172.67.74.152
Aug 29, 2024 06:22:58.177282095 CEST	49732	443	192.168.2.4	172.67.74.152
Aug 29, 2024 06:22:58.224529982 CEST	443	49732	172.67.74.152	192.168.2.4
Aug 29, 2024 06:22:58.283926010 CEST	443	49732	172.67.74.152	192.168.2.4
Aug 29, 2024 06:22:58.283987999 CEST	443	49732	172.67.74.152	192.168.2.4
Aug 29, 2024 06:22:58.284055948 CEST	49732	443	192.168.2.4	172.67.74.152
Aug 29, 2024 06:22:58.290056944 CEST	49732	443	192.168.2.4	172.67.74.152
Aug 29, 2024 06:22:59.068094969 CEST	49734	21	192.168.2.4	50.87.144.157
Aug 29, 2024 06:22:59.073075056 CEST	21	49734	50.87.144.157	192.168.2.4
Aug 29, 2024 06:22:59.073188066 CEST	49734	21	192.168.2.4	50.87.144.157
Aug 29, 2024 06:22:59.077178955 CEST	49734	21	192.168.2.4	50.87.144.157
Aug 29, 2024 06:22:59.284342051 CEST	21	49734	50.87.144.157	192.168.2.4
Aug 29, 2024 06:22:59.284358978 CEST	21	49734	50.87.144.157	192.168.2.4
Aug 29, 2024 06:22:59.284431934 CEST	49734	21	192.168.2.4	50.87.144.157

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 06:22:57.558995962 CEST	52396	53	192.168.2.4	1.1.1.1
Aug 29, 2024 06:22:57.566107035 CEST	53	52396	1.1.1.1	192.168.2.4
Aug 29, 2024 06:22:58.904083014 CEST	56651	53	192.168.2.4	1.1.1.1
Aug 29, 2024 06:22:59.067236900 CEST	53	56651	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 06:22:57.558995962 CEST	192.168.2.4	1.1.1.1	0xbe2c	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Aug 29, 2024 06:22:58.904083014 CEST	192.168.2.4	1.1.1.1	0x753f	Standard query (0)	beirutrest.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 06:22:57.566107035 CEST	1.1.1.1	192.168.2.4	0xbe2c	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Aug 29, 2024 06:22:57.566107035 CEST	1.1.1.1	192.168.2.4	0xbe2c	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Aug 29, 2024 06:22:57.566107035 CEST	1.1.1.1	192.168.2.4	0xbe2c	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Aug 29, 2024 06:22:59.067236900 CEST	1.1.1.1	192.168.2.4	0x753f	No error (0)	beirutrest.com	50.87.144.157	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	172.67.74.152	443	5856	C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 04:22:58 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-08-29 04:22:58 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 04:22:58 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ba9c355edbb19ef-EWR
2024-08-29 04:22:58 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Target ID:	0
Start time:	00:22:54
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe"
Imagebase:	0x260000
File size:	671'744 bytes
MD5 hash:	316329F616D991C23B6718BA353A6B3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1669471296.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1669471296.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:22:55
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe"
Imagebase:	0x2c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:22:55
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe"
Imagebase:	0x2d0000
File size:	671'744 bytes
MD5 hash:	316329F616D991C23B6718BA353A6B3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:22:55
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:22:55
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Catalina - Particulars.pdf.scr.exe"
Imagebase:	0x5a0000
File size:	671'744 bytes
MD5 hash:	316329F616D991C23B6718BA353A6B3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4098954296.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4097386384.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4097386384.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4098954296.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4098954296.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	12.3%
Total number of Nodes:	285
Total number of Limit Nodes:	23

Executed Functions

Function 04BBDFB8 Relevance: 2.8, Strings: 1, Instructions: 1567
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 04BBEAC3

Memory Dump Source

Source File: 00000000.00000002.1672148447.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bb0000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: d2e67e044c2889eb61bf517155dcee0c9cc866972a978e56996d7c4153e8deeb
Instruction ID: 5408f4a4b5e0f12a03bc805ac1ebb8fd47422816927f171350c855989fe4a626
Opcode Fuzzy Hash: d2e67e044c2889eb61bf517155dcee0c9cc866972a978e56996d7c4153e8deeb
Instruction Fuzzy Hash: DBF2C834A01619CFDB54DF68C884AE9B7B1FF89300F1186E9E449AB365DB74AE85CF40

Function 04BBDFA8 Relevance: 2.6, Strings: 1, Instructions: 1364COMMON

Download Yara Rule

Strings

$^q, xrefs: 04BBEAC3

Memory Dump Source

Source File: 00000000.00000002.1672148447.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bb0000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 47679f79a2ff220e06a408839d77ad53cc711e898a9ebd3eb9f6dc09043848d2
Instruction ID: bd01eac66a3ae590538bd79a2ccbdc4e984dea95f3e54f85513e28d754c5f695
Opcode Fuzzy Hash: 47679f79a2ff220e06a408839d77ad53cc711e898a9ebd3eb9f6dc09043848d2
Instruction Fuzzy Hash: C2E2C534A01619CFDB54DF68C888AE9B7B1FF89300F1186E9E4496B361DB74AE85CF40

Function 06E23FA0 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

$, xrefs: 06E23FCD

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 9bafab3317627280b485258c2662fe24a359f6df6cdba896b8ba1df6e1ba3378
Instruction ID: 4cb20bca8b06eda07357f33947cf954680c4cafd4de5ba308083c27440737a2b
Opcode Fuzzy Hash: 9bafab3317627280b485258c2662fe24a359f6df6cdba896b8ba1df6e1ba3378
Instruction Fuzzy Hash: 0D814971D0532ACFEB64CF66CC047E9BBB6AF89300F1491AAD509A7291DB705A85CF80

Function 07226014 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674541036.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7220000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5265432097df14208c1dfd6f744f8785ec3b76db66f71e2e07085d3a790c500
Instruction ID: a5882a046b40ff7ca481cde78bbee3f6f41bc0e351c3bab504dc3974d096f546
Opcode Fuzzy Hash: b5265432097df14208c1dfd6f744f8785ec3b76db66f71e2e07085d3a790c500
Instruction Fuzzy Hash: D3A21775A102198FDB15DF68C8546EDB7B2FF89300F1482A9D90AA7351EB74AE81CF60

Function 06E24256 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1cedc4dea1a112115f923006f7e4968fa600f19254003a5e17f34c5fefd5fb0
Instruction ID: 58cd6b4532ccbfb145349483922a0ccd5155aed09f8a2a1d952f7a6e351f38be
Opcode Fuzzy Hash: d1cedc4dea1a112115f923006f7e4968fa600f19254003a5e17f34c5fefd5fb0
Instruction Fuzzy Hash: E431F87480532ACFEBA4DF55D8447E8B7FABB09315F0461D9850EA3295C7715AC9CF40

Function 06C4C589 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659e1e1e54e2e94a2ee2fe574c8398800a017769ca20de3612eea75c927c1fbe
Instruction ID: 5f010e12d4305ffd29350e5f3f4cf8b1c606e4fce55c13f0a4b8efb193358249
Opcode Fuzzy Hash: 659e1e1e54e2e94a2ee2fe574c8398800a017769ca20de3612eea75c927c1fbe
Instruction Fuzzy Hash: 09211DB0D062589FEB58DFA7C8453EEBFB6AFC9300F04C06AD50966264DB750945CF90

Function 06C4C598 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10f73d096f24703bab513142d2c86505f2902f8b8c756b076492f370c491958f
Instruction ID: cf9b19e5c801f8162013e1a85eb61225d9689d7f36ad2f03941f7788268e4661
Opcode Fuzzy Hash: 10f73d096f24703bab513142d2c86505f2902f8b8c756b076492f370c491958f
Instruction Fuzzy Hash: F121F7B0D066188BEB58DFABC9443EEFAF7AFC8300F04C02AD50966264DB7509498F90

Function 06E2429B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44fc2e20017219314db387a5a125d0193a05153b749904d3b6b109793b83e5ba
Instruction ID: 9120efa00947b28c7a4ab55bd7cce6d159ba667c952bb55b2ef7ba7b3e3192a0
Opcode Fuzzy Hash: 44fc2e20017219314db387a5a125d0193a05153b749904d3b6b109793b83e5ba
Instruction Fuzzy Hash: 2911E634805329CFEBA4DF65D9887E8BBF6AB09311F04719A840AA2295DB719EC5CF40

Function 06E247E9 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a5fd3b43d582402d9f35d7827b96922bf66fe0611bcb2adea6a01b6ee57771
Instruction ID: f35a14058b18259ed6c9ae4d01329b72258109c9d3f561c38fbb27241cbefbd8
Opcode Fuzzy Hash: 02a5fd3b43d582402d9f35d7827b96922bf66fe0611bcb2adea6a01b6ee57771
Instruction Fuzzy Hash: 7C111834809326CFEB94DF51D9847F8B7FAAB0A311F04719A840AA32D5CB719AC5CF40

Function 06C467B0 Relevance: 10.1, Strings: 8, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C46E7D
$^q, xrefs: 06C46A0D
$^q, xrefs: 06C46CF5
8bq, xrefs: 06C4681F
LR^q, xrefs: 06C46BCE
8bq, xrefs: 06C4686C
$^q, xrefs: 06C46CE7
LR^q, xrefs: 06C46CB4

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: 8bq$8bq$LR^q$LR^q$$^q$$^q$$^q$$^q
API String ID: 0-471625051
Opcode ID: b624a6801d0bbe2c1e3867f78c2addb2213c175eb2aa4fbca01e7171cc78e46b
Instruction ID: b5ed53494c2e498a7270504469a94001894dc8f869c9537ed243aac1a60cb1ff
Opcode Fuzzy Hash: b624a6801d0bbe2c1e3867f78c2addb2213c175eb2aa4fbca01e7171cc78e46b
Instruction Fuzzy Hash: 17317070F00209DFEB44EBAAD455A6EBBB5EF8A311F10442AE206A7394DB709D458B91

Function 04BB3D68 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04BB3DF6
GetCurrentThread.KERNEL32 ref: 04BB3E33
GetCurrentProcess.KERNEL32 ref: 04BB3E70
GetCurrentThreadId.KERNEL32 ref: 04BB3EC9

Memory Dump Source

Source File: 00000000.00000002.1672148447.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bb0000_Catalina - Particulars.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3fa93e578321415c958354eac7c567ac1d62eff3fca7b8d9f88896125012116a
Instruction ID: 670bb4f058edb7ff4ee4fc6e5821053f63cf22bca9aee64d1cd74e8b356795b6
Opcode Fuzzy Hash: 3fa93e578321415c958354eac7c567ac1d62eff3fca7b8d9f88896125012116a
Instruction Fuzzy Hash: 125179B0900249DFDB04DFA9D948BEEBBF1EF48304F208559E449A7361D774A984CF65

Function 04BB3D78 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04BB3DF6
GetCurrentThread.KERNEL32 ref: 04BB3E33
GetCurrentProcess.KERNEL32 ref: 04BB3E70
GetCurrentThreadId.KERNEL32 ref: 04BB3EC9

Memory Dump Source

Source File: 00000000.00000002.1672148447.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bb0000_Catalina - Particulars.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1dccded5554f2c985107d1ebb40cc77678d3f4370a9488e8e1f422a5566552d9
Instruction ID: 435bb6f5a62c72289b25c39b5095fffba4a12cafbe7b16c6d6e257ab1259ce7d
Opcode Fuzzy Hash: 1dccded5554f2c985107d1ebb40cc77678d3f4370a9488e8e1f422a5566552d9
Instruction Fuzzy Hash: 7F5179B0900209DFDB14DFAAD948BEEBBF1EF48304F208559D449A7360C774A984CF65

Function 06C45D41 Relevance: 3.9, Strings: 3, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C45E52
LR^q, xrefs: 06C45DB1
$^q, xrefs: 06C45F7A

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: LR^q$$^q$$^q
API String ID: 0-3333519130
Opcode ID: 93055dccf991218a6b25dd0772c69c993fe583f341fab245b7c2c45603e23416
Instruction ID: 6a650aa411cf980a96b0c1abfc8fccdba979da40f195980bcb5bfdb26aa38068
Opcode Fuzzy Hash: 93055dccf991218a6b25dd0772c69c993fe583f341fab245b7c2c45603e23416
Instruction Fuzzy Hash: B651BD70E01605CFEB94EF69C949BAEB7F2FF45700F94846AE105EB2A5D7709940CB42

Function 06C45A8F Relevance: 3.9, Strings: 3, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C45E52
LR^q, xrefs: 06C45DB1
$^q, xrefs: 06C45F7A

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: LR^q$$^q$$^q
API String ID: 0-3333519130
Opcode ID: bab36629c5b91b93b37e54697065d26bbe880e07bd20545e1a3cb0c1cdb98fec
Instruction ID: 6fd0b05c9e62edbfb2714a5f7af783e44422dbb6db1f8c0af77a8f6661d93f0c
Opcode Fuzzy Hash: bab36629c5b91b93b37e54697065d26bbe880e07bd20545e1a3cb0c1cdb98fec
Instruction Fuzzy Hash: 4B41AC70F02605CFFB94EB59C948B6D77F2EF45701F9484AAE105AB2A1D734D980CB42

Function 06E2242D Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06E2266E

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2bfeaa7edab1d8bb13b47b9169c979134f317775f8568711e813590fda235af3
Instruction ID: 35cd347ca898d1e25893750ec4753801dd771f561e85cd647bc5a7d8d387d2be
Opcode Fuzzy Hash: 2bfeaa7edab1d8bb13b47b9169c979134f317775f8568711e813590fda235af3
Instruction Fuzzy Hash: F5A19C70D0032ACFDB50CF68C8417EDBBB2BF48314F0481A9E908A7294DB749A85CF92

