Edit tour

Windows Analysis Report
zIpa.exe

Overview

General Information

Sample name:	zIpa.exe
Analysis ID:	1501600
MD5:	1498dac596521e58327c2a3adf097c99
SHA1:	c52325ad976cf3020fba6c2107676e0aaf03e143
SHA256:	61e5404eafb1cd95fbeb3e3408a95ee888cfaa3ee1af913490f74fb9badd25ec
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

zIpa.exe (PID: 7736 cmdline: "C:\Users\user\Desktop\zIpa.exe" MD5: 1498DAC596521E58327C2A3ADF097C99)

powershell.exe (PID: 7904 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zIpa.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8136 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

zIpa.exe (PID: 7920 cmdline: "C:\Users\user\Desktop\zIpa.exe" MD5: 1498DAC596521E58327C2A3ADF097C99)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "cp8nl.hyperhost.ua", "Username": "specificationlog@mideaholdings.top", "Password": " 7213575aceACE@#$  "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2915654403.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2915654403.0000000002829000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2913652248.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2913652248.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2915654403.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2915654403.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1695231282.0000000004289000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1695231282.0000000004289000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: zIpa.exe PID: 7736	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: zIpa.exe PID: 7736	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: zIpa.exe PID: 7736	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: zIpa.exe PID: 7920	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: zIpa.exe PID: 7920	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.zIpa.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.zIpa.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.zIpa.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33513:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33585:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3360f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3370b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3377d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33813:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x338a3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.zIpa.exe.42c4390.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.zIpa.exe.42c4390.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.zIpa.exe.42c4390.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31713:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31785:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3180f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x318a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3190b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3197d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31a13:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31aa3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.zIpa.exe.4289970.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.zIpa.exe.4289970.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.zIpa.exe.4289970.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31713:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31785:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3180f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x318a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3190b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3197d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31a13:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31aa3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.zIpa.exe.42c4390.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.zIpa.exe.42c4390.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.zIpa.exe.42c4390.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.zIpa.exe.42c4390.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33513:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dd33:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33585:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dda5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3360f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6de2f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6dec1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3370b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6df2b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3377d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6df9d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33813:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e033:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x338a3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e0c3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.zIpa.exe.4289970.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.zIpa.exe.4289970.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.zIpa.exe.4289970.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.zIpa.exe.4289970.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33513:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df33:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8753:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33585:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa87c5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3360f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e02f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa884f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0c1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa88e1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3370b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e12b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa894b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3377d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e19d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa89bd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33813:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e233:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8a53:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 12 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zIpa.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zIpa.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\zIpa.exe", ParentImage: C:\Users\user\Desktop\zIpa.exe, ParentProcessId: 7736, ParentProcessName: zIpa.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zIpa.exe", ProcessId: 7904, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 185.174.175.187, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\zIpa.exe, Initiated: true, ProcessId: 7920, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zIpa.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zIpa.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\zIpa.exe", ParentImage: C:\Users\user\Desktop\zIpa.exe, ParentProcessId: 7736, ParentProcessName: zIpa.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zIpa.exe", ProcessId: 7904, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.zIpa.exe.42c4390.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "cp8nl.hyperhost.ua", "Username": "specificationlog@mideaholdings.top", "Password": " 7213575aceACE@#$ "}

Multi AV Scanner detection for submitted file

Source: zIpa.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: zIpa.exe

Joe Sandbox ML: detected

Source: zIpa.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: zIpa.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: zIpa.pdb source: zIpa.exe
Source:	Binary string: zIpa.pdbSHA256: source: zIpa.exe

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.zIpa.exe.42c4390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zIpa.exe.4289970.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 185.174.175.187:587

Source: Joe Sandbox View

IP Address: 185.174.175.187 185.174.175.187

Source: Joe Sandbox View

ASN Name: ITLDC-NLUA ITLDC-NLUA

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 185.174.175.187:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: cp8nl.hyperhost.ua

Source: zIpa.exe, 00000004.00000002.2915654403.0000000002806000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cp8nl.hyperhost.ua
Source: zIpa.exe, 00000004.00000002.2914071750.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, zIpa.exe, 00000004.00000002.2919046582.0000000006062000.00000004.00000020.00020000.00000000.sdmp, zIpa.exe, 00000004.00000002.2914071750.0000000000B76000.00000004.00000020.00020000.00000000.sdmp, zIpa.exe, 00000004.00000002.2915654403.0000000002806000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: zIpa.exe, 00000004.00000002.2919046582.0000000006062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: zIpa.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: zIpa.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: zIpa.exe, 00000004.00000002.2919046582.0000000006062000.00000004.00000020.00020000.00000000.sdmp, zIpa.exe, 00000004.00000002.2914071750.0000000000B76000.00000004.00000020.00020000.00000000.sdmp, zIpa.exe, 00000004.00000002.2915654403.0000000002806000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: zIpa.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: zIpa.exe, 00000004.00000002.2919046582.0000000006062000.00000004.00000020.00020000.00000000.sdmp, zIpa.exe, 00000004.00000002.2914071750.0000000000B76000.00000004.00000020.00020000.00000000.sdmp, zIpa.exe, 00000004.00000002.2915654403.0000000002806000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: zIpa.exe, 00000000.00000002.1694123489.00000000032E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: zIpa.exe, 00000000.00000002.1695231282.0000000004289000.00000004.00000800.00020000.00000000.sdmp, zIpa.exe, 00000004.00000002.2913652248.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: zIpa.exe, 00000004.00000002.2919046582.0000000006062000.00000004.00000020.00020000.00000000.sdmp, zIpa.exe, 00000004.00000002.2914071750.0000000000B76000.00000004.00000020.00020000.00000000.sdmp, zIpa.exe, 00000004.00000002.2915654403.0000000002806000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: zIpa.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.zIpa.exe.42c4390.2.raw.unpack, 8WWn.cs	.Net Code: uhcY
Source: 0.2.zIpa.exe.4289970.1.raw.unpack, 8WWn.cs	.Net Code: uhcY