Function 06E22438 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06E2266E

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: bfdefdc37628fafe224ff3a0226987f289ac67be0c0cd8f7bf38f577fa941b27
Instruction ID: 369933e44441df4f5e0593c00193016649de857380dde4fd5855084d8e169f7b
Opcode Fuzzy Hash: bfdefdc37628fafe224ff3a0226987f289ac67be0c0cd8f7bf38f577fa941b27
Instruction Fuzzy Hash: B9918C71D0032ADFDB54CF68C8417EDBBB2BF48314F1481A9E908A7294DB749A85CF92

Function 04BB8524 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04BB8642

Memory Dump Source

Source File: 00000000.00000002.1672148447.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bb0000_Catalina - Particulars.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c4e1cf8564b301daee0731d118ca816d959ee61a499e2b649ffa4023c1bd5cd6
Instruction ID: e8e2dbfc01a50ca3639bbe4c9946dda759284512a2a469fac635e197d40db015
Opcode Fuzzy Hash: c4e1cf8564b301daee0731d118ca816d959ee61a499e2b649ffa4023c1bd5cd6
Instruction Fuzzy Hash: 3B51E0B1D00309EFDB14DFA9C884ADEBBB5FF48314F24852AE819AB210D775A841CF91

Function 04BB8530 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04BB8642

Memory Dump Source

Source File: 00000000.00000002.1672148447.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bb0000_Catalina - Particulars.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7a3fe1722fba0fb5f5a76c076a2d83bcc9d5a23032cfd0909602699665906045
Instruction ID: 772c73efd0877759308ec90152558d209a97038abb726adf7ac9ea1bbbf94710
Opcode Fuzzy Hash: 7a3fe1722fba0fb5f5a76c076a2d83bcc9d5a23032cfd0909602699665906045
Instruction Fuzzy Hash: E641B0B1D103099FDB14DF99C984ADEBBB5FF48314F24852AE819AB210D771A845CF91

Function 04BB69E4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04BBABC1

Memory Dump Source

Source File: 00000000.00000002.1672148447.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bb0000_Catalina - Particulars.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: b3dd4884f4a1b29ba75800c638fce5c573f7827fe106db9f286dc44de489584b
Instruction ID: 6cbb715900fbdcc80d7b0a49174dc94533a890e01b9e1d454ce164bbd1162aa9
Opcode Fuzzy Hash: b3dd4884f4a1b29ba75800c638fce5c573f7827fe106db9f286dc44de489584b
Instruction Fuzzy Hash: 57412BB4A00305DFDB14CF59C888AAAFBF5FB88314F14C599D559A7321D771A841CFA0

Function 00C5449C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00C559C9

Memory Dump Source

Source File: 00000000.00000002.1668080147.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_Catalina - Particulars.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 858270f9966abcd081f73ec42e420e0bdc0bec419d1c5d4170e66264782d19fe
Instruction ID: d56b1d518366461b3734f9c3c7fdd1900e4eeb89cebc1f800ea6e83fe631f6cd
Opcode Fuzzy Hash: 858270f9966abcd081f73ec42e420e0bdc0bec419d1c5d4170e66264782d19fe
Instruction Fuzzy Hash: 1241D4B0C00619CBDB24DFA9C84479DBBB5BF48304F24816AD408AB255DB756989CF90

Function 00C5590C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00C559C9

Memory Dump Source

Source File: 00000000.00000002.1668080147.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_Catalina - Particulars.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0d978b34f149653f537006d8d7758c7aa2d6fa4e05f2d879e7a23380b10a96a5
Instruction ID: 0300b00708e63ab54c8f9f6635de5588cce347eadb7dc71a9defa8f0e09e3ea0
Opcode Fuzzy Hash: 0d978b34f149653f537006d8d7758c7aa2d6fa4e05f2d879e7a23380b10a96a5
Instruction Fuzzy Hash: 564104B0C00619CFDB24DFA9C984BDDBBB5BF48304F24815AD408AB255DB75698ACF90

Function 06E221A8 Relevance: 1.6, APIs: 1, Instructions: 74injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E22240

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d2efc68eed41b622786478167339008d6994501cea9c6de64b3e10a64e4385e7
Instruction ID: 7c1f2840216d172dc99af5d8414e34c3856ce06d6661dcd5f448e3c2c077e596
Opcode Fuzzy Hash: d2efc68eed41b622786478167339008d6994501cea9c6de64b3e10a64e4385e7
Instruction Fuzzy Hash: C7216BB1D103599FCB10CFA9C841BEEBBF1FF48314F108429EA59A7251C7759644CBA4

Function 072299D4 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0722AF4D,?,?), ref: 0722AFFF

Memory Dump Source

Source File: 00000000.00000002.1674541036.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7220000_Catalina - Particulars.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 0348941af35fb4059215d6b1e5cb239e786e987a2707ecd6ddaa13dd2ca93a22
Instruction ID: 9b64136d6d90453d05b857736294af37972f810167f135c9bee4b6fdcbef3f98
Opcode Fuzzy Hash: 0348941af35fb4059215d6b1e5cb239e786e987a2707ecd6ddaa13dd2ca93a22
Instruction Fuzzy Hash: 8131E4B5910319AFDB10CF99D884A9EFBF5EB48310F14842AE915A7210D375A941CFA0

Function 0722AF62 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0722AF4D,?,?), ref: 0722AFFF

Memory Dump Source

Source File: 00000000.00000002.1674541036.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7220000_Catalina - Particulars.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 9157cb509b1d0cc02bb7437be7f275f96492faba35eb48988d3dde5f89254b2c
Instruction ID: 003d006fa82ceb52301df6596ddeb0fbbc38c376e6f1fa8ef32ca01ceef7c509
Opcode Fuzzy Hash: 9157cb509b1d0cc02bb7437be7f275f96492faba35eb48988d3dde5f89254b2c
Instruction Fuzzy Hash: 5A31E0B5D1021AAFDB10CF99D884ADEFBF5FB48320F14842AE818A7310D375A945CFA0

Function 06E221B0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E22240

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: fd8ebc14f6cb8023db7979c1e7c70d1d61fdeb0d5eb3ccc48908932ef46a72f2
Instruction ID: cd8080f0dd108237c2dbd5376b2d9b0e20a68447f4533782c9366a4999156646
Opcode Fuzzy Hash: fd8ebc14f6cb8023db7979c1e7c70d1d61fdeb0d5eb3ccc48908932ef46a72f2
Instruction Fuzzy Hash: 162157B2D003599FCB10CFA9C881BEEBBF5FF48314F10842AE958A7250C7799944CBA4

Function 06E22298 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E22320

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 34c26518600b93982bc9fe96bf15a728b8f733c385679228096735776fe24d4b
Instruction ID: bcb4971e9f8c838fdf7fa158251f8f914dbb8f63773588791ee59491904ae914
Opcode Fuzzy Hash: 34c26518600b93982bc9fe96bf15a728b8f733c385679228096735776fe24d4b
Instruction Fuzzy Hash: C02114B18002599FCB10DFAAC885AEEBBF1FF48310F10882AE559A7250C7799944CBA4

Function 06E22010 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E22096

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 744aa66adf953d4e1594cca07cbd99bb1a666afc2db0f6ede1a4c6f4e4bafe1d
Instruction ID: 87af229b4606b232d922fcf1adeb8c1fec52b1dc87070099ed84ea818af56d4c
Opcode Fuzzy Hash: 744aa66adf953d4e1594cca07cbd99bb1a666afc2db0f6ede1a4c6f4e4bafe1d
Instruction Fuzzy Hash: 5F2138B1D003198FDB10DFAAC485BEEBBF5EF88324F14842AD559A7241D7789A44CFA4

Function 06E2229F Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E22320

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 537f610ab1cc30df414a2bb489ffd18fcc3761296be16d53fe27c815b22fa303
Instruction ID: 721923039f69d494c965f3261d47976c6d91ee42a2ce7f7082bbfc9a1a03b792
Opcode Fuzzy Hash: 537f610ab1cc30df414a2bb489ffd18fcc3761296be16d53fe27c815b22fa303
Instruction Fuzzy Hash: 482114B18003599FCB10DFAAC885AEEFBF5FF48320F10842AE558A7250C7789944CBA5

Function 04BB3FB8 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04BB4047

Memory Dump Source

Source File: 00000000.00000002.1672148447.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bb0000_Catalina - Particulars.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4176ac6e3b9aed7c6aa27adc4fd8edf83b9740445fc7c07a8ba3bd5c5c0b2c71
Instruction ID: bb18fe81cda337a0ae46316983938844670233bc418e228ec79e33bef11c0143
Opcode Fuzzy Hash: 4176ac6e3b9aed7c6aa27adc4fd8edf83b9740445fc7c07a8ba3bd5c5c0b2c71
Instruction Fuzzy Hash: 522103B59002489FDB10CFAAD584AEEFFF4FB48310F14845AE958A3211D375A940CFA0

Function 06E222A0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E22320

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1f510f749e83a2c71dbe3b41a9b2371a54610e0a3c121fba4c77f1d48ad47272
Instruction ID: 303c2fcd0c7607aad4d2fc4b664a625aa4bc5fac2e34aebc64e06a10887809f8
Opcode Fuzzy Hash: 1f510f749e83a2c71dbe3b41a9b2371a54610e0a3c121fba4c77f1d48ad47272
Instruction Fuzzy Hash: DE2114B18003599FCB10DFAAC885AEEFBF5FF48320F10842AE558A7250C7789944CBA4

Function 06E22018 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E22096

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ffbac6e28252914acbf5bca5625dac7b3fa73b52ede7903dcea97efe9183c31c
Instruction ID: 0228f5bad618cae106cecb8d220d9afb4c27fa11b6433fd156d57f0a349df7df
Opcode Fuzzy Hash: ffbac6e28252914acbf5bca5625dac7b3fa73b52ede7903dcea97efe9183c31c
Instruction Fuzzy Hash: C72138B1D003198FDB10DFAAC485BEEBBF5EF48324F10842AD559A7241D7789944CFA4

Function 04BB3FC0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04BB4047

Memory Dump Source

Source File: 00000000.00000002.1672148447.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bb0000_Catalina - Particulars.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9117ea28c8cb2c9c11fad6d4146cfc03af336cda58dc0bd93a691224065a2216
Instruction ID: 74404fe0ceab8a0c1667c72150993649d7331a8002430695ba897cd3e8c3d172
Opcode Fuzzy Hash: 9117ea28c8cb2c9c11fad6d4146cfc03af336cda58dc0bd93a691224065a2216
Instruction Fuzzy Hash: 4521E4B59002089FDB10CFAAD984AEEFBF4FB48310F14841AE954A3351C375A940CFA5

Function 06E220E9 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E2215E

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 81ebc01d090fbe6d897c75ddc90fd90de387c6ab12878a797c7c739fd9e60e35
Instruction ID: 3467f6f8f349e31e8af7228fb8e22e19ba9a73bb206e063446fddc8ae5443db2
Opcode Fuzzy Hash: 81ebc01d090fbe6d897c75ddc90fd90de387c6ab12878a797c7c739fd9e60e35
Instruction Fuzzy Hash: A71167B19002499FCB20DFA9C845BEFBFF5EF88324F208419E559A7250C7369584CFA0

Function 06E220F0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E2215E

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ee2b71bb9156b1947e6f818af3f9bc0797ff82caacd9dc02bfa35f0c874d93c0
Instruction ID: 3979b1725023bdf20a86eff691d3d45e2a6fe667fe4e971d51ec8a59e75851f8
Opcode Fuzzy Hash: ee2b71bb9156b1947e6f818af3f9bc0797ff82caacd9dc02bfa35f0c874d93c0
Instruction Fuzzy Hash: 341126B19002499FCB10DFAAC845AEEBBF5EB88324F108419E559A7250C775A544CFA4

Function 06E21F61 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06E21FCA

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e239295f41d1e0c0f0e90af27a30e0de41db3603107c05159025f677dacef722
Instruction ID: bc1469dd5be0b1e6506a23669d04c5c333c1469d42e941c84df53c2e79d52a69
Opcode Fuzzy Hash: e239295f41d1e0c0f0e90af27a30e0de41db3603107c05159025f677dacef722
Instruction Fuzzy Hash: 131176B19043598FDB20DFAAC8457EFFBF5AF88324F20841AD519A7240C734A940CB94

Function 06E21F68 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06E21FCA

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5534c1e75518b3740ef467bfd2afac6c61ae3709545e7d0053fc6bc60e494a6a
Instruction ID: ea0262f8938f05d1421be0fd8bfa838a6b1edbf9f494e15523985ba513d756f2
Opcode Fuzzy Hash: 5534c1e75518b3740ef467bfd2afac6c61ae3709545e7d0053fc6bc60e494a6a
Instruction Fuzzy Hash: 471158B19043498FDB10DFAAC8457DEFBF5AF88324F208419D559A7250C735A544CF94

Function 06E25168 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06E251CD

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e3981c9d8eb4cc92a2c1b7fb9d6d530d6d43df2b225066362b5451d8e3c6e937
Instruction ID: ab1792807d8fd8cc426808160ba79182429d13ca09a6926dd1836ecbd6e2ea43
Opcode Fuzzy Hash: e3981c9d8eb4cc92a2c1b7fb9d6d530d6d43df2b225066362b5451d8e3c6e937
Instruction Fuzzy Hash: 711133B58007199FCB10DF9AD945BEEFFF8EB48320F20851AE559A3250C375A984CFA5

Function 06E233FC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06E251CD

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c8c3b0a12ee9a21b3440243f8fa2d26e18377cb7e4d2305224ed6488eb699536
Instruction ID: 740f55aa82ec286983e276de60e43daa25d8a3c7174c4340a893d5f640c31716
Opcode Fuzzy Hash: c8c3b0a12ee9a21b3440243f8fa2d26e18377cb7e4d2305224ed6488eb699536
Instruction Fuzzy Hash: 5B1103B5800759DFDB10DF9AC945BEEFBF8EB48324F10841AE558A7200C375A984CFA5

Function 06C413C0 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

(bq, xrefs: 06C414AF

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: e45d824b6871b66dca43b0f283bb0b6420da0b15ed9dbdced5461bc14aa6487c
Instruction ID: f34967de821b982c7d621c15635249607023b3896e387e658e46453cf7349660
Opcode Fuzzy Hash: e45d824b6871b66dca43b0f283bb0b6420da0b15ed9dbdced5461bc14aa6487c
Instruction Fuzzy Hash: CE71D1B5E10219AFCF45DFA9D980AEEBBF6FF48310F14852AE919A3210D7319951CF90

Function 06C47C36 Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

Q, xrefs: 06C47DA0

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: Q
API String ID: 0-3463352047
Opcode ID: fc573d4b7979de973cf06341709c065fc60e54a3ae01fde2630bcec43433eb4e
Instruction ID: d53b531bbe417b1dc2a94f0975f602f44a55cbc9e7472bf9cfc213e2b8df36ac
Opcode Fuzzy Hash: fc573d4b7979de973cf06341709c065fc60e54a3ae01fde2630bcec43433eb4e
Instruction Fuzzy Hash: A7517330E002049FEB54EFAAD8817AE7BB2FF84710F148466F5459B395DB3489458BA1

Function 06C43030 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06C4309B

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: fd9b4519b39956b950fc60539c8145a8c748da845a27bba3834e3c86e1478e92
Instruction ID: 8b81c4eda7bc2db89bba9b6e1642b2a704786ff992997c3d22a45b3342090070
Opcode Fuzzy Hash: fd9b4519b39956b950fc60539c8145a8c748da845a27bba3834e3c86e1478e92
Instruction Fuzzy Hash: 8B112E31F0024A8BDB54EBB999115EEB7F6BFC4310B20417AC909E7344EB329E16CB91

Function 06C4B636 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06C4B646

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 339a2965bca8bff9029a2483c81164dc9322a4b72ed41b62fd5b327e4aabc02e
Instruction ID: 6abd3c11d654b70fb8ee2060b2e7742c9cffe9530b2a5f9e66610c96ea1d1988
Opcode Fuzzy Hash: 339a2965bca8bff9029a2483c81164dc9322a4b72ed41b62fd5b327e4aabc02e
Instruction Fuzzy Hash: 64118375E00209DFCB08DFE9C4849ADFBB2FB88314F208129E918AB355C6316946CF50

Function 06C405F0 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0221e33484e6489c3804577927de9695b537147a4895fb319c7b51d3d5a0923
Instruction ID: 5639ed4606259504ef753392d7773e35746f6f01fa84e1896e50c4122a4e0c02
Opcode Fuzzy Hash: a0221e33484e6489c3804577927de9695b537147a4895fb319c7b51d3d5a0923
Instruction Fuzzy Hash: 93912C34A10758DFDB14DF64C850BAEBBB5FF89300F10819AE949A7251EB319E86CF91

Function 06C405E0 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908826952140722dfe2f090bb53994b96da53c1345a19adc818dd84284e5be71
Instruction ID: d5886f9e4e7d28d66b2cefe162865a605fa9d34bcb3813cfcb57ec84eb8cfe10
Opcode Fuzzy Hash: 908826952140722dfe2f090bb53994b96da53c1345a19adc818dd84284e5be71
Instruction Fuzzy Hash: 52912B74910719DBDB14DF64C840BEEBBB5FF89300F10819AE949A7211EB71AA86CF91

Function 06C41FC0 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d862a40db8c519e2516aa1a3f2dd350f9c8454d4374540ce1c137448d61ed5
Instruction ID: f1ffe7c8df19f0978215db10b9d0c43e3144142d44fdb42486436fdf85b0d09a
Opcode Fuzzy Hash: 85d862a40db8c519e2516aa1a3f2dd350f9c8454d4374540ce1c137448d61ed5
Instruction Fuzzy Hash: 8591E93591061ACFDB10EF68C884A99F7B1FF89304F11C6D9E5497B225EB30AA85CF91

Function 06C43692 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16fe7186df7df61d7bbdc3d5e0254f973ba63f3a0ac5b250e8d965a9bbaa1d87
Instruction ID: 49316f9e742918c3f547e5a376ec1cc83deee0efb9813ef633a36f01c537783a
Opcode Fuzzy Hash: 16fe7186df7df61d7bbdc3d5e0254f973ba63f3a0ac5b250e8d965a9bbaa1d87
Instruction Fuzzy Hash: 34713E35D10759DECF00DFA5C8405AEFBB5FF88304B14C55AE958AB221E731E996CB41

Function 06C436A0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d162a35cd251908e09718af379daccd9bec557056b20bc89ab56c591937b07c5
Instruction ID: 2877007eed333737f2777234f80aa9d852b3eb38254bc073a3b2f2e664a54f98
Opcode Fuzzy Hash: d162a35cd251908e09718af379daccd9bec557056b20bc89ab56c591937b07c5
Instruction Fuzzy Hash: 7D711C35D10B59DACF00DFA5C8405AEFBB5FF88304B10C55AED58AB221EB31E996CB81

Function 06C4548C Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d02b4ac309303d3e7c4e4aee2a9267d29a6b7a75aa5b567916c5ed0fccb78e
Instruction ID: 941d90726c29f42cda91602181b667dae4447a4edc70ea28ae46fff27548d1c7
Opcode Fuzzy Hash: 20d02b4ac309303d3e7c4e4aee2a9267d29a6b7a75aa5b567916c5ed0fccb78e
Instruction Fuzzy Hash: E351232681E3E06FD703AB3898B41D63FB49D6325435A90D7C0D0CF0A3D298994EC7AA

Function 06C4B530 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386cdd4610bd7a3cfa4da55f7edce764be20a2292a53464815d1cb12569706a8
Instruction ID: 9b0e2e87a8e8956f4f72d50f74f631a433bbc2c18578d3445836e7cc62972a1c
Opcode Fuzzy Hash: 386cdd4610bd7a3cfa4da55f7edce764be20a2292a53464815d1cb12569706a8
Instruction Fuzzy Hash: FF51D274E09218CFEB48DFAAC9446EDFBF6AF89300F10902AD419AB355DB709945CF50

Function 06C4BD70 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bafd224bf3e450dc598ac4c99923647f6cd52d324639fb2308355c16e30f75
Instruction ID: 0c1dc3d8f6cf5f33991b15083330e63e8a2c6fed694da76417d6bdff41eb75a3
Opcode Fuzzy Hash: 07bafd224bf3e450dc598ac4c99923647f6cd52d324639fb2308355c16e30f75
Instruction Fuzzy Hash: 59411974D09209CFEB48DFAAC4806EEBBF6AF8D300F14D0AAD519A7255D7309D41CBA4

Function 06C47155 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44f244cb09e6813e0257646521714daf4049674cdda27894726f929e9fe1f55
Instruction ID: c89efd9b0b09855b9c607f0efbdd4584819a17a7cd8c67327c16d40008c3bce8
Opcode Fuzzy Hash: f44f244cb09e6813e0257646521714daf4049674cdda27894726f929e9fe1f55
Instruction Fuzzy Hash: 1A41C730B01305DFE751DF99C848BAEBBB2EF44301F14806AF511AB295DB36D845CBA5

Function 06C4B520 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbae4a6d34f4ee3eb8802b9f7311ee428776f02628ad0f95455a73f1394228b9
Instruction ID: f26ac6124ed1cbcff0efdb6eb23437a1d49e7c4d935d0b46e43dd97ff2322ab9
Opcode Fuzzy Hash: dbae4a6d34f4ee3eb8802b9f7311ee428776f02628ad0f95455a73f1394228b9
Instruction Fuzzy Hash: 1441D274D09208CFEB48DFAAC9446EEBBF6AF89300F14942AD409AB355DB749946CF50

Function 06C4B5BC Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72136730f5f005523f6aed6e97a7fa5fc89ffedd80ad4801f9bc0c942a7df6f
Instruction ID: cc257b8aad968ba7a1fa0ecafa138c9a5138856123b71fbbcbfaf69db104e0d3
Opcode Fuzzy Hash: b72136730f5f005523f6aed6e97a7fa5fc89ffedd80ad4801f9bc0c942a7df6f
Instruction Fuzzy Hash: 8E41C174D09218CFEB48DFAAD9846EDFBB6BF89300F10942AD40AAB255D7349946CF50

Function 06C438D8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01651eabc551e05f5db2da9946e8fb123eb3a18743a15bdf2a66fac551b45dc3
Instruction ID: 03ca01c78cd5ba2922e14ea74e27d3e98dcf562c6cffb11351cbab0923d7c377
Opcode Fuzzy Hash: 01651eabc551e05f5db2da9946e8fb123eb3a18743a15bdf2a66fac551b45dc3
Instruction Fuzzy Hash: E4414C31E0068A8BDF10EFE6C4546DDFBB1FF88310F108629D419BB255DB71AA85CB90

Function 06C40D80 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34fc58b09aa4bd8651cd85d3dad9a76261c34a1c5e807f7d244a1faba79ab3b
Instruction ID: ebd19802d0eb3bbcd3b975fe9200562a655c801731d2611fe75c0091c3cf69d9
Opcode Fuzzy Hash: f34fc58b09aa4bd8651cd85d3dad9a76261c34a1c5e807f7d244a1faba79ab3b
Instruction Fuzzy Hash: D3418BB1904248AFDF01DFA9C840AEEBFF1FF49314F04805AE859A7261D335D954CBA1

Function 06C4DE68 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47fa785495b0ba12261bbcef49652f7f6822469a6777fe4d1ed32416fe07d56b
Instruction ID: 090b297e64a0db26fb54e990c43535e4cf434a09bfd713a708a8194d751ae94f
Opcode Fuzzy Hash: 47fa785495b0ba12261bbcef49652f7f6822469a6777fe4d1ed32416fe07d56b
Instruction Fuzzy Hash: 2841E374E15209DFDB44EF9AD884AEDFBB5FF58310F109169E916A7201D730AA84CF90

Function 06C45B27 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4363a5e43d3f63ceacb8c7e47f0ba3ea1694f3c9c226e5eddcc0de495b5d4e
Instruction ID: fac841540cecd8ad9ee36a1970d14d40bb1951ed55701bef1b6dbceb43f53a71
Opcode Fuzzy Hash: bc4363a5e43d3f63ceacb8c7e47f0ba3ea1694f3c9c226e5eddcc0de495b5d4e
Instruction Fuzzy Hash: FA217F30B142188FD758EBBDA45D62A7BE2EF89311F14846AF406CB3D5DE348C058791

Function 06C4C7D1 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1937b8806f0b0b8e3d45e2cf44b6ca10b5a5df55c1dfcba3063f98357891a28f
Instruction ID: 0f7334fd0bd8573f33c031aff81507dbdedc8076131598e551de3af46944d690
Opcode Fuzzy Hash: 1937b8806f0b0b8e3d45e2cf44b6ca10b5a5df55c1dfcba3063f98357891a28f
Instruction Fuzzy Hash: F331E274E06218CFEB94DF59C980BECBBB6BB49304F1091A9D50AE7361D7309A81CF51

Function 06C413BF Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae99dffca000db248599840dc1e6e591da6bb3b4f7e019f1f62c1758bc09650d
Instruction ID: b0714677fa208f483c3a679d99f5068b19bf2d5a223fa4f7e993645695827d81
Opcode Fuzzy Hash: ae99dffca000db248599840dc1e6e591da6bb3b4f7e019f1f62c1758bc09650d
Instruction Fuzzy Hash: 7C31B172E10219AF8F41DFA8D8808EEBBF6FF8C310B14412AFA14B3210D73199559F90

Function 06C45B40 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d10dee3f7028a5eaa403d770599cc57295433b22cb7b0237b4d7a60f588b64
Instruction ID: a6ab925d626f38f7e99d3ab810918c86155b832d161771c55505a2ce8f200686
Opcode Fuzzy Hash: 05d10dee3f7028a5eaa403d770599cc57295433b22cb7b0237b4d7a60f588b64
Instruction Fuzzy Hash: A2216D30B142088FD748EBBDA45D62A7AD6EB88311F24882AF50AC73C5DE758C418B91

Function 06C4C6A6 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2e85ea11560cd0c864eb4ec374f7980a91b7e0a5ed86b066ef216620e4397c
Instruction ID: 8a00ae802368def4dc32ee7a0d48a64694e1cd6ef11d8b8d96f2534c5706b0af
Opcode Fuzzy Hash: 4d2e85ea11560cd0c864eb4ec374f7980a91b7e0a5ed86b066ef216620e4397c
Instruction Fuzzy Hash: 2F41B374906368CFDBA0DF59C980BACB7B6BB49300F5094DAD509A7361D7319E84CF51

Function 06C40FF0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4c322045e98abaff564ba598e94da614c3286d7a9fc5a94760b7926dc29528
Instruction ID: dae6c47daa25bc997b493f797ca68a0e4f9e69d590d2b41bf9d114e6c4fb67dd
Opcode Fuzzy Hash: ed4c322045e98abaff564ba598e94da614c3286d7a9fc5a94760b7926dc29528
Instruction Fuzzy Hash: 3D21DE74B006549FCB55FB7A884847FBBBBEFC8250724892AD825D3340EE30CD0142A1

Function 06C40D9C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 003d5c5542e4cf402662494c64da9fe3ecea0eda481fd33acd8944d52dbd6f8a
Instruction ID: 71c87c64471014d0158b056a233337ea88bd6f53c92e2c1239c4493c4a6d1957
Opcode Fuzzy Hash: 003d5c5542e4cf402662494c64da9fe3ecea0eda481fd33acd8944d52dbd6f8a
Instruction Fuzzy Hash: B73112B1900248AFDF51DF99C844AEEBBF6FB48314F148419F959A7220C775A990CFA0