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.zIpa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.zIpa.exe.42c4390.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.zIpa.exe.4289970.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.zIpa.exe.42c4390.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.zIpa.exe.4289970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\zIpa.exe	Code function: 0_2_0170DE4C	0_2_0170DE4C
Source: C:\Users\user\Desktop\zIpa.exe	Code function: 4_2_00D84A98	4_2_00D84A98
Source: C:\Users\user\Desktop\zIpa.exe	Code function: 4_2_00D89BFB	4_2_00D89BFB
Source: C:\Users\user\Desktop\zIpa.exe	Code function: 4_2_00D83E80	4_2_00D83E80
Source: C:\Users\user\Desktop\zIpa.exe	Code function: 4_2_00D841C8	4_2_00D841C8
Source: C:\Users\user\Desktop\zIpa.exe	Code function: 4_2_00D8D24B	4_2_00D8D24B
Source: C:\Users\user\Desktop\zIpa.exe	Code function: 4_2_05D305B8	4_2_05D305B8
Source: C:\Users\user\Desktop\zIpa.exe	Code function: 4_2_05D3DCC8	4_2_05D3DCC8
Source: C:\Users\user\Desktop\zIpa.exe	Code function: 4_2_05D3BCA8	4_2_05D3BCA8
Source: C:\Users\user\Desktop\zIpa.exe	Code function: 4_2_05D33EF8	4_2_05D33EF8
Source: C:\Users\user\Desktop\zIpa.exe	Code function: 4_2_05D32EE8	4_2_05D32EE8
Source: C:\Users\user\Desktop\zIpa.exe	Code function: 4_2_05D35680	4_2_05D35680
Source: C:\Users\user\Desktop\zIpa.exe	Code function: 4_2_05D38B33	4_2_05D38B33
Source: C:\Users\user\Desktop\zIpa.exe	Code function: 4_2_05D39A88	4_2_05D39A88
Source: C:\Users\user\Desktop\zIpa.exe	Code function: 4_2_05D335EF	4_2_05D335EF
Source: C:\Users\user\Desktop\zIpa.exe	Code function: 4_2_05D34FA0	4_2_05D34FA0

Source: zIpa.exe

Static PE information: invalid certificate

Source: zIpa.exe, 00000000.00000002.1694123489.00000000032F3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs zIpa.exe
Source: zIpa.exe, 00000000.00000002.1695231282.0000000004289000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6a37924e-3615-49a6-8854-210337854d42.exe4 vs zIpa.exe
Source: zIpa.exe, 00000000.00000002.1695231282.0000000004289000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs zIpa.exe
Source: zIpa.exe, 00000000.00000002.1692802292.00000000014EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs zIpa.exe
Source: zIpa.exe, 00000000.00000002.1694123489.0000000003281000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs zIpa.exe
Source: zIpa.exe, 00000000.00000002.1706519155.0000000009480000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs zIpa.exe
Source: zIpa.exe, 00000000.00000002.1703768484.0000000007BC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs zIpa.exe
Source: zIpa.exe, 00000000.00000002.1694123489.00000000032E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6a37924e-3615-49a6-8854-210337854d42.exe4 vs zIpa.exe
Source: zIpa.exe, 00000004.00000002.2913943284.00000000008F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs zIpa.exe
Source: zIpa.exe, 00000004.00000002.2913652248.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6a37924e-3615-49a6-8854-210337854d42.exe4 vs zIpa.exe

Source: zIpa.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.zIpa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.zIpa.exe.42c4390.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.zIpa.exe.4289970.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.zIpa.exe.42c4390.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.zIpa.exe.4289970.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: zIpa.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.zIpa.exe.42c4390.2.raw.unpack, G39cBQ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.zIpa.exe.42c4390.2.raw.unpack, G39cBQ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.zIpa.exe.42c4390.2.raw.unpack, sDtvQjPGfa.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.zIpa.exe.42c4390.2.raw.unpack, sDtvQjPGfa.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.zIpa.exe.42c4390.2.raw.unpack, sDtvQjPGfa.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.zIpa.exe.42c4390.2.raw.unpack, sDtvQjPGfa.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.zIpa.exe.42c4390.2.raw.unpack, b1PPCKov2KZ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.zIpa.exe.42c4390.2.raw.unpack, b1PPCKov2KZ.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, HxlrlCNmyiPjid08vs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, hNLuaXukMEaK5TXU3r.cs	Security API names: _0020.SetAccessControl
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, hNLuaXukMEaK5TXU3r.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, hNLuaXukMEaK5TXU3r.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@1/1

Source: C:\Users\user\Desktop\zIpa.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zIpa.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\zIpa.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qw4jqknp.3pk.ps1

Jump to behavior

Source: zIpa.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: zIpa.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\zIpa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\zIpa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\zIpa.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\zIpa.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: zIpa.exe

ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\zIpa.exe "C:\Users\user\Desktop\zIpa.exe"
Source: C:\Users\user\Desktop\zIpa.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zIpa.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zIpa.exe	Process created: C:\Users\user\Desktop\zIpa.exe "C:\Users\user\Desktop\zIpa.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\zIpa.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zIpa.exe"	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process created: C:\Users\user\Desktop\zIpa.exe "C:\Users\user\Desktop\zIpa.exe"	Jump to behavior

Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\zIpa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\zIpa.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\zIpa.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: zIpa.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: zIpa.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: zIpa.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: zIpa.pdb source: zIpa.exe
Source:	Binary string: zIpa.pdbSHA256: source: zIpa.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.zIpa.exe.9480000.4.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.zIpa.exe.32b5f28.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, hNLuaXukMEaK5TXU3r.cs	.Net Code: ld5QsnmlNU System.Reflection.Assembly.Load(byte[])

Source: zIpa.exe

Static PE information: 0xDDD7FB8F [Wed Dec 10 18:29:35 2087 UTC]