Function 009ED450 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667741886.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1398e10fa2c9dd2563d37a2e619f5935bfdbc67eb41bbd6314a68c226738d5c
Instruction ID: b9d5183b5aac7d2415e16f1533513f92580ebef516ca3cb78b4b6d157662249b
Opcode Fuzzy Hash: b1398e10fa2c9dd2563d37a2e619f5935bfdbc67eb41bbd6314a68c226738d5c
Instruction Fuzzy Hash: A6210371504280DFDB06DF14D9C0B27BF65FBA8314F20C569E9094B2AAC33AEC56CAA1

Function 009ED53C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667741886.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08108e657befd6ed43105aa9dbf1b880dcc36ba9096b996da49b606cd5777b85
Instruction ID: 25415a3e1613f2cbb92a507c2ac675736b6a155ba2719fd5c6d61721267ed49b
Opcode Fuzzy Hash: 08108e657befd6ed43105aa9dbf1b880dcc36ba9096b996da49b606cd5777b85
Instruction Fuzzy Hash: 33212571500280EFCB06DF14D9C0B2BBF65FB94318F20C569E8094B25AC73ADC56DBA1

Function 06C4CA3F Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3656295a68ff468e38a2fd07c32661dc6433c793073e72cb849d654db20cf3e0
Instruction ID: cf97d15fe56b19f9a9feccee6d3d459af6fce236cd5888dfd0efa657190cb0eb
Opcode Fuzzy Hash: 3656295a68ff468e38a2fd07c32661dc6433c793073e72cb849d654db20cf3e0
Instruction Fuzzy Hash: 8731E174E06318CFEB94DF59C980BECB7B6BB49300F5090A9D40AAB321D7319A80CF51

Function 009FD0EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667799344.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fd000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bbd9bb4ceb937731530f6573d1c8cca5f8aedb22945bdc0eca43271c2967a1f
Instruction ID: eb390add4c79889eee39c3ad4ee835901565be66e4c37e135b3fd3ab6f263548
Opcode Fuzzy Hash: 1bbd9bb4ceb937731530f6573d1c8cca5f8aedb22945bdc0eca43271c2967a1f
Instruction Fuzzy Hash: 30212971649208DFDB08DF14D9C4B36BB66FB84314F20C96DDA094B356C33AD846CBA1

Function 009FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667799344.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fd000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4510b28daea36bfc1f66e645a4d71f53a39cc9fd91f0ab4a462e591c5b4ecd96
Instruction ID: 93d079ebfbef79fa7d81a5e2e39be8f52714cd8e8eb4cb04b2e3a35a66a9c64f
Opcode Fuzzy Hash: 4510b28daea36bfc1f66e645a4d71f53a39cc9fd91f0ab4a462e591c5b4ecd96
Instruction Fuzzy Hash: 47213B71504208DFDB05DF14D5C4B76BBA6FB84314F20C96DDA194B355C33AD846CBA1

Function 06C40AE0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33bd8c49a2be348d367d2725a2b5ff557bd877528024ad1e3bf3e28151cd1d71
Instruction ID: 906b7209f3e1afc823e76b4ab6988c098d17acf25e9a4c1e61250cf5171fcdf8
Opcode Fuzzy Hash: 33bd8c49a2be348d367d2725a2b5ff557bd877528024ad1e3bf3e28151cd1d71
Instruction Fuzzy Hash: 0C112371B18248AFDF09DF74C8598AE7FFAEF45200B1484ABE804C7262EA30DE019725

Function 06C4BEF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320d53aa8b0b8452b5b3aab43d38a40be532efef62d96ca64f9b50fb08744f77
Instruction ID: fea518b730469e3a5223ccc12e1f2490914a51e107b34942bfafdd1ae9e80963
Opcode Fuzzy Hash: 320d53aa8b0b8452b5b3aab43d38a40be532efef62d96ca64f9b50fb08744f77
Instruction Fuzzy Hash: 1F21DF7CE0A209DFD784DFA6D5505AEBBF5AF49300F619099D809A7311D7309E41CFA1

Function 06C48BB8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94df9feadeeb33e80d352a0082502995720a6f290aa9642ca940d6a1199bb5ed
Instruction ID: 062c10843a11c5f3570062033e3e7ff9ca3375a44a018be24baa011c4c0af307
Opcode Fuzzy Hash: 94df9feadeeb33e80d352a0082502995720a6f290aa9642ca940d6a1199bb5ed
Instruction Fuzzy Hash: AA110B30B463149FEBA4FA2A4C08B2A7B97ABC5B50F25846AD102DF2D5DE71CC458751

Function 06C4C635 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164982c085a94b8cf1442bcda8d11425c3de787e51e7682fe1a116bcf01a9cb5
Instruction ID: 7cfb77e0380e7fe54a54549dab644f3474fbcfb28e30208f66845217de7b874a
Opcode Fuzzy Hash: 164982c085a94b8cf1442bcda8d11425c3de787e51e7682fe1a116bcf01a9cb5
Instruction Fuzzy Hash: A331E47490A258CFDB90DF59C980BECB7B6BF4A340F509595D40ABB321D330AA80CF95

Function 06C4C86D Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152b2bc85826a8c16b89eb59323196d084fd44831cc44fc95a3998f10c4c4b92
Instruction ID: a12159b8d6a81e60cf803368acd4c928bb6c3665d83a0d2d25e61e3107a66efb
Opcode Fuzzy Hash: 152b2bc85826a8c16b89eb59323196d084fd44831cc44fc95a3998f10c4c4b92
Instruction Fuzzy Hash: B921F934A06218CFEB54EF95C6C0AEDB7B6BB4D311F645199D40ABB265C331AD81CF90

Function 06C412E5 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef2f6ec01c66db43344a1b650bf6c7744f4c4b040928ccf9b2dd2d0ec443abc7
Instruction ID: 6a5b3fa10d6cf10c429e6ebf2698e2f86249e50044a57a207430087652ec9ff8
Opcode Fuzzy Hash: ef2f6ec01c66db43344a1b650bf6c7744f4c4b040928ccf9b2dd2d0ec443abc7
Instruction Fuzzy Hash: CC01A176D042188FDB60EFE9E4083EEFBE0DF45324F18885AD195E7920C6749585CFA1

Function 06C48BA8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec32e23cf4bcc3d7b166d9882c7135d8b130e5f2f12064b98c7496c9a585634
Instruction ID: 0c9403eb5758202a69fa2fa830474178311c58c25a286f7a3ead014fa627b5b6
Opcode Fuzzy Hash: fec32e23cf4bcc3d7b166d9882c7135d8b130e5f2f12064b98c7496c9a585634
Instruction Fuzzy Hash: 56110A71F47300DFEBA4FA168C04B2A7752EB85B51F65846AE101AF191DB71CC40C755

Function 06C4BF00 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f62e6faa2012bf572f181b0a3e8a3219716325d5282f87cf8a5f7e0a02fe9f
Instruction ID: e404c880b7d5b1a5005d7f9d69fb5825f6b2bfa3ac2e8b131f108eb8a8ceaab1
Opcode Fuzzy Hash: 40f62e6faa2012bf572f181b0a3e8a3219716325d5282f87cf8a5f7e0a02fe9f
Instruction Fuzzy Hash: 4F21A9BCE06209DFDB84DF9AD1809EEBBF5AB48300F609059D919A7711D7319E41CF91

Function 06C4BFE8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fb693024470ef4ef857d54b477f9033043498c9648e4d8f5a3bdee448f28c3
Instruction ID: 86b3cbe597eaffbae62b4e9ea05bc408f4286608da3456a5cc4bf9cb1e91f188
Opcode Fuzzy Hash: 83fb693024470ef4ef857d54b477f9033043498c9648e4d8f5a3bdee448f28c3
Instruction Fuzzy Hash: C5115EB4D0A248DFDB54EFAAC5405ADBBF5FF49300F5095DAD45897222D3309A45CF80

Function 009ED44B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667741886.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 119434cf497c6cb57b8b9e752e9a3a9fff9592b44b66dc6f1c25dcf21bfe6a11
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 7C11D376504280CFDB16CF14D5C4B16BF71FB98314F24C5A9EC090B25AC336D85ACBA1

Function 009ED537 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667741886.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 418e4edf8d71f5236b7668fe47a18e8a0b7d852d70dc1667ebdc4876af3c5c31
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 1A11D376504280CFCB16CF10D5C4B16BF72FB94314F24C5A9EC094B25AC336D85ACBA1

Function 06C4310E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1da5ae6375cbc6850d45d006f5cb92b0c4d13097d8630a407b567d7893e9eaa
Instruction ID: e36098182bac7585d04a658fb99181dafce842ab56ffddada368bbdc68125458
Opcode Fuzzy Hash: a1da5ae6375cbc6850d45d006f5cb92b0c4d13097d8630a407b567d7893e9eaa
Instruction Fuzzy Hash: AB01ADB5A006559B8B65EA7A9C405BFBAB7EFC42607254929D828E7340EF30CA028761

Function 06C40B8A Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b646b97871fe43ed69bab196a35a1b275d0bdd1684b1f78a92de174516434e
Instruction ID: 3f8465ed0da88728b1e8523b19d9f883087a3b252fb2223b86fb9d5f98e9b63d
Opcode Fuzzy Hash: 39b646b97871fe43ed69bab196a35a1b275d0bdd1684b1f78a92de174516434e
Instruction Fuzzy Hash: 792123B6D00309DFCB10DF9AC984ADEBBF4FB48324F10841AE919A7211C339A544CFA5

Function 06C40B90 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44b7fa37f1910297556d6ec368175ac410010c0f054f10f5a3b81e4c18c81f8
Instruction ID: abc07b69053181a784fa72ce7227d6c80fd7a1bbdf4e41ec0a361c3cbeaecfab
Opcode Fuzzy Hash: b44b7fa37f1910297556d6ec368175ac410010c0f054f10f5a3b81e4c18c81f8
Instruction Fuzzy Hash: 7211EFB5900249DFCB10DF9AD984ADEBBF4FB48324F10842AE958A7211C375A944CFA5

Function 009FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667799344.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fd000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 64d45473f29b0a9c251c975f4f97296cb3d5fa775218de9289067d50321d70fa
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: C811BB75504284DFDB02CF10C5C4B65BBA2FB84324F24C6AAD9494B296C33AD81ACBA1

Function 009FD0E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667799344.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9fd000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: bdc219768b00134d0532cfb261aa38ed44efabc2236dbdc78dac7534bc1d4ad4
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 1A11D075608244DFDB05CF10D9C4B25BF72FB44314F24C6A9D9094B256C33AD80ACB91

Function 06C4C7F4 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808c9046adec2c680b4fc3e6b1624456beb775a5fcc89306bd80819fe3490df9
Instruction ID: 7711a20ec12fe71e6e248defc7b17f57e27f7188f64ac4f86e3020d3523a6f4c
Opcode Fuzzy Hash: 808c9046adec2c680b4fc3e6b1624456beb775a5fcc89306bd80819fe3490df9
Instruction Fuzzy Hash: 60115B3090A258CFE790EB55C584EECB7BABF4A341F509595E40AAB221C731E984CF94

Function 06C4D3C0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c83c8091d251112263579654084b2d4f65c88ecab9fd232969a0477997df9c
Instruction ID: 05cf3b435e7719d0489f7b21c68ba9446db2a40d5d3ea4189f0c9b629ae60a4c
Opcode Fuzzy Hash: 84c83c8091d251112263579654084b2d4f65c88ecab9fd232969a0477997df9c
Instruction Fuzzy Hash: 86F03C7090A208DFE744FF96D544ABDBBB9EF8A340F04A1A5D40A5B215D770BA45DB80

Function 06C41339 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795064cec619c71c3dfd97cff3845bbf37f98331f56661c5f3550f9cbbedcb55
Instruction ID: c8987d2ba754462cef9845b730b485313b308a9993515123c591894b0504ec88
Opcode Fuzzy Hash: 795064cec619c71c3dfd97cff3845bbf37f98331f56661c5f3550f9cbbedcb55
Instruction Fuzzy Hash: CF016DB6800209DFDB10DF99D844BDEBBF4EF48324F14C41AE559A7660C379A984DFA0

Function 06C40B1A Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af515b422b9fa4c3e77976e51f61b87470d0146c81360745845c907ce5cb7845
Instruction ID: 3344244c3735cb27092cbd1771aa4db86095640f8564b6d4dd9c308f488e328f
Opcode Fuzzy Hash: af515b422b9fa4c3e77976e51f61b87470d0146c81360745845c907ce5cb7845
Instruction Fuzzy Hash: 3EF0E2B2A24119AFEF09DB54DC829EE7FBAEF04204B0880ABE404D7265E230E901C759

Function 06C4C879 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7416e6715ce869312fe0e51da75b9604395b8faa33857e613f94759593210d50
Instruction ID: 9af1b56c7845794fee7bf2e1f59b0d6b7850e1432e1c56bdd77b0bdf7f413046
Opcode Fuzzy Hash: 7416e6715ce869312fe0e51da75b9604395b8faa33857e613f94759593210d50
Instruction Fuzzy Hash: 9A0192B8D0A219CFDB94DF69D881AEDBBB4FB1A300F106095D51AE7311D6319E82CF80

Function 06C4CC4D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0591e631599f557a7b7c19917d63da1dafa0651a59bf075b1ab1a6c92b3c11
Instruction ID: 95feff5d12ed541a5ec379498c421aa8462c238a684b8e9729a1283e1f0aed8e
Opcode Fuzzy Hash: ba0591e631599f557a7b7c19917d63da1dafa0651a59bf075b1ab1a6c92b3c11
Instruction Fuzzy Hash: 5EF0EC30E06218CFE748EB55C5C0AECB7B6BB4D341F945569D40AAB221C7729D80CF94