Source: C:\Users\user\Desktop\zIpa.exe

Code function: 0_2_0C1C0DF5 push FFFFFF8Bh; iretd

0_2_0C1C0DF7

Source: zIpa.exe

Static PE information: section name: .text entropy: 7.850969982598096

Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, hlGaWn4UiLp1kRLxoQY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HClFUv3tXF', 'F2uF1QcuIv', 'ig0Fd8rYTS', 'UCeFTWYLWO', 'uZmFDIum8T', 'a8tFeIcFJG', 'dHMFHLcPQ0'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, Bmt4c3zBZSx25HueFG.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vKo4gjOqcw', 'i6y4vZHSYF', 'KfN45nitsT', 'QMA4btQsiy', 'Mbm4fb5Yi5', 'zQc44qTdav', 'oWw4F7jl4s'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, rjHxmOwBuDOnWYl1vl.cs	High entropy of concatenated method names: 'xj4onn59QL', 'Q0Jo7019aA', 'FfAoq1QCdx', 'JGsqAbj7Oa', 'kQvqzyBkTk', 's4soKvhhb1', 'AZ3oMsj5PE', 'IqwoYwCH6k', 'Sbgot1mYWB', 'hdJoQKBxIK'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, vOPoaKIYVrR4KYuJmM.cs	High entropy of concatenated method names: 'ToString', 'a8L5SwrvNI', 'iZY5ijY6jh', 'jNp5EmgxNS', 'ovQ5JuugyQ', 'gMO5GWY1Mw', 'AWK5WU7MDV', 'M085kcB4mB', 'naw5X8sV8Q', 'k0k5yBWqbS'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, hNLuaXukMEaK5TXU3r.cs	High entropy of concatenated method names: 'Hoct8gaDL1', 'ElntnMhsKU', 'aCEtI1ZLhH', 'OhAt7vjOOJ', 'JLptNhSqN5', 'd96tq6bPC0', 'P7KtoFLBfW', 'NdWtBT9cgl', 'nQntcSEu1G', 'SG1tjSWA6D'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, hXwcwKsBNlHnMMNiEr.cs	High entropy of concatenated method names: 'yuaNZN0QWR', 'Sn1Na5TLL2', 'UKi7EajRDI', 'Ij47J4eWly', 'rFZ7GDvmld', 'U1T7WimYHk', 'RKm7kGZFm5', 'G6i7XcWZgM', 'Vb87yRRs02', 'tlX738W3bB'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, fgajisW65tNtVRPEWq.cs	High entropy of concatenated method names: 'zsjq8OHMlg', 'VBQqI3EGxB', 'XD7qNfJL4J', 'xaEqof7gaE', 'fJcqBhd5Mg', 'UAsNDmWZib', 'WqPNe1pPuu', 'NofNHO0nNE', 'sdLN0jusmU', 'XchNu3jw9t'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, fuFSaWfPepDuoCSxGp.cs	High entropy of concatenated method names: 'JepoLUCER3', 'XEGompLRFx', 'WHhosEVVxs', 'k4yohp2dAh', 'krwoZZN1Je', 'DJno2LCff2', 'Kc3oaS6U2B', 'qL5owTYXY4', 'kGMolqo94C', 'donop4YEuJ'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, w7cDA0eelrcqpvYNte.cs	High entropy of concatenated method names: 'QGnfnlwlLX', 'l22fIhiVLU', 'WGnf7xFJdl', 'hKvfNWkd0j', 'kdSfq437Xo', 'BGRfo54ZUJ', 'Ax7fBoeZ8w', 'WagfcFIoMA', 'dj4fjwOq59', 'JTEfrFw8SR'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, kvfK6svae6rojd1tt4.cs	High entropy of concatenated method names: 'CcEMocrDaC', 'unZMBs9S2U', 'WhEMjDDa2M', 'kTRMrJ9uqU', 'hCjMvVQNmi', 'pXkM5E1PKG', 'eBoZnnitPu28Vjfpqc', 'vtIXElv2PqyPb1egoU', 'H2fMMWlLkk', 'XAqMtq189k'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, bMyiq2K0xySh3PaVLd.cs	High entropy of concatenated method names: 'KaE7hRSM4A', 'gcs72PGg3L', 'nNW7weMrNc', 'j6f7l4qHIS', 'tBx7vaggBE', 'f0w75spihm', 'Qwb7brLT7E', 'QvD7fj3JfQ', 'LdQ746efcM', 'm957FtkcNs'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, pUU4lj84B8x8POeqpI.cs	High entropy of concatenated method names: 'Jcbv3pKdFH', 'qK7v9Jult7', 'BNcvU65FaT', 'AbPv1b4QFL', 'cKwviwexWf', 'YcsvEkyqNF', 'Y18vJcc7Cj', 'cb4vGYUNMG', 'm65vWOJEJ7', 'JW9vkkwSIb'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, HxlrlCNmyiPjid08vs.cs	High entropy of concatenated method names: 'G6hIUtfIrH', 'zf1I1dtOur', 'dS6IdYqB3n', 's8oIT8lr6F', 'SlVIDIMTyZ', 'qXSIeHfqY5', 'KkdIH6PnWJ', 'GExI0cZl7p', 'zaQIulLheP', 'MWVIAEKtQA'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, ov6ZKdASXAOA8RgFvK.cs	High entropy of concatenated method names: 'WPlgw9WZoO', 'yYogl2m8WT', 'UGfgRRCI3K', 'vMFgih9igc', 'E6bgJvAdZM', 'sLcgGW3Ksa', 'o9Ogkp7LLf', 'Io3gXfSBRQ', 'TTdg3ihwVI', 'n9YgSxHkLT'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, wRA76uogtTN6P734fM.cs	High entropy of concatenated method names: 'UvOskqkBF', 'FF3hSyJNw', 'HKs2Y6K4w', 'hfCahU7Vy', 'ELal4WVU9', 'fccptn5MU', 'IolkqFJtKQqSV79rIn', 'Po3OTGeVmNK1MD7fdf', 'h53fFANbY', 'JPnFvSHac'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, CC3rq1F242Z3qf6kAC.cs	High entropy of concatenated method names: 'AtN4Ms9N8f', 'gxD4tLEDnD', 'Pwb4QRUtqa', 'iYH4nTgMJr', 'iMl4ImAECs', 'uJB4NceVAE', 'Ju74qaYlvc', 'HKhfHPYp0S', 'oatf0j4v0O', 'xEJfulRQmp'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, RLodU5jB8FAwgqRYfx.cs	High entropy of concatenated method names: 'UDDb0kjXp5', 'dBDbAhhBCS', 'pX2fKxwa0q', 'wI3fMDHZvt', 'Sn9bSwpMra', 'fjdb9UENyI', 'PvMbP4lnDN', 'zgGbU7YBXV', 'koDb1T5f0M', 'Ge4bdH4uC3'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, sryyyS4oeEOBeY5To7w.cs	High entropy of concatenated method names: 'L09FLnsOQW', 'xONFmY08hT', 'MZgFsW1vJd', 'mOpncJrLkFoYdAZU4Av', 'P6xHMervBLN5YowoJKN', 'KEwhmmrynsjNcEbPuhZ', 'Y9nsfOrZav684qlJRJl', 'B8GFQnrb2FXBeAsNb0y', 'RY51TkrqaAyEIGTHVU9'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, tOk1WK4bo3fRylkBQQk.cs	High entropy of concatenated method names: 'cMv4LHNPN7', 'XOX4mNmee1', 'FnH4sxqDVT', 'wfe4hXbReV', 'vxC4ZsFPsS', 'naw42KrC3B', 'JSp4aWu56X', 'IEJ4wnJ6pm', 'xPk4l6K5J7', 'GWk4p6naqx'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, nNKEtRakFheZIKdyO2.cs	High entropy of concatenated method names: 'Dispose', 'EcRMuigMyo', 'BCZYifq92H', 'vRYxxhOEIB', 'oMDMAxZmJf', 'FOfMzg6doc', 'ProcessDialogKey', 'ErGYK2E1b2', 'GrBYMMnetm', 'STYYY0SxDl'
Source: 0.2.zIpa.exe.7bc0000.3.raw.unpack, YiTCvsl7A22HKHATMU.cs	High entropy of concatenated method names: 'wIWfRNhelk', 'Lqqfi3QjIH', 'cnKfECqdAL', 'o1pfJcy1hF', 'JF5fUlAFma', 'uZbfGwCkR9', 'Next', 'Next', 'Next', 'NextBytes'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\zIpa.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: zIpa.exe PID: 7736, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\zIpa.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\zIpa.exe	Memory allocated: 1700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Memory allocated: 3280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Memory allocated: 5280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Memory allocated: 94B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Memory allocated: A4B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Memory allocated: A6C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Memory allocated: B6C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Memory allocated: D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Memory allocated: 2670000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7417	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2186	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Window / User API: threadDelayed 2242	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Window / User API: threadDelayed 2872	Jump to behavior

Source: C:\Users\user\Desktop\zIpa.exe TID: 7756	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8100	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8124	Thread sleep count: 2242 > 30	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8124	Thread sleep count: 2872 > 30	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -99749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -99421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -99092s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -98983s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -98874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -98546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -98281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -98140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -98031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -97921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -97812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -97702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -97593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -97484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -97374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -97265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -97156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -97044s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -96921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -96812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -96702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe TID: 8116	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\zIpa.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\zIpa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\zIpa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 99749	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 99421	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 99092	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 98983	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 98874	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 98546	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 98281	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 97921	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 97812	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 97702	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 97593	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 97484	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 97374	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 97265	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 97156	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 97044	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 96921	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 96812	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 96702	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: zIpa.exe, 00000000.00000002.1692909840.0000000001522000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: zIpa.exe, 00000004.00000002.2914071750.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\zIpa.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\zIpa.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zIpa.exe"
Source: C:\Users\user\Desktop\zIpa.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zIpa.exe"			Jump to behavior

Source: C:\Users\user\Desktop\zIpa.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zIpa.exe"			Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Process created: C:\Users\user\Desktop\zIpa.exe "C:\Users\user\Desktop\zIpa.exe"			Jump to behavior

Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Users\user\Desktop\zIpa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Users\user\Desktop\zIpa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\zIpa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 4.2.zIpa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zIpa.exe.42c4390.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zIpa.exe.4289970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zIpa.exe.42c4390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zIpa.exe.4289970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2915654403.00000000027FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2915654403.0000000002829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2913652248.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2915654403.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1695231282.0000000004289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zIpa.exe PID: 7736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zIpa.exe PID: 7920, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\zIpa.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\zIpa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\zIpa.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\zIpa.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\zIpa.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 4.2.zIpa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zIpa.exe.42c4390.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zIpa.exe.4289970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zIpa.exe.42c4390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zIpa.exe.4289970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2913652248.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2915654403.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1695231282.0000000004289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zIpa.exe PID: 7736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zIpa.exe PID: 7920, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 4.2.zIpa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zIpa.exe.42c4390.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zIpa.exe.4289970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zIpa.exe.42c4390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zIpa.exe.4289970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2915654403.00000000027FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2915654403.0000000002829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2913652248.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2915654403.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1695231282.0000000004289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zIpa.exe PID: 7736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zIpa.exe PID: 7920, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	111 Security Software Discovery	Distributed Component Object Model	1 Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
zIpa.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeKeyLogger
zIpa.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
http://cp8nl.hyperhost.ua	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cp8nl.hyperhost.ua	185.174.175.187	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	zIpa.exe, 00000004.00000002.2919046582.0000000006062000.00000004.00000020.00020000.00000000.sdmp, zIpa.exe, 00000004.00000002.2914071750.0000000000B76000.00000004.00000020.00020000.00000000.sdmp, zIpa.exe, 00000004.00000002.2915654403.0000000002806000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	zIpa.exe, 00000004.00000002.2919046582.0000000006062000.00000004.00000020.00020000.00000000.sdmp, zIpa.exe, 00000004.00000002.2914071750.0000000000B76000.00000004.00000020.00020000.00000000.sdmp, zIpa.exe, 00000004.00000002.2915654403.0000000002806000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	zIpa.exe, 00000000.00000002.1695231282.0000000004289000.00000004.00000800.00020000.00000000.sdmp, zIpa.exe, 00000004.00000002.2913652248.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	zIpa.exe, 00000004.00000002.2919046582.0000000006062000.00000004.00000020.00020000.00000000.sdmp, zIpa.exe, 00000004.00000002.2914071750.0000000000B76000.00000004.00000020.00020000.00000000.sdmp, zIpa.exe, 00000004.00000002.2915654403.0000000002806000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	zIpa.exe	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	zIpa.exe, 00000000.00000002.1694123489.00000000032E8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	zIpa.exe, 00000000.00000002.1701404773.00000000074B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cp8nl.hyperhost.ua	zIpa.exe, 00000004.00000002.2915654403.0000000002806000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.174.175.187	cp8nl.hyperhost.ua	Ukraine		21100	ITLDC-NLUA	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501600
Start date and time:	2024-08-30 07:22:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	zIpa.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 72 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: zIpa.exe