Function 06C4C841 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dca436c6b2a3904e36df2e728bf1707409b1beffc17224303f1944618566b0f
Instruction ID: aec4ec086a182694dc24230bf2d9fe59323e73bedcc324d75abfb291bde0d013
Opcode Fuzzy Hash: 2dca436c6b2a3904e36df2e728bf1707409b1beffc17224303f1944618566b0f
Instruction Fuzzy Hash: 0D018130D0A244CFD744DF15C5C59ECBBB6BF59301F544499D00AAB226C7319884CF84

Function 06C4C96E Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c518e4b678a64122dd3d7e5645ddc89dbaf84749df1c1470b042b909475ae050
Instruction ID: 32fdc5d2a9723370f8cdb83a2df514f2b25a652d354ae773f8a4955d09148d32
Opcode Fuzzy Hash: c518e4b678a64122dd3d7e5645ddc89dbaf84749df1c1470b042b909475ae050
Instruction Fuzzy Hash: D6015F78D4A219CFDBA4DF65D581AEDBBB8AB09300F106095D50AE7311D7319E828F80

Function 06C417A0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb283ddb7a2e8f6a4843d1831b1da9eb162871867317d6a76fb516501845de0
Instruction ID: c181483fc38818041e6c7e5168efad64b5811dab0c62546d238334ff7a4f279c
Opcode Fuzzy Hash: dfb283ddb7a2e8f6a4843d1831b1da9eb162871867317d6a76fb516501845de0
Instruction Fuzzy Hash: 3BF0DAB4D0420A9FDB84DFA9C841ABEBBF4FB48300F1545AAD518E7601E77496458BD1

Function 06C4179C Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7284e3525f80a0c81b3b0a42509004faa7f7b85241d8a2361ce989cdcfe5cd
Instruction ID: ed0db54a3bd7303c852ddc55f6db850eda5eea5335cc876e6c98ff3e436b8d30
Opcode Fuzzy Hash: 5a7284e3525f80a0c81b3b0a42509004faa7f7b85241d8a2361ce989cdcfe5cd
Instruction Fuzzy Hash: E8F0DAB4E0020A9FDB44DFA9C441ABEBBF0BB48300F15446AD514E7241D77486458B90

Function 06C4C080 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d1ddaa0fe3e65f278848ddcaa64c39532f424456b937a3ad15d8756a1d3654
Instruction ID: 28692f66613dc48e0b2c588fe18db77d79c62c77740c3a23713cdd816cd1cad3
Opcode Fuzzy Hash: 88d1ddaa0fe3e65f278848ddcaa64c39532f424456b937a3ad15d8756a1d3654
Instruction Fuzzy Hash: 6FF030B1D05105DFCB60EF7DC555A9ABBF0BF08310F208A6AD064E72A5E7704605CB90

Function 06C4C766 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7ef95c0af35d35c28a0f43a7a7f73c3c00cdcf35ebf534f344e5d26d7d1ef7
Instruction ID: 3c679c13bba542b56a7cb37fc85dd9b058b17b6635de3b4050fe6d96753369ac
Opcode Fuzzy Hash: df7ef95c0af35d35c28a0f43a7a7f73c3c00cdcf35ebf534f344e5d26d7d1ef7
Instruction Fuzzy Hash: A3F0B774907358CFDB64DF25D841BD8BBB5AB0A310F1055D9D919A7391DB319E81CF80

Function 06C48A94 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5274117dff7da8ced81809048e84052fedb21c30e5152b1e4ec24a06d9669c
Instruction ID: 4fa2ed7e1e087ad020a47245f8bbc09d1ebc4d16658bd435ad02cc9df94af2f2
Opcode Fuzzy Hash: 5a5274117dff7da8ced81809048e84052fedb21c30e5152b1e4ec24a06d9669c
Instruction Fuzzy Hash: 40E0CDA0C2611ECFDB90FF75C45D2946B51FF19310FD8096DD155C62C1DAB4C649C963

Function 06C48A18 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249838d950519a0d9a77d68832eb06207652a2b053d78a5b67de4d2166ab772a
Instruction ID: 837573179258a2a55a8c2e7270173a1c02158b73b5ff6fc4fe9eaaca98a0321d
Opcode Fuzzy Hash: 249838d950519a0d9a77d68832eb06207652a2b053d78a5b67de4d2166ab772a
Instruction Fuzzy Hash: EBE0C29091D3A8DFCB61AFB2842D1417FA4FF42710B684DEEC0D48A1C2EA658649DF23

Function 06C4C090 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab482deda608d8c4c684702ba2fd4bc4faf8b4197ee3e07234ae5184c6b2389f
Instruction ID: 78193616c91ac4f01dfe500ca72a3b4aa46c057333a7373bc1419f66fff870f6
Opcode Fuzzy Hash: ab482deda608d8c4c684702ba2fd4bc4faf8b4197ee3e07234ae5184c6b2389f
Instruction Fuzzy Hash: CAE0B6B1D40209DFD790EFB9C905A9EBBF0BF08200F1185B9D019E7261E7B496048F91

Function 06C4AB30 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5a9bad37d91499e83f22fb049791b1fd4d9b890a04acb5981c5f2a7aa7699b7
Instruction ID: 149debc5ad9f17805a9d5c0880af62b4b4479aff8719019fafb4c19827220591
Opcode Fuzzy Hash: e5a9bad37d91499e83f22fb049791b1fd4d9b890a04acb5981c5f2a7aa7699b7
Instruction Fuzzy Hash: 75D02E3048F304CFE3213BE6E8283863FB3AF02346B058043D4C885069DA2202C9CB02

Function 06C47470 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c84f080428a6c092e78321d6bbff87d5b36bde089127c5e31f59734e6ee573
Instruction ID: a938227eadee760118fb91d9d796e0b00241abfb258916f98e0e17f788a81d5b
Opcode Fuzzy Hash: 75c84f080428a6c092e78321d6bbff87d5b36bde089127c5e31f59734e6ee573
Instruction Fuzzy Hash: 15C08C8922C380DAD322AF208A22442BEB4BFA270136944C7CED885173DA205739D333

Function 06C42FF8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b354ad8cf3c50a28aaa0293240ed29ee9e772ffe52d1c1e5f7862b30da961680
Instruction ID: 5091ed910901e8324923f29a8f8566572e0a7606319b9055fa88740b552c6942
Opcode Fuzzy Hash: b354ad8cf3c50a28aaa0293240ed29ee9e772ffe52d1c1e5f7862b30da961680
Instruction Fuzzy Hash: 64D0126E50A1801FF343B7208C52CC17F65EA5324434AC0C2D4509A437D801841E9793

Function 06C4AF1D Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c98442e7d7472a21c11e13ad11d0503f1f64795b09addcf497365ec21f53d81
Instruction ID: 49c96ce3bed6b06f64304c4342073109e5c1f2a5edb45fe89f70d9e9fda3679d
Opcode Fuzzy Hash: 4c98442e7d7472a21c11e13ad11d0503f1f64795b09addcf497365ec21f53d81
Instruction Fuzzy Hash: 6DD01C38A42208CFEB10DB98EC40BD8BB38FB88310F0022A2C00D93214C7306AA88E40

Function 06C41840 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b31e2086482e1e8964d5b17bc78fa3b3e323f7fb04d50a0c7f9aa9868e94d0b
Instruction ID: 794382981cbc367e7ebc125fdcc4a30d9dc5c7873cf3be572996e054ce9a18d7
Opcode Fuzzy Hash: 7b31e2086482e1e8964d5b17bc78fa3b3e323f7fb04d50a0c7f9aa9868e94d0b
Instruction Fuzzy Hash: 5BD0123625020C9E4BC0FFD4EC40C5277DDBB246107048436E548CB621E721F574E7A1

Function 06C4AB40 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6797fb70ccbb563f81e49cd764f8e5c617324f670ff9913fb3593c86e4e6bb2d
Instruction ID: 67c1cf30ead5617cff35f36dbe4faeff47487a2846dd2848caf206f7f051f7bd
Opcode Fuzzy Hash: 6797fb70ccbb563f81e49cd764f8e5c617324f670ff9913fb3593c86e4e6bb2d
Instruction Fuzzy Hash: 51C08C304437098BE744B7E6B40C3683A6BA74032AF400010E20D020108F6240C8CE91

Function 06C40FD0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef504a71aec703b7d634ee8470391bb5f18e3dda2abeb247d19549ae62d1284
Instruction ID: 9922086384c3b5909db568f0518ee87f8210aa9f26e475224d1c39b3b9493d3b
Opcode Fuzzy Hash: 6ef504a71aec703b7d634ee8470391bb5f18e3dda2abeb247d19549ae62d1284
Instruction Fuzzy Hash: ACC04C36155144AF9B81F7558984C19FAB1FF95300B408861A24985034CA21C558EB86

Function 06C455AC Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a07a8c881bbee26cb34d2e2fb599b41d3d05c82f7addb5c4b75c9f39e8a018
Instruction ID: a54e8bdb37a1ea100c53a67a8fb3c8f63d3bfdd76fc46bd9e4bbec26af521760
Opcode Fuzzy Hash: 06a07a8c881bbee26cb34d2e2fb599b41d3d05c82f7addb5c4b75c9f39e8a018
Instruction Fuzzy Hash: DEB012792B4504F69600F364498493EEC11EFE5740FD1DC11B34580024C570C469FA3F

Non-executed Functions

Function 06E216E8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

Nf, xrefs: 06E21743

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: Nf
API String ID: 0-3311990345
Opcode ID: 63099e1ca75b09e664aa70f9b284c873f666ca5d4a4ec26f21a167b7938ea844
Instruction ID: 4d09ba5b5dd83697e76d06791fc67846548b5cb4260fe21646472dc428ed3f1d
Opcode Fuzzy Hash: 63099e1ca75b09e664aa70f9b284c873f666ca5d4a4ec26f21a167b7938ea844
Instruction Fuzzy Hash: 20E10C74E002198FDB14DFA9C580AAEFBF2FF89304F249169D515AB359D731AA41CFA0

Function 06E216D7 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

Nf, xrefs: 06E21743

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: Nf
API String ID: 0-3311990345
Opcode ID: fde87d99f8d33685c25cbd7e2890d0ee4a9de77de7ed213f1540693b047782ac
Instruction ID: 235218145894aa94b8612a91cc1a81b527354b3d90101a2d1020e8b62f445ddc
Opcode Fuzzy Hash: fde87d99f8d33685c25cbd7e2890d0ee4a9de77de7ed213f1540693b047782ac
Instruction Fuzzy Hash: A5512C74E0022A8FDB14CFA9C5845AEFBF2BF89304F24D16AD518A7355D731AA41CFA1

Function 04BB6C80 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672148447.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bb0000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94cbe2f798945d667084b7df2317a8b031d35b8ae2ddd5daded282de55c9a665
Instruction ID: 365f996b6ba3fa8e6296c9fb5b9da9d597946c50c34208b9e6e1da2759618ee1
Opcode Fuzzy Hash: 94cbe2f798945d667084b7df2317a8b031d35b8ae2ddd5daded282de55c9a665
Instruction Fuzzy Hash: 501271B0401F468AD710CF65FD4C2897BA1BB81328F914209D2A5AA3F9DBF915DACF74

Function 06C4FA68 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9947bdb5a7721f712fdd847736e2b822250fe900917d72ead3e05c3bc908d727
Instruction ID: 40a23f09d8c0399cc6815d2edeab431e457279be316d19330604efdbbba03f62
Opcode Fuzzy Hash: 9947bdb5a7721f712fdd847736e2b822250fe900917d72ead3e05c3bc908d727
Instruction Fuzzy Hash: FCE10B74E001198FDB54DFA9C580AAEFBF2FF89304F249169D414AB35AD731A941CFA1

Function 06E20040 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9991042063cde9b4abdd6535fe9bb22a9e423f1fa662f8d67ad3e1500ceafd
Instruction ID: f379fbe4932686e05bb1861558514e21ea3bb8b6e5dbc2c974aa8eab0ecd7e1c
Opcode Fuzzy Hash: ec9991042063cde9b4abdd6535fe9bb22a9e423f1fa662f8d67ad3e1500ceafd
Instruction Fuzzy Hash: 54E1FA74E002298FDB54DFA9C5849AEFBF2BF89304F249169D414AB35ADB30A941CF61

Function 06C40040 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6117583cb6d13aa0f4ef86be282de218b4e47729eb6bec48dceda8b4f84b41cd
Instruction ID: 6285e36ccfd2cc8c4723f3b4fc664e445b279e92a58200ceb1283064bcfee460
Opcode Fuzzy Hash: 6117583cb6d13aa0f4ef86be282de218b4e47729eb6bec48dceda8b4f84b41cd
Instruction Fuzzy Hash: E4D12931920A5A8ACB01EBB4D994A9DF7B1FF95300F60D79AE00937255EB70BAC4CF41

Function 04BB48C4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672148447.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bb0000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47228c20bb701e838c4e07e877351f3b6ba01a5212e96d43313b0c06ca01282b
Instruction ID: 939fccf1262531216e8d49ebf03a7a0505cfee1d0e38fa4f99c63ad090b8d32a
Opcode Fuzzy Hash: 47228c20bb701e838c4e07e877351f3b6ba01a5212e96d43313b0c06ca01282b
Instruction Fuzzy Hash: BAA1AF32E00209DFCF15DFB4C8805EEB7B2FF85304B1545AAE845AB265DBB1E955CB90

Function 04BB6C71 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672148447.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bb0000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 191b9f6ec3985622808492541cb287592ce4c68748549fecec0bf6acb3de5162
Instruction ID: f81ef4b9185e1b9f04f9e0e9422fedecaafc10f89a836c01e74af04a84375961
Opcode Fuzzy Hash: 191b9f6ec3985622808492541cb287592ce4c68748549fecec0bf6acb3de5162
Instruction Fuzzy Hash: F2C1D4B0801B468AD710CF65FC482897BB1BB85328F554219D2A1AB3F9DBF855CACF74