Simulations

Behavior and APIs

Time	Type	Description
01:22:57	API Interceptor	28x Sleep call for process: zIpa.exe modified
01:23:00	API Interceptor	17x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.174.175.187	172491216448f4bc8ff309136c7e986bb20f1bf12028c8fb2faf6b3c0f8bd116ab9d41ffb9335.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse
	INQUIRY#46789-AUG24.js	Get hash	malicious	AgentTesla	Browse
	PROFORMA INVOICEPI-RY93849HT.bat.exe	Get hash	malicious	AgentTesla	Browse
	PROFORMA INVOICEPI-RY93849HT.pif.exe	Get hash	malicious	AgentTesla	Browse
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe	Get hash	malicious	AgentTesla	Browse
	e-dekont_html.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	TNT Express Arrival Notice AWB 8013580_xlsx.exe	Get hash	malicious	AgentTesla	Browse
	RDE890246U87-DCH9095490-BVF00088898U78.exe	Get hash	malicious	AgentTesla	Browse
	VHT548009889-WNY0890088R4678-DFV588890900.exe	Get hash	malicious	AgentTesla	Browse
	DGH99702I90-HY899239000YHG-PLV90-0090.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cp8nl.hyperhost.ua	172491216448f4bc8ff309136c7e986bb20f1bf12028c8fb2faf6b3c0f8bd116ab9d41ffb9335.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	INQUIRY#46789-AUG24.js	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	PROFORMA INVOICEPI-RY93849HT.bat.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	PROFORMA INVOICEPI-RY93849HT.pif.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	e-dekont_html.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.174.175.187
	TNT Express Arrival Notice AWB 8013580_xlsx.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	RDE890246U87-DCH9095490-BVF00088898U78.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	VHT548009889-WNY0890088R4678-DFV588890900.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	DGH99702I90-HY899239000YHG-PLV90-0090.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ITLDC-NLUA	172491216448f4bc8ff309136c7e986bb20f1bf12028c8fb2faf6b3c0f8bd116ab9d41ffb9335.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	INQUIRY#46789-AUG24.js	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	PROFORMA INVOICEPI-RY93849HT.bat.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	PROFORMA INVOICEPI-RY93849HT.pif.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	e-dekont_html.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.174.175.187
	TNT Express Arrival Notice AWB 8013580_xlsx.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	RDE890246U87-DCH9095490-BVF00088898U78.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	VHT548009889-WNY0890088R4678-DFV588890900.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	DGH99702I90-HY899239000YHG-PLV90-0090.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187

Process:	C:\Users\user\Desktop\zIpa.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379736180876081
Encrypted:	false
SSDEEP:	48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZeUyus:tLHyIFKL3IZ2KRH9Ougos
MD5:	9D384A9EBEABB083763926A2E63505A6
SHA1:	3AB2DD8F7518A36D7E22EFD76FF25F3DFA25D889
SHA-256:	801BC488523F40135A2F58EE86844AD3AFD2EFD0AF5DD0F7DE40978E7EDE92DD
SHA-512:	03941519E7F748E7A151CDEFC2E6D98A19B2E077AB09C48822B3882D8BA39C8427A9766C26B3F28DB419385FD7F030C3A7D5FE5ADE4F796AE876921042F5FED9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_24dg2lof.tgz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nyrpu4ve.rqs.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qw4jqknp.3pk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rxwpmznj.opy.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.843225159168028
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	zIpa.exe
File size:	763'400 bytes
MD5:	1498dac596521e58327c2a3adf097c99
SHA1:	c52325ad976cf3020fba6c2107676e0aaf03e143
SHA256:	61e5404eafb1cd95fbeb3e3408a95ee888cfaa3ee1af913490f74fb9badd25ec
SHA512:	502aa2951a99208d0e63f98e50f7ad9b08809dbcc40db2024d0d0666141d68397b3fc43380dd933b38428201e1a6cff920afc2972e2a9d0bf483a132bd356938
SSDEEP:	12288:+0O1pVVEe3TBFLaGfOyd+kt7aYercRUNCAqaeZm8+2AzRv6P7AyOwkR:ArfjuG7+MbercuC08Oztu7AT3
TLSH:	78F4F1213AF82F9AD27AC7F91154500957B2B90B64AEE68A4ED771DF39F1F400B60E43
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..d..........v.... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4b8276
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xDDD7FB8F [Wed Dec 10 18:29:35 2087 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb8222	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xba000	0x6a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xb7000	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb489c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb627c	0xb6400	c2c7c7f0799f7e1ff3320f4786bf6bbe	False	0.9021615655006858	data	7.850969982598096	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xba000	0x6a0	0x800	29d32cb2ae8a759958b1e0f04256a961	False	0.3564453125	data	3.658521413541081	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbc000	0xc	0x200	e9e5f92fb3e2709c00226ba09b5bde75	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xba090	0x410	data			0.40384615384615385
RT_MANIFEST	0xba4b0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 30, 2024 07:23:01.196084976 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:23:01.202121019 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:01.203417063 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:23:02.069264889 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:02.070235014 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:23:02.075038910 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:02.245950937 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:02.246382952 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:23:02.251205921 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:02.422585964 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:02.524401903 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:23:02.529455900 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:02.713897943 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:02.713917971 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:02.713928938 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:02.713943005 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:02.713996887 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:23:02.714040041 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:23:02.801024914 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:02.866174936 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:23:02.871089935 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:03.041347027 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:03.071043015 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:23:03.076096058 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:03.249638081 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:03.250957966 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:23:03.255911112 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:03.427061081 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:03.427369118 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:23:03.432305098 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:03.620934010 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:03.621356964 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:23:03.626244068 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:03.796710968 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:03.796971083 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:23:03.801752090 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:03.976389885 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:03.976633072 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:23:03.981417894 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:04.158782005 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:04.159409046 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:23:04.159483910 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:23:04.159483910 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:23:04.159607887 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:23:04.164222002 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:04.164232016 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:04.164375067 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:04.465797901 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:23:04.506035089 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:24:41.181843042 CEST	49735	587	192.168.2.4	185.174.175.187
Aug 30, 2024 07:24:41.186781883 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:24:41.357422113 CEST	587	49735	185.174.175.187	192.168.2.4
Aug 30, 2024 07:24:41.361079931 CEST	49735	587	192.168.2.4	185.174.175.187