Function 06E20007 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5591d1574cb88e938b60d1ca6ac110fcf3b19af8cb393c45330d24b3915b3c
Instruction ID: a65b3da34a5fb37536bd2a42f2c403c531264a9f901c102906db48c57f882522
Opcode Fuzzy Hash: 8f5591d1574cb88e938b60d1ca6ac110fcf3b19af8cb393c45330d24b3915b3c
Instruction Fuzzy Hash: 4461AF70D003698FCB55CFA9C9845AEBBF2FF89304F1491AAD408AB256D7309D46CFA1

Function 06E23FD0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674343674.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e20000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d3a74b55d3ffec5d2f617da8bebdf2792082c45858f59838b8f39aa85de3b2
Instruction ID: 7386bb0576e54c2b36ac215354b6f8f37f88f713a53bf3e1994f4eb852c745c6
Opcode Fuzzy Hash: 78d3a74b55d3ffec5d2f617da8bebdf2792082c45858f59838b8f39aa85de3b2
Instruction Fuzzy Hash: 7331D8B1D05728CAEB68CF57DC047DAFAF7ABC9300F04D0AAC40D66255DB740A898F51

Function 06C46908 Relevance: 5.2, Strings: 4, Instructions: 217COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C46A0D
LR^q, xrefs: 06C46BCE
$^q, xrefs: 06C46CE7
LR^q, xrefs: 06C46CB4

Memory Dump Source

Source File: 00000000.00000002.1674009540.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c40000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: aafdb72aae8d44009770d67b2ff904a3962ee8216ba0092af444a3b89dd4aea6
Instruction ID: f818eecf78a5bafccfe36bd9f1faa96f742019e9ad676b5b6a7e6c3a14bfcbd2
Opcode Fuzzy Hash: aafdb72aae8d44009770d67b2ff904a3962ee8216ba0092af444a3b89dd4aea6
Instruction Fuzzy Hash: C0913A70E00118CFCB54DFAAC584AADB7F2BF49310F298559E856AB669C730ED81CF94

Analysis Process: Catalina - Particulars.pdf.scr.exePID: 5856, Parent PID: 6636COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	166
Total number of Limit Nodes:	18

Executed Functions

Function 06633060 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0663376B
$^q, xrefs: 06633794
$^q, xrefs: 066337B8
$^q, xrefs: 06633788
$^q, xrefs: 066337AC
$^q, xrefs: 0663375F

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 3d9e700449595ea3c41f6097370080ae147225f0abbc7a58be569213acc166f5
Instruction ID: fe3e3896d85e3565ccdb750d857e776a87f7e5ab7cc86470a849244e21e4d1c3
Opcode Fuzzy Hash: 3d9e700449595ea3c41f6097370080ae147225f0abbc7a58be569213acc166f5
Instruction Fuzzy Hash: DF322D31E1075ACFCB54EF75C99459DB7B6BF89300F20C6A9D409AB364EB30A985CB81

Function 06637D80 Relevance: 3.0, Strings: 2, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06638327
$^q, xrefs: 0663831B

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: a4c0dd7c9cf7501812a5accd9b7a40972ce085e0a400c0c94f703ab660dbf259
Instruction ID: 48c0c4d7d3b82f49ee9e17cd55bd61478532101c934a64a0c3ba463e3e48f673
Opcode Fuzzy Hash: a4c0dd7c9cf7501812a5accd9b7a40972ce085e0a400c0c94f703ab660dbf259
Instruction Fuzzy Hash: 4E029E30B002159FDB54DB64D980AAEB7E2FF84304F148569E90ADB394EB75EC86CB91

Function 066355A0 Relevance: 1.9, Strings: 1, Instructions: 606
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 0663597B

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 374b52f9cd1b54efd9c1a99ea6902c5ff40d6999ed5f90df288eb95497bef876
Instruction ID: 5067853fa3a8a0c6e52abab93612cdbbe648fa689658cb071ac2f0d4f7ca2ff2
Opcode Fuzzy Hash: 374b52f9cd1b54efd9c1a99ea6902c5ff40d6999ed5f90df288eb95497bef876
Instruction Fuzzy Hash: E422E375E102259FDF60DBA4C4906AEB7F2EF85324F24846AD44AEB394DB31DC42CB91

Function 06632340 Relevance: 1.0, Instructions: 1023COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ffc4bdba644111c0148c7831acf6d9f15d5e18fd91ecb24313ee2c17d414ba
Instruction ID: 77048f52830822ffadf1afbb07c4f9644b65c85516a0853c5b4a47aa66e854b4
Opcode Fuzzy Hash: 92ffc4bdba644111c0148c7831acf6d9f15d5e18fd91ecb24313ee2c17d414ba
Instruction Fuzzy Hash: 2B925634E002148FDB64CB68C594A6DBBF6FF49314F5484A9D84AAB361DB35ED86CF80

Function 066365F0 Relevance: .8, Instructions: 832COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc5336dc4d38dc33466f0a30da21d0736293cfdc512bfdcfdf8b9558bf79b9e1
Instruction ID: c8b36bce6250f2b6db33784a3c2b989ef231c0cd55b3a2334d93fcaecaca47b6
Opcode Fuzzy Hash: dc5336dc4d38dc33466f0a30da21d0736293cfdc512bfdcfdf8b9558bf79b9e1
Instruction Fuzzy Hash: CC62B034B00214AFDB54DF68D584AADB7F2EF89314F248469E90ADB394DB35EC46CB90

Function 0663C190 Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2409ae44e70e92c59e6c1e4f030bbfedc337b80978542dea485f78b84bfd970
Instruction ID: bd6ba59c630cab812523fefb9e201dd7155391befe4a5bb0b5019ce9625ddb57
Opcode Fuzzy Hash: f2409ae44e70e92c59e6c1e4f030bbfedc337b80978542dea485f78b84bfd970
Instruction Fuzzy Hash: 84326F34F102199FDF54DB68D980AAEB7B2FB88314F108529E505EB395DB31EC86CB91

Function 0663B238 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 373c8cf81016de6ac56d344f27c734d848986c96fbe7d0054ee2dd265b312788
Instruction ID: c0b3f6df50122a272edb309dad838b0085b49caf3880de6a5b0cca8d37802d45
Opcode Fuzzy Hash: 373c8cf81016de6ac56d344f27c734d848986c96fbe7d0054ee2dd265b312788
Instruction Fuzzy Hash: D9227130E102199FEF64CF68D5807ADB7B6FB99310F208926E449DB395DA35DC81CB91

Function 0663B658 Relevance: 8.0, Strings: 6, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0663BBA9
$^q, xrefs: 0663BBE9
$^q, xrefs: 0663BBB5
$^q, xrefs: 0663BBDD
$^q, xrefs: 0663BC1D
$^q, xrefs: 0663BC11

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 606b1add7e6ed2930589fa83b0594db90941252de0e684e101d6bb0363ba455b
Instruction ID: 1d59a0260109abe7629dbdde995ef051f50045c0cec0c7affeca7a8e73de6b93
Opcode Fuzzy Hash: 606b1add7e6ed2930589fa83b0594db90941252de0e684e101d6bb0363ba455b
Instruction Fuzzy Hash: D9026B30E002299FDBA4CF68D5807ADB7B2FB95310F10856AD409DB395DB74E986CB91

Function 06622873 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 066228F6
GetCurrentThread.KERNEL32 ref: 06622933
GetCurrentProcess.KERNEL32 ref: 06622970
GetCurrentThreadId.KERNEL32 ref: 066229C9

Memory Dump Source

Source File: 00000005.00000002.4103158817.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6620000_Catalina - Particulars.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 621bf3f63a6b8e09d7b932a16e217bdb5c1fdbc981e11aee0670bd34f122ad4c
Instruction ID: cafd9d13806b871f80e001c7004824fc0b6955fdd0bde6970a08492e2b573f12
Opcode Fuzzy Hash: 621bf3f63a6b8e09d7b932a16e217bdb5c1fdbc981e11aee0670bd34f122ad4c
Instruction Fuzzy Hash: 045166B0D00649CFDB84CFAAD548BEEBBF1AB48304F24C559E419AB360C7359984CF65

Function 06622878 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 066228F6
GetCurrentThread.KERNEL32 ref: 06622933
GetCurrentProcess.KERNEL32 ref: 06622970
GetCurrentThreadId.KERNEL32 ref: 066229C9

Memory Dump Source

Source File: 00000005.00000002.4103158817.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6620000_Catalina - Particulars.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 70d1449d991e953f3a9ff3b34569a605b9a8bbb75f71b52002c878eb5d67e902
Instruction ID: 556ffb08816ca6d7b196db2d168a83c596d8750e702943674151af10651188a4
Opcode Fuzzy Hash: 70d1449d991e953f3a9ff3b34569a605b9a8bbb75f71b52002c878eb5d67e902
Instruction Fuzzy Hash: 0F5166B0D00649CFDB84CFAAD948BDEBBF5AB48304F24C519E419AB360C7359984CF65

Function 06639158 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066391C8
$^q, xrefs: 0663920F
$^q, xrefs: 06639203
$^q, xrefs: 066391D4

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 4769cd85a9de455296c1c566320431bbd66d0e913b70b5cce8c19cf539edcbb6
Instruction ID: a3b80de4dcbb86355d5ddb4925e3a22b172478c86a482cc19e336ed242a28656
Opcode Fuzzy Hash: 4769cd85a9de455296c1c566320431bbd66d0e913b70b5cce8c19cf539edcbb6
Instruction Fuzzy Hash: 32914C30F1021A9FDB54DB65D9507AFB3F6ABC9304F108669C50AEB348EB709C468F91

Function 0663CF48 Relevance: 4.6, Strings: 3, Instructions: 801
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0663D33F
$^q, xrefs: 0663D347
$^q, xrefs: 0663D353

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: e65c766f62007b47221b324e5d761162e0661c531646214011a7b40003c92d80
Instruction ID: 9903e5226c5650fac9d269e5903d9a7f3394fef7d55e68993ffefce830f0cfe2
Opcode Fuzzy Hash: e65c766f62007b47221b324e5d761162e0661c531646214011a7b40003c92d80
Instruction Fuzzy Hash: 70623D30A00215CFDB55EF68D590A5EB7B2FF84304F248A69D4099F369DB71ED8ACB81

Function 06634B70 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 0663527D
\Ocq, xrefs: 06634D27
XPcq, xrefs: 06634C9D

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: fd6f94e864d29253667b71dd494519a6f50924d25f6d4f38d5e56928da0028a6
Instruction ID: b59f9697531d2ef8b70226b9500953704cc29be622e36c127e2b933b0920f7aa
Opcode Fuzzy Hash: fd6f94e864d29253667b71dd494519a6f50924d25f6d4f38d5e56928da0028a6
Instruction Fuzzy Hash: 84614B30E002189FEB549FA9C9547AEBAF6EF88700F208469D50AEB394DE758C458B95

Function 06639149 Relevance: 2.7, Strings: 2, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066391C8
$^q, xrefs: 06639203

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: b165cb84d534d9f38115a5db727c2e22b06f901ac2654911de2d8b2d1a6e8e4d
Instruction ID: 51534cd6e821af4cd354de78c162e46973256c9f4b490242e6eadd9cf264e0fa
Opcode Fuzzy Hash: b165cb84d534d9f38115a5db727c2e22b06f901ac2654911de2d8b2d1a6e8e4d
Instruction Fuzzy Hash: B1514F30B142169FDB54DB74D990B6FB3FAEBC9304F108569C50AEB388EA70DC428B95

Function 0662AF10 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0662B176

Memory Dump Source

Source File: 00000005.00000002.4103158817.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6620000_Catalina - Particulars.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 94189ed7886f23c4d930943845d7d22f1c167548088a8f1b60aad383850cd091
Instruction ID: ed615276ff9788b1bcbdc1ee4c28131e7e9403380a44fe0b52958101afef5abc
Opcode Fuzzy Hash: 94189ed7886f23c4d930943845d7d22f1c167548088a8f1b60aad383850cd091
Instruction Fuzzy Hash: 75813270A00B168FD7A4DF69D54075ABBF1FB88204F008A2ED49ADBB50D775E849CF94

Function 027CEA50 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4098709556.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_27c0000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e402983478a3326140081c95e691ec4a8776897957272a4efbd820df5cf32c3f
Instruction ID: d0a04d1b426cad6766b58bc542d46fd681799cb6cc82cbae5ff25c65cb598db0
Opcode Fuzzy Hash: e402983478a3326140081c95e691ec4a8776897957272a4efbd820df5cf32c3f
Instruction Fuzzy Hash: AF412272E003958FCB14DF79D8046EEBBF2AF89320F1485AED845A7250DB349885CBE1

Function 0662D0E4 Relevance: 1.6, APIs: 1, Instructions: 120COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0662D202

Memory Dump Source

Source File: 00000005.00000002.4103158817.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6620000_Catalina - Particulars.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5a8f038ad0fb796342c2ba520b4bcb5b9444affb3166cce8bdc8769819075dfe
Instruction ID: 8e1c2984ad38796a8f0fd7d695a1ca9886c199825d3657d313143a802c66f52c
Opcode Fuzzy Hash: 5a8f038ad0fb796342c2ba520b4bcb5b9444affb3166cce8bdc8769819075dfe
Instruction Fuzzy Hash: 6751D3B1D00759DFDB14CFA9C884ADEBFB5BF48310F24812AE818AB211D775A885CF91

Function 0662D0F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0662D202

Memory Dump Source

Source File: 00000005.00000002.4103158817.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6620000_Catalina - Particulars.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 839650a77c8ad0e867be77ef1d12ff9daba30bf9a5047ffb9b2335b85a6351b3
Instruction ID: 9c0ae4cee509e33741944cb07429899d8575a83750ddef856ae0802d74f959f2
Opcode Fuzzy Hash: 839650a77c8ad0e867be77ef1d12ff9daba30bf9a5047ffb9b2335b85a6351b3
Instruction Fuzzy Hash: 3741B1B1D00359DFDB14CFA9C984ADEBBB5FF48310F24812AE818AB211D775A885CF91