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 30, 2024 07:23:01.159944057 CEST	54534	53	192.168.2.4	1.1.1.1
Aug 30, 2024 07:23:01.173067093 CEST	53	54534	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 30, 2024 07:23:01.159944057 CEST	192.168.2.4	1.1.1.1	0xda6e	Standard query (0)	cp8nl.hyperhost.ua	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 30, 2024 07:23:01.173067093 CEST	1.1.1.1	192.168.2.4	0xda6e	No error (0)	cp8nl.hyperhost.ua		185.174.175.187	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 30, 2024 07:23:02.069264889 CEST	587	49735	185.174.175.187	192.168.2.4	220-cp8nl.hyperhost.ua ESMTP Exim 4.97.1 #2 Fri, 30 Aug 2024 08:23:01 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Aug 30, 2024 07:23:02.070235014 CEST	49735	587	192.168.2.4	185.174.175.187	EHLO 965543
Aug 30, 2024 07:23:02.245950937 CEST	587	49735	185.174.175.187	192.168.2.4	250-cp8nl.hyperhost.ua Hello 965543 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Aug 30, 2024 07:23:02.246382952 CEST	49735	587	192.168.2.4	185.174.175.187	STARTTLS
Aug 30, 2024 07:23:02.422585964 CEST	587	49735	185.174.175.187	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	01:22:56
Start date:	30/08/2024
Path:	C:\Users\user\Desktop\zIpa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\zIpa.exe"
Imagebase:	0xf10000
File size:	763'400 bytes
MD5 hash:	1498DAC596521E58327C2A3ADF097C99
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1695231282.0000000004289000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1695231282.0000000004289000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:22:58
Start date:	30/08/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\zIpa.exe"
Imagebase:	0x5c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:22:58
Start date:	30/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:22:58
Start date:	30/08/2024
Path:	C:\Users\user\Desktop\zIpa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\zIpa.exe"
Imagebase:	0x440000
File size:	763'400 bytes
MD5 hash:	1498DAC596521E58327C2A3ADF097C99
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2915654403.00000000027FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2915654403.0000000002829000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2913652248.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2913652248.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2915654403.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2915654403.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	01:23:01
Start date:	30/08/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	45
Total number of Limit Nodes:	6

Executed Functions

Function 0170D553 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0170D5D6
GetCurrentThread.KERNEL32 ref: 0170D613
GetCurrentProcess.KERNEL32 ref: 0170D650
GetCurrentThreadId.KERNEL32 ref: 0170D6A9

Memory Dump Source

Source File: 00000000.00000002.1693806533.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_zIpa.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4ce1b694455ee49150dee2114b60e03f2091f855f6aa0e7bf9b7a47a5ed55ab4
Instruction ID: aa09ab17f76c085e569504a10e2258eccc694d287f424f64e899e6d28f7a1063
Opcode Fuzzy Hash: 4ce1b694455ee49150dee2114b60e03f2091f855f6aa0e7bf9b7a47a5ed55ab4
Instruction Fuzzy Hash: B65127B0901709CFDB14DFA9D948BEEFBF1AB88314F208469D459A73A0D7345984CF69

Function 0170D558 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0170D5D6
GetCurrentThread.KERNEL32 ref: 0170D613
GetCurrentProcess.KERNEL32 ref: 0170D650
GetCurrentThreadId.KERNEL32 ref: 0170D6A9

Memory Dump Source

Source File: 00000000.00000002.1693806533.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_zIpa.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1e1cb60a0fc168961492da88dfb66a122000bdd43b4c507732b3ce781f77e05c
Instruction ID: 5f83d0adcf485186841163e8fc581d6af254898e44cab8303966aab7227e84a8
Opcode Fuzzy Hash: 1e1cb60a0fc168961492da88dfb66a122000bdd43b4c507732b3ce781f77e05c
Instruction Fuzzy Hash: 915136B0901309DFDB14DFAAD948B9EFBF1AB48314F208469D459A73A0DB349984CF69

Function 0170B190 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0170B3F6

Memory Dump Source

Source File: 00000000.00000002.1693806533.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_zIpa.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b112599a93aa024b3e8de325a3729644f2fb85a55af2cfeb4ecd3329baced18a
Instruction ID: 774169a999a4bf7fa20f157dc6d0364f4fb42061533e32f348f5f95acaa707ad
Opcode Fuzzy Hash: b112599a93aa024b3e8de325a3729644f2fb85a55af2cfeb4ecd3329baced18a
Instruction Fuzzy Hash: 2F812270A04B05CFDB26DF69D45479ABBF1FF88200F108A29D48ADBA91D774E945CB90

Function 0170590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017059C9

Memory Dump Source

Source File: 00000000.00000002.1693806533.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_zIpa.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bbdb8b06aaac43750fe04c08541b3f90e33b6f6549c860c27e18dda7e19b303c
Instruction ID: 5718100c6e9641f0e2e20a2f99c3bff371bc6d5880032335c35ac2aa64de4a74
Opcode Fuzzy Hash: bbdb8b06aaac43750fe04c08541b3f90e33b6f6549c860c27e18dda7e19b303c
Instruction Fuzzy Hash: 1941ADB0C00719CFDB25CFA9C88479DBBF5BF49304F2484AAD408AB255DB756986CF91

Function 0170449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017059C9

Memory Dump Source

Source File: 00000000.00000002.1693806533.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_zIpa.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e88bcb079ef01ff6c3f1a5a7fc66d459b1c2525c01a430cacc92f8bff43ffdab
Instruction ID: 3ea29579c12ef93c466a9558e572fc40ba0c20f117e91479af144ef71639da88
Opcode Fuzzy Hash: e88bcb079ef01ff6c3f1a5a7fc66d459b1c2525c01a430cacc92f8bff43ffdab
Instruction Fuzzy Hash: 0241B1B0C0071DCFDB24DFA9C94469DBBF5BF49304F24846AD408AB295DBB56985CF90

Function 0170D798 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0170D827

Memory Dump Source

Source File: 00000000.00000002.1693806533.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_zIpa.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6b44e21fa86301074c75eff6ca35ef54912bba82b1ce2723d01f2da498edb569
Instruction ID: f8a7ddb68e07f6b06b263781e4ec0c984c9553b8be0642ef96b92b973c10d4d6
Opcode Fuzzy Hash: 6b44e21fa86301074c75eff6ca35ef54912bba82b1ce2723d01f2da498edb569
Instruction Fuzzy Hash: 3D21D4B5900358DFDB10CF9AD584ADEFBF4EB48320F14801AE918A7250D374A940CFA5