Function 0662A5EC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0662F8F1

Memory Dump Source

Source File: 00000005.00000002.4103158817.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6620000_Catalina - Particulars.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a935c6b0e4859bff1e22bb3481aab00bc1019a3668cf2afab1a3fab29ce5e085
Instruction ID: 94bf5019ded348746c10b4c07da6f7da6e79a1f399863dd0ad6c46a1e3208288
Opcode Fuzzy Hash: a935c6b0e4859bff1e22bb3481aab00bc1019a3668cf2afab1a3fab29ce5e085
Instruction Fuzzy Hash: F14126B4A00719DFDB54CF99C488AAAFBF5FB88314F24C459D519AB321D774A841CFA0

Function 06622AB8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06622B47

Memory Dump Source

Source File: 00000005.00000002.4103158817.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6620000_Catalina - Particulars.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e79321a5ea7ebcaeac6bd05d5d971ec008cf25fcbc82345394998698f91bddc8
Instruction ID: 6a1c22c5ab3ac62832328c3842713e4f20a0a081aa62dc4d795edba3474eeae3
Opcode Fuzzy Hash: e79321a5ea7ebcaeac6bd05d5d971ec008cf25fcbc82345394998698f91bddc8
Instruction Fuzzy Hash: 9D21E4B5D00259DFDB10CFAAD984ADEBBF5FB48310F14801AE914A7310D374A954CFA1

Function 06622AC0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06622B47

Memory Dump Source

Source File: 00000005.00000002.4103158817.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6620000_Catalina - Particulars.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b3978eddc5da0a659368ad0bd939dfaa3aae64d1efa59b6f24e854d8e320a028
Instruction ID: 5b3dfd2880cc53188a22db9410219f34862c3ed9ca03b6812ab42da00249e5e3
Opcode Fuzzy Hash: b3978eddc5da0a659368ad0bd939dfaa3aae64d1efa59b6f24e854d8e320a028
Instruction Fuzzy Hash: F521E4B5900219DFDB10CFAAD984ADEFBF8FB48310F14801AE914A7310D374A944CFA5

Function 0662B373 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0662B1F1,00000800,00000000,00000000), ref: 0662B3E2

Memory Dump Source

Source File: 00000005.00000002.4103158817.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6620000_Catalina - Particulars.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e1d604e5e8e2003db09d71fd0510935bb081c5008b8afe1bfe1ddc3d12ced04d
Instruction ID: 3937dbfdedeaf38ce9cbbdfdc0b7e09e2d5316061c90cd5644281094762da413
Opcode Fuzzy Hash: e1d604e5e8e2003db09d71fd0510935bb081c5008b8afe1bfe1ddc3d12ced04d
Instruction Fuzzy Hash: 961123B6D003599FCB10CFAAC844ADEFBF8FB48324F14842AE419A7210C375A945CFA5

Function 0662A328 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0662B1F1,00000800,00000000,00000000), ref: 0662B3E2

Memory Dump Source

Source File: 00000005.00000002.4103158817.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6620000_Catalina - Particulars.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a0303657d753b56d8a4eed0591d44455cac12212a685303164de0db653df50b5
Instruction ID: 86baccf9e7b98a7b6d66404e455e1759d7f49a01cf176c58158ebf68e1a966e7
Opcode Fuzzy Hash: a0303657d753b56d8a4eed0591d44455cac12212a685303164de0db653df50b5
Instruction Fuzzy Hash: 981100B6900359DFDB10CFAAC444AEEFBF4FB48324F10842AE919A7210C375A945CFA5

Function 027CEB38 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 027CEB9F

Memory Dump Source

Source File: 00000005.00000002.4098709556.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_27c0000_Catalina - Particulars.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b811ecced08c7b74155e123e1fa55c1c2822bd090458502cba281e5345ce21e5
Instruction ID: aec9ce12380eb560e783d9e99b15d3c91ed2e1e3c59d63a1b388e6be051d1310
Opcode Fuzzy Hash: b811ecced08c7b74155e123e1fa55c1c2822bd090458502cba281e5345ce21e5
Instruction Fuzzy Hash: 571123B1C002699FCB10DFAAC544BDEFBF4BF48320F20816AD818A7251D378A944CFA5

Function 0662B110 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0662B176

Memory Dump Source

Source File: 00000005.00000002.4103158817.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6620000_Catalina - Particulars.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2643dcc246f2b8cb9f1a7a1d12cf2a96d920d4051ef6cc67c4bfb0d41b0021e1
Instruction ID: b877699d0b2ef4cd75bf4bb6118f95e0c1f6514917e3eca41bbc8f38129b49f0
Opcode Fuzzy Hash: 2643dcc246f2b8cb9f1a7a1d12cf2a96d920d4051ef6cc67c4bfb0d41b0021e1
Instruction Fuzzy Hash: B91102B5C006598FCB10DF9AC844ADEFBF4EB48214F10842AD418A7210C375A585CFA5

Function 06634B60 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

XPcq, xrefs: 06634C9D

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: XPcq
API String ID: 0-714321711
Opcode ID: d041c577c797b1cce3574b5e1e610ad99369db7888dfe100ed3199041c345b7d
Instruction ID: cf6d7180260e915df8de2f29621f0216d6b298635acdcdfb4f046992ba9ae6d2
Opcode Fuzzy Hash: d041c577c797b1cce3574b5e1e610ad99369db7888dfe100ed3199041c345b7d
Instruction Fuzzy Hash: DC517C30E102589FDB459FA9C854BAEBBF7EF88700F20856AD146EB395DA708C458F91

Function 0663DABD Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0663DC19

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: aedc15aa3afb1447f9aa43dcf68e2875fd260d626eca8ad532b2e0c6483f808e
Instruction ID: cf48f15da138f9ba5136a820db43a9a9829820941ba2721489f68e72c63c7565
Opcode Fuzzy Hash: aedc15aa3afb1447f9aa43dcf68e2875fd260d626eca8ad532b2e0c6483f808e
Instruction Fuzzy Hash: 1641BD70E00319DFDB65DFA5C4946AEBBB6BF85300F208929D406EB344DB70E946CB91

Function 066321C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06632303

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: f73eb3b7c1a6094945a5b166ed9f3fb4452154ee27a0916f6159693964bdd399
Instruction ID: 67819351688d567f3879cb25b71b18e7dea4c29ff1e80d5d01ad259c12df019a
Opcode Fuzzy Hash: f73eb3b7c1a6094945a5b166ed9f3fb4452154ee27a0916f6159693964bdd399
Instruction Fuzzy Hash: 6131E330B042158FDB59AB74DA6466F7BE7AF89300F20852CD406DB398EE35DD46CBA1

Function 066382D0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$^q, xrefs: 0663831B

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 3f9d16dfb9aa4265b8c81ccb3dd69e236013c3fb76d8afba8a199fb968306f0c
Instruction ID: 897d8258f6b572a1804da3ae035bbc932f34b20747afc7391abd8978a3e9b841
Opcode Fuzzy Hash: 3f9d16dfb9aa4265b8c81ccb3dd69e236013c3fb76d8afba8a199fb968306f0c
Instruction Fuzzy Hash: D7F0AF31A08221CFEFA89A94EA806FC73A5EB80310F14446DE909CB345D731DE46C791

Function 066361F0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f598c459120f918910080589fed402f8cd1b378db1f7185a69d47c127ceb095
Instruction ID: d3454cd4b86626a528b31fb4c69b9092cde03b4fa708faf3e3244125b4e52686
Opcode Fuzzy Hash: 5f598c459120f918910080589fed402f8cd1b378db1f7185a69d47c127ceb095
Instruction Fuzzy Hash: 7D61BF71F000215FCF509A7EC88466FAAD7AFC4620B26443AD80EDB364EEA5DD0287D2

Function 066342A1 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e996ec73de2e7cff3d093756f698ad6804bbf814e1720e3aafba118fbee3eb
Instruction ID: 6a57fc14a6914eb20b0d9d16a21656a51c34d91b6cbdfc770d8e87dc9a7a545d
Opcode Fuzzy Hash: 87e996ec73de2e7cff3d093756f698ad6804bbf814e1720e3aafba118fbee3eb
Instruction Fuzzy Hash: 1C815A30B002199FDF54DFA9D5906AEB7F2AF89304F148529D50AEB395EF30EC468B91

Function 066345C4 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621f4325a1a508a297e29c2e97e4b7e3aa7ea176ed7ab49e7df64e23181b901a
Instruction ID: 660c39153e1de572ede3c892386e2eef5541931e81d9e22ffbc9de0bb9094d71
Opcode Fuzzy Hash: 621f4325a1a508a297e29c2e97e4b7e3aa7ea176ed7ab49e7df64e23181b901a
Instruction Fuzzy Hash: 23914C30E102198BDF60DF68C890B9DF7B1FF89300F208599D549AB355DB71A985CF91

Function 0663AF30 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1464177badd5ea5c1f4efea11cd5f0958cd5230cc5a1a2e686a8e6ab64742d
Instruction ID: 208fc71b25ae2d13f3a50ca94975a73e61e01b96024a7599a6c25c0f302f8304
Opcode Fuzzy Hash: bf1464177badd5ea5c1f4efea11cd5f0958cd5230cc5a1a2e686a8e6ab64742d
Instruction Fuzzy Hash: 31715B31E1021A8FCF55DFA8D5806AEB7B2FFC5304F108529D90AAB354EB75D84A8B91

Function 066345D8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b69e7bb92ca7bfdd8d1c6f17ce868451bc43b8743762d1dd4fb964acbc43ea
Instruction ID: 584db4676c5e1b3cf8f254f27c8e6c8c147b8806eed84e1b02d8106bf435b317
Opcode Fuzzy Hash: c4b69e7bb92ca7bfdd8d1c6f17ce868451bc43b8743762d1dd4fb964acbc43ea
Instruction Fuzzy Hash: 47914E34E102198BDF60DF68C890B9DF7B2FF89300F208599D549AB355EB71AA85CF91

Function 0663FBB8 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e4ccc307a4e8a21131d757a3bc5f9e4f158835c7367b687c8de1d9a9d631bd
Instruction ID: 062afd538b679e5ed49e29e9de4633cba7dbc7588b75bc48b8714e0f5f5f1fea
Opcode Fuzzy Hash: b6e4ccc307a4e8a21131d757a3bc5f9e4f158835c7367b687c8de1d9a9d631bd
Instruction Fuzzy Hash: 3F61E331E01219DFDF54AF78E8546AEBBB2EB84315F10887AE50ADB350DB358855CB90

Function 0663EB1A Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7352f78370b29db4e8992b44d126a2bebb843c2c60412f07df6db0b080e509f
Instruction ID: a34c3dc69440f3a5a60d46fca3ddde3af58b1d9643e5b231b0d665f336707f59
Opcode Fuzzy Hash: b7352f78370b29db4e8992b44d126a2bebb843c2c60412f07df6db0b080e509f
Instruction Fuzzy Hash: E4713F30A012189FDB55DBA9D980AAEFBF6FF84310F24846AD016EB354DB31EC46CB50

Function 0663EB28 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9788347c0e73c719e6cc4999b4f14ed92938b1764e34c345fd6f768a7ed8c6c
Instruction ID: 31079e2a6f35febea81a0b5a2a4c1fd92880192de30ea576befc54f9f38b3b02
Opcode Fuzzy Hash: d9788347c0e73c719e6cc4999b4f14ed92938b1764e34c345fd6f768a7ed8c6c
Instruction Fuzzy Hash: 08711C30A012189FDB55DFA9D980AAEFBF6EF84300F24846AD016EB354DB31EC46CB54

Function 0663F968 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226f60a285d357e588dd1901466b0bea631f1878a0fbbe609e91d2ae2e313a9b
Instruction ID: 8f5a92446cf3ffe3bf795b701368d1fab066f8082f5f0a43f44afb48f7eaefac
Opcode Fuzzy Hash: 226f60a285d357e588dd1901466b0bea631f1878a0fbbe609e91d2ae2e313a9b
Instruction Fuzzy Hash: EA51A770F11324DFEF646A6CD95476F369ED789310F20482AE10ADB3D5CA79CC8987A2

Function 0663F978 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab922c1a9581a11f8087121989e9471dc8df67d2f5fcb036f58068ed4c5d716
Instruction ID: 6292b298dcee0af0b6efc88da9d93fbf38e2f41592c03adc1c5a1ce8324623cf
Opcode Fuzzy Hash: 5ab922c1a9581a11f8087121989e9471dc8df67d2f5fcb036f58068ed4c5d716
Instruction Fuzzy Hash: 13519670F11224DFEF646A6CD95472F369ED789310F20482AE10BDB3D9CA79CC8587A2

Function 06635419 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf720f539674fd7d990ac617f74c8e542e808b0a645b35e48bd2fc72befee494
Instruction ID: eb1ea30f7f4cdfc7ac991df4a606b71aac62f24be23055870e8c68026210550e
Opcode Fuzzy Hash: cf720f539674fd7d990ac617f74c8e542e808b0a645b35e48bd2fc72befee494
Instruction Fuzzy Hash: F8417C71E002199FCF70CFA9D8C0AAFFBB2EB84310F10492AE15AD7251D330E8598B91

Function 0663D970 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e1e82999cbe411bb10117f79fea29a4d43536d1d87072ce2069346e8367e79
Instruction ID: 48782d2168e6eca75d61937f948a86b3eeb1b427cc2859e0223e6384aa120f26
Opcode Fuzzy Hash: c3e1e82999cbe411bb10117f79fea29a4d43536d1d87072ce2069346e8367e79
Instruction Fuzzy Hash: 0231E431E1431A9FCF11DF69D98069EFBB6FF85304F148529E805AB344EB70E8468B91