Function 0170D7A0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0170D827

Memory Dump Source

Source File: 00000000.00000002.1693806533.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_zIpa.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e3198880c0906d488dc7417bc5e931cb8b211953fd7b05308b1b0e027accf062
Instruction ID: bba4d09b297304fd5883b36fb143b17929a0f7c0cd14646bc83d5eafb7082efc
Opcode Fuzzy Hash: e3198880c0906d488dc7417bc5e931cb8b211953fd7b05308b1b0e027accf062
Instruction Fuzzy Hash: 0B21B3B5D00358DFDB10CF9AD584ADEFBF5EB48310F14841AE958A7250D374A944CFA5

Function 0170B428 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0170B871,00000800,00000000,00000000), ref: 0170BA82

Memory Dump Source

Source File: 00000000.00000002.1693806533.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_zIpa.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dc3394f163342d7a76f94e4834504eecbe5d361043eb6612246a19048abe4b22
Instruction ID: 726f76459307206ff17744c86b0e0f46f45d66fc213ff6dddd3e9ca37779efec
Opcode Fuzzy Hash: dc3394f163342d7a76f94e4834504eecbe5d361043eb6612246a19048abe4b22
Instruction Fuzzy Hash: 751114B6D00349CFDB20CF9AD444ADEFBF4EB48310F10842AD519A7250C375A684CFA5

Function 0170BA10 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0170B871,00000800,00000000,00000000), ref: 0170BA82

Memory Dump Source

Source File: 00000000.00000002.1693806533.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_zIpa.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9cbc10fbe478e616fe889b49d401f6b3f1fafaa0a65590ec51eb18d557f55c97
Instruction ID: 43a5fe68737869efa3a3914d040c1ecd03a482035c2ca59c321c84fb8afe76ee
Opcode Fuzzy Hash: 9cbc10fbe478e616fe889b49d401f6b3f1fafaa0a65590ec51eb18d557f55c97
Instruction Fuzzy Hash: 9A1114B6C00349CFDB10CF9AD884ADEFBF5EB88314F14842AD519A7650C775A645CFA4

Function 0170B390 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0170B3F6

Memory Dump Source

Source File: 00000000.00000002.1693806533.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_zIpa.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 88d4d6e63ad1fccbdef4b9b4bf8cda12da5dd28dd3e6c13f50f748feef917d2e
Instruction ID: c36acbf41b95329841cab5da6bff132a60af7947c29239e88659c0aca9110e53
Opcode Fuzzy Hash: 88d4d6e63ad1fccbdef4b9b4bf8cda12da5dd28dd3e6c13f50f748feef917d2e
Instruction Fuzzy Hash: DB110FB5C00349CFDB10CF9AD444ADEFBF4EB88220F10842AD928B7250C375A645CFA5

Function 016AD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693506947.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306c31b478208ecf0ef9e6def2aca098b4b7d33384d5e4a231e86e9a71fe0a71
Instruction ID: 7da685c72549d0b6111dc592e1571159958bb060aecfb57dcb2f88f75596366b
Opcode Fuzzy Hash: 306c31b478208ecf0ef9e6def2aca098b4b7d33384d5e4a231e86e9a71fe0a71
Instruction Fuzzy Hash: D92122B1500240EFDB05DF58DDC0B2ABFA5FB88318F64C569E9890B756C336D856CBA2

Function 016BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693540480.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16bd000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93be28bfa2718bfe7da1ae2df3645baed5178cfaedbe9fb68b65cf88904db6e8
Instruction ID: 1496f4d87fbc462180e58ff6b9ecc379f6f46ada7ac89b19fd32465b0c82825f
Opcode Fuzzy Hash: 93be28bfa2718bfe7da1ae2df3645baed5178cfaedbe9fb68b65cf88904db6e8
Instruction Fuzzy Hash: 74210071604200DFCB15DF58D9C4B66BFA5EB88318F20C569D80A4F396C33AD487CB61

Function 016BD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693540480.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16bd000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c5ecb814c84869cf02fb0b005d1e908869d35d37d6411c7201116d6b19aa5f
Instruction ID: 2182f61187b23870f3e62a13ddff45ff221cd31ce779dcc38721ac46c0da5bf6
Opcode Fuzzy Hash: f6c5ecb814c84869cf02fb0b005d1e908869d35d37d6411c7201116d6b19aa5f
Instruction Fuzzy Hash: 9F210471504280EFDB05DF98D9C0B66BBA5FB84328F20C66DEA094F356C336D886CB61

Function 016BD006 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693540480.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16bd000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bdc433ac8278ff1e89f5b3c054c06b055fac3efa8beb40134c3425a00efd82
Instruction ID: 1578be7c9c6c173a547eb4efb14d824f45b83957e86804f8fbdf35ef2d352f8f
Opcode Fuzzy Hash: 24bdc433ac8278ff1e89f5b3c054c06b055fac3efa8beb40134c3425a00efd82
Instruction Fuzzy Hash: 22219F755093808FDB03CF24D9D4B15BF71EB46218F28C5DAD8498F2A7C33A984ACB62

Function 016AD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693506947.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 22de7bd28a39bcaf8e965b827c170b7da790423848aa136a37f9e88ddb1da3a7
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 5411E172404280CFCB02CF54D9C4B1ABF71FB84318F24C6A9D8490B656C336D85ACFA1

Function 016BD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693540480.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16bd000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 74ec0d93d110fcaeed9e16f6e06e9dfb8e9964beae129877a939767243879480
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: DE11BB75504280DFDB02CF54C9C4B55BFA1FB84228F24C6AAD9494F396C33AD44ACB61

Function 0C1C09CA Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707377996.000000000C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c1c0000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 627955dd70faeafb573bb0b7a3fe9ae144790af55b29abd9cca7e4e55e900226
Instruction ID: 7083d748723cd3ece9787f220a7298149df219204836f031073dcc38904ab809
Opcode Fuzzy Hash: 627955dd70faeafb573bb0b7a3fe9ae144790af55b29abd9cca7e4e55e900226
Instruction Fuzzy Hash: 53016934E05258EFCB109FB4D8887FDBBB0AB0A301F0494AAE459A3282C3748A40DF50

Function 016AD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693506947.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a301f080fb780cbd22d1acc4470ab0eb17640173565bd5478ce4087493e5a16
Instruction ID: a31bfe3c09a03dcff7588e82c52c42ed016ee1751dad7e7b21b62f48bc44780f
Opcode Fuzzy Hash: 3a301f080fb780cbd22d1acc4470ab0eb17640173565bd5478ce4087493e5a16
Instruction Fuzzy Hash: EA01A7710083809AE7154A6ADD84777BFE8EF41324F58C56AED094A796C779DC40CA71

Function 0C1C09D8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707377996.000000000C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c1c0000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d96049fe6ea08c9f2839f4766f5a95800afed6f71e5f94330391f09508086b
Instruction ID: c36ba8b08473b9c9c479aa0d2cacc4fedc7efe38ebace6473850362ce18b6f09
Opcode Fuzzy Hash: 89d96049fe6ea08c9f2839f4766f5a95800afed6f71e5f94330391f09508086b
Instruction Fuzzy Hash: 45015A30E01219EFCB14DFA5C8487BEFBF0AB0A301F1494AAE429A3291D7788A40DF54

Function 016AD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693506947.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3153b9775f0057f37bdf299916576f15e1fa1b74c1ae97b39dac85182634f5d9
Instruction ID: 5afa04638fdc0df1d408790012ce4612006c8a3241980db695db7a2ffb4f5da2
Opcode Fuzzy Hash: 3153b9775f0057f37bdf299916576f15e1fa1b74c1ae97b39dac85182634f5d9
Instruction Fuzzy Hash: 1FF062714043849EE7158A1ADC84B66FFE8EF51624F18C45AED094A787C379AC44CAB1

Non-executed Functions

Function 0170DE4C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693806533.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f1550b868ee01306580437ac87c83ea3531902d360fd3bf6d9ec6227ba13f57
Instruction ID: 37c48df6c56ea5d5b859db71deff39e0c71318b0441f2e1b75957f70db1973a7
Opcode Fuzzy Hash: 6f1550b868ee01306580437ac87c83ea3531902d360fd3bf6d9ec6227ba13f57
Instruction Fuzzy Hash: C4A15D36A00315CFCF26DFA8C88459EFBF2FF98300B15456AE905AB299DB71E945CB40

Analysis Process: zIpa.exePID: 7920, Parent PID: 7736COMMON

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	23
Total number of Limit Nodes:	5

Executed Functions

Function 00D89BFB Relevance: 2.8, Instructions: 2753COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 757b59f6a97237072d7853885c231f6fbde1f2dafc548b657ecb573df465bb59
Instruction ID: 2af2b1197f38b94aa71aa2b4e2c0d12a244c10b05d2a0e07b68705197572a60a
Opcode Fuzzy Hash: 757b59f6a97237072d7853885c231f6fbde1f2dafc548b657ecb573df465bb59
Instruction Fuzzy Hash: AA53E831D10B1A8ADB11EF68C8945A9F7B1FF99300F15D79AE45877221EB70AAC4CF81

Function 00D83E80 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vel, xrefs: 00D840CB

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID: \Vel
API String ID: 0-2485161877
Opcode ID: 9b8aa3bd6ed219c2301831df5042baec6b4133a1c820c6c15e1bf3463f983f42
Instruction ID: 85ca0acd13de0bdcfcf2569b6e700d0f60ae836555a872d468a6469ad1046997
Opcode Fuzzy Hash: 9b8aa3bd6ed219c2301831df5042baec6b4133a1c820c6c15e1bf3463f983f42
Instruction Fuzzy Hash: AD917F70E0030A8FDF14DFA8C9957DEBBF2AF48704F188129E408A7254EB749985CBA1

Function 00D84A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a372496b95b8a49367f96203c27e18c5291bd60d78044b923fe83d96e28eee5
Instruction ID: 2449ce047564224b6a2d19f51e4672e9e4356b15b659b0ac979ee0e573218956
Opcode Fuzzy Hash: 5a372496b95b8a49367f96203c27e18c5291bd60d78044b923fe83d96e28eee5
Instruction Fuzzy Hash: DAB15E70E0020A8FDF10DFA9D8957ADBBF2AF88314F188529D819E7294EB74D845CB91

Function 00D84804 Relevance: 2.7, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vel, xrefs: 00D8487F
\Vel, xrefs: 00D849D2

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID: \Vel$\Vel
API String ID: 0-3334154659
Opcode ID: 7bfb990844196a0ef100f659ef24b86d385ab3b536a6f3062536fa9aa107edb7
Instruction ID: c7d0e212c2d3664798f23a89dd4f8596d3bce4eebf8408b135547515d5af2054
Opcode Fuzzy Hash: 7bfb990844196a0ef100f659ef24b86d385ab3b536a6f3062536fa9aa107edb7
Instruction Fuzzy Hash: 5D716D70E0024ADFDF14EFA9C9857DEBBF1AF48314F188129E414AB254EB749845CFA5

Function 00D84810 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vel, xrefs: 00D8487F
\Vel, xrefs: 00D849D2

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID: \Vel$\Vel
API String ID: 0-3334154659
Opcode ID: a3dc508e7ca859b6722f6ede1134748d2465c60552bb6da8855540a4e04a265a
Instruction ID: 177d929bc9c90d4df340ae699bdc1074c8ba9c383441d59bda5a1f8e5ae02a54
Opcode Fuzzy Hash: a3dc508e7ca859b6722f6ede1134748d2465c60552bb6da8855540a4e04a265a
Instruction Fuzzy Hash: F3718E70E0024ACFDB14EFA9C88579EBBF2BF48314F188129E415AB254EB749845CFA5

Function 05D3E161 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2918694977.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d30000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6585c3ed838b71eb3cb92fbf17f1cffd10637ca4acf582d6cdbf2fefab59b24
Instruction ID: 2f03f82af29ff28e4e1fb7376c7c903ca686a226312a5781f2f6aaf3511d6abb
Opcode Fuzzy Hash: b6585c3ed838b71eb3cb92fbf17f1cffd10637ca4acf582d6cdbf2fefab59b24
Instruction Fuzzy Hash: 8C411272E043959FDB14DFA9D8042AEBBF5EF89210F14856BD405F7391DB78A840CB90

Function 05D3E248 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(8B5504D9), ref: 05D3E2AF

Memory Dump Source

Source File: 00