Function 0663207B Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95647e62318db0f0504394ddd9483f1d420839cbb27513c173cd75bbeb52580e
Instruction ID: e53d8df1dbadf08f4a6e4c71be6ffb1fbff775fe7c2ced2f49bb10c1a835d8eb
Opcode Fuzzy Hash: 95647e62318db0f0504394ddd9483f1d420839cbb27513c173cd75bbeb52580e
Instruction Fuzzy Hash: A7319230E102169FCB55CF68D8646AEB7F6FF89300F148529EA06E7350DB71AD86CB50

Function 06632088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5a51cc4c534ad9ab0d5303a11d93456870069c6cfdecac7e47d6284521de42
Instruction ID: 1bc17c4b01d12b0459b20c01f8c18726a2266d85b59430c42195c7d8f95deec0
Opcode Fuzzy Hash: 1f5a51cc4c534ad9ab0d5303a11d93456870069c6cfdecac7e47d6284521de42
Instruction Fuzzy Hash: DA318F30E102169FCB55CF64D8A46AEB7B6FF89300F14C529E906EB350DB71AD86CB50

Function 06633AB0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d79865e1dd5a72cf776782c0cb213fd816d854e5e0fd8f4179f6ef44f4c44e6a
Instruction ID: 86be5c4f208cd75c4b614bfa9129212236da2d43719e34bd6f978f69f0af07ec
Opcode Fuzzy Hash: d79865e1dd5a72cf776782c0cb213fd816d854e5e0fd8f4179f6ef44f4c44e6a
Instruction Fuzzy Hash: 94219D75F056659FDB40DFB9D980AAEBBF6EB48710F108029E905EB384E730D9018B94

Function 06633AAF Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06335159e49cfbc4ba56566360477c2937cc6c6cf1d68eef5c1ae40e4a4093b5
Instruction ID: a7b8870e49b207678af5282039cced5f81ca5ee5b236eacddd6ff60178262fbd
Opcode Fuzzy Hash: 06335159e49cfbc4ba56566360477c2937cc6c6cf1d68eef5c1ae40e4a4093b5
Instruction Fuzzy Hash: 62218071F146659FDB50DF79D980AAEBBF6EB4C710F108029E905EB385E730D9028B94

Function 026FD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4098486530.00000000026FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26fd000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07424ff6bf171332834ae51a6214f1b536826cb76310b82bd5652c12602bdef1
Instruction ID: 5b3e0bc8b219980636d6d7efe20eb2817fc7c13d5e3d33284de3e6736c283c6c
Opcode Fuzzy Hash: 07424ff6bf171332834ae51a6214f1b536826cb76310b82bd5652c12602bdef1
Instruction Fuzzy Hash: D6213471504280DFDF54DF14D9C0B26BBA5FB84314F20C56DDA0A4B796C33AE447CA62

Function 026FD006 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4098486530.00000000026FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26fd000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04810cc87487e7f090394aa1035f8efb6029ac7fa1327d424cac4252407c721
Instruction ID: 77965a4151891d5f35127dfff0cf45733951e0df1e210e101fef6af2211ede9c
Opcode Fuzzy Hash: b04810cc87487e7f090394aa1035f8efb6029ac7fa1327d424cac4252407c721
Instruction Fuzzy Hash: D52128715093C09FCB03CF24D994711BF71AB46214F29C5DBD9898F6A7C33A985ACB62

Function 06634200 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a26f2391b0ba7063d25f471ec7a2130686bc28dfb156ea93f4813d16f175345
Instruction ID: e05cccc93daa982ba0f5dd46332abd0ae1e5b1c8cf0658f47f2d781db33d90ee
Opcode Fuzzy Hash: 5a26f2391b0ba7063d25f471ec7a2130686bc28dfb156ea93f4813d16f175345
Instruction Fuzzy Hash: 2511D231B041601FDB5186BDD950B2BFBDBDBCA610F18847AE50ADB381DD51DC4243A6

Function 06633BC0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a43eb13b4c982a990035fd53236c4e10bd854ce465ebe6a4c343665de279f9
Instruction ID: 7dc639c85bb84076226dd2c8256e1faecc1da4705246e8e99392ae673dbf5aba
Opcode Fuzzy Hash: 78a43eb13b4c982a990035fd53236c4e10bd854ce465ebe6a4c343665de279f9
Instruction Fuzzy Hash: 2411A131B141285FDB549A68D8146AF73AAABC8710F00853AC90AEB340EF34DC028B91

Function 06633878 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eea01f1e144addc7f548193c2c5bfd2f729a2b5f46dd333abb85b3cdb8cff4b
Instruction ID: 2f423ff2362d30bdfbd64a164b02a1192af7d8e3c54f39485d62c746db6609c0
Opcode Fuzzy Hash: 5eea01f1e144addc7f548193c2c5bfd2f729a2b5f46dd333abb85b3cdb8cff4b
Instruction Fuzzy Hash: F421BFB5D01259AFCB10DF9AD884ADEFFB4FB48320F10852AE918A7241D374A954CFA5

Function 0663A311 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc18b5245472f93c970d4c789d242ff68bac86b5500254625ad718c5698ba20
Instruction ID: 79892119500806605360068e6441b96eecfb92d04b1354128b48bc1f3192e39b
Opcode Fuzzy Hash: 1bc18b5245472f93c970d4c789d242ff68bac86b5500254625ad718c5698ba20
Instruction Fuzzy Hash: C3014C30B046601FEB11D6B8E850B3FB7DAEB8B710F10443EE14ACB391DA11DD018395

Function 0663ED99 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa6c79fbd0eab8fe4d13afd4c4f41bbe810b71ddfd71b4bd8d9f7da64e6cfc48
Instruction ID: 4f3527f9f276237698174dd384c3f1363a7f91c9af64ab92b6a46923e8bc089c
Opcode Fuzzy Hash: aa6c79fbd0eab8fe4d13afd4c4f41bbe810b71ddfd71b4bd8d9f7da64e6cfc48
Instruction Fuzzy Hash: 6801B531B142115FCB61D67CE450B3BB7DADBC9614F14883AE50AC7341D952EC0247A6

Function 06633BAF Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0bec4da402239be4ab9221acc8b850a237ba0a42e18f219638ac3e8551bc3e9
Instruction ID: 3fd0ea588fbb0a3f192f12033fa8ba3d91f27f9788c35e811007d7c813a58a9e
Opcode Fuzzy Hash: a0bec4da402239be4ab9221acc8b850a237ba0a42e18f219638ac3e8551bc3e9
Instruction Fuzzy Hash: 18018432B141685FDB549669DD506EF77AA9BC8614F00413BD50AE7380EF65DC0247D2

Function 06633880 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac487f052c022a42901a4e9312fc8e2cbba5778bb2f0855d8e17346939c15740
Instruction ID: 446e1498e8ed1fef29d536298dd82167965a1ef31221b5739d4b6d94e6c30b84
Opcode Fuzzy Hash: ac487f052c022a42901a4e9312fc8e2cbba5778bb2f0855d8e17346939c15740
Instruction Fuzzy Hash: 8811C0B1D01259AFCB00DF9AD884ACEFBB4FB48310F10812AE518A7240D374A954CFA5

Function 06634210 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a90f5b98b2346d9313e075f3b49ef7fdd145760da545e8de479d6840d739f11
Instruction ID: 95a72f5f8f0a49511ed916003c8b4dba6eaf999615f9e7998ac0402b16161203
Opcode Fuzzy Hash: 1a90f5b98b2346d9313e075f3b49ef7fdd145760da545e8de479d6840d739f11
Instruction Fuzzy Hash: DA01AD31B100200BDB6095AED500B2FF3DBDBC9710F108439E50EDB380DD61DC424395

Function 0663EDA8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a08537956de551a735cc0ac1f7aaf1be15fb6bcc49c78064ed6491189e20312
Instruction ID: 488fd5c243a0dd2e5a5a4f8784cca57ba75a88fa368b275ce161640a1b09f008
Opcode Fuzzy Hash: 0a08537956de551a735cc0ac1f7aaf1be15fb6bcc49c78064ed6491189e20312
Instruction Fuzzy Hash: 10016931B101215BCA64967DE45073EB2DADBC9614F10883AE60ACB380EA66EC0247A6

Function 0663A320 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b576674ca849556b4f663a056a680f2cfe74d09022f597c416155996f15ece5b
Instruction ID: e1be535bc1c14baeab0aad8e0560ba8ad6ea24f9f9e1487434ed5131b73fa66e
Opcode Fuzzy Hash: b576674ca849556b4f663a056a680f2cfe74d09022f597c416155996f15ece5b
Instruction Fuzzy Hash: 0E013130B105205BDB64D6B8E45473FB3DAEB8A754F108839E54ACB394EA21DC019795

Function 06636470 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1712de3f506d39cfb0144f184ae9db2bc5b5de08cee5ec63099a6cbc9046ed
Instruction ID: 1507487e22311a1ade49f362696441ae86efa97fa405cd76d9a185ebefe8abf9
Opcode Fuzzy Hash: ab1712de3f506d39cfb0144f184ae9db2bc5b5de08cee5ec63099a6cbc9046ed
Instruction Fuzzy Hash: F2E09271E553987FDB50DEB4CE1565ABBAD9B02208F1488A6D405DB283E176CE018380

Non-executed Functions

Function 066376A0 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06637B9D
$^q, xrefs: 06637C30
$^q, xrefs: 06637B91
$^q, xrefs: 066377E0
$^q, xrefs: 066377D4
$^q, xrefs: 06637C46
$^q, xrefs: 06637805
$^q, xrefs: 06637C3C
$^q, xrefs: 06637C52
$^q, xrefs: 06637811

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 86aa3da845cea42153c82bb0c2f942589f8d2d40c3ba1f302b76c3c281586b2c
Instruction ID: ff62ea725b4014f00315418d2f6de9c8347f2689af14a34673d1cd810636722b
Opcode Fuzzy Hash: 86aa3da845cea42153c82bb0c2f942589f8d2d40c3ba1f302b76c3c281586b2c
Instruction Fuzzy Hash: 7C120E70E00229CFDB65DF69C954A9DBBF2BF88304F208569D40AAB354DB309D86CF95

Function 0663A948 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 0663AB06
$^q, xrefs: 0663AAD0
$^q, xrefs: 0663AAC4
$^q, xrefs: 0663AA99
$^q, xrefs: 0663AA4A
$^q, xrefs: 0663AA3E
$^q, xrefs: 0663AAFA
$^q, xrefs: 0663AAA5

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: b107b592dc932042b112a1bcc709ec95f62ebfb2b8dfae9e004d1c38fd98c8d4
Instruction ID: bf2e83ea381247bfd4d08cefa024e36d941abd3f274e60186df8f8fc2ce13bfb
Opcode Fuzzy Hash: b107b592dc932042b112a1bcc709ec95f62ebfb2b8dfae9e004d1c38fd98c8d4
Instruction Fuzzy Hash: 78918F30E10219DFDB68DFA5DA84B6EB7F6BF84304F108529D482AB394DB359C45DB90

Function 066370A0 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 066375B4
$^q, xrefs: 066373DC
$^q, xrefs: 0663753C
$^q, xrefs: 066375A8
$^q, xrefs: 066373E8
.5vq, xrefs: 066370FB
$^q, xrefs: 06637382

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 5e64532d60f2b40260dbbdb764272434ad87bbf3d37b6756142e28956ac18b9c
Instruction ID: 9f028615459785c7200c7d5f1344ac45bca9ca58dced4a0e981cdbc90106f861
Opcode Fuzzy Hash: 5e64532d60f2b40260dbbdb764272434ad87bbf3d37b6756142e28956ac18b9c
Instruction Fuzzy Hash: 3FF13B70A04218CFDB59EB69D594A6EBBB3BF84304F248568D4069B358DB31EC86CB94

Function 066383D8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06638632
$^q, xrefs: 0663863E
$^q, xrefs: 066386A3
$^q, xrefs: 06638697

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 508de1c62e8802a765ae5f6ddb356a0124973b71e381f90e1f8c4f6d09798659
Instruction ID: 683ae962a76d043bad1fa0008da4d0c6dd52c6bf591f2932443b826478178663
Opcode Fuzzy Hash: 508de1c62e8802a765ae5f6ddb356a0124973b71e381f90e1f8c4f6d09798659
Instruction Fuzzy Hash: 2EB14A30A10218CFDB54EB79D5946AEB7B3EF84304F24886DE0069B399DB75DC86CB90

Function 066387F0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 066388E3
$^q, xrefs: 0663886F
LR^q, xrefs: 06638932
$^q, xrefs: 0663887B

Memory Dump Source

Source File: 00000005.00000002.4103212532.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6630000_Catalina - Particulars.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: d37ada0642d8596b00a3d74b43823cd47350be85cf64d073d558fe6563761705
Instruction ID: 956297aafd32b8825629d520c0ec03fd7d7813b0410f36f4ca97c44033f79a46
Opcode Fuzzy Hash: d37ada0642d8596b00a3d74b43823cd47350be85cf64d073d558fe6563761705
Instruction Fuzzy Hash: 8651C030B002119FDB58EF68D944AAAB7E6FF88304F1485ACE4069F3A5DB30EC45CB95

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Catalina - Particulars.pdf.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Catalina - Particulars.pdf.scr.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1q2qy225.5mf.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c3ffuu2e.sqc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rq405u4c.ocl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xnf1nayc.yfe.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
Catalina - Particulars.pdf.scr.exe

Function 04BBDFB8 Relevance: 2.8, Strings: 1, Instructions: 1567
COMMON

Function 06C467B0 Relevance: 10.1, Strings: 8, Instructions: 91
COMMON

Function 04BB3D68 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Function 04BB3D78 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 06C45D41 Relevance: 3.9, Strings: 3, Instructions: 148
COMMON

Function 06C45A8F Relevance: 3.9, Strings: 3, Instructions: 129
COMMON

Function 06E2242D Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Function 06E22438 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 04BB8524 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Function 04BB8530 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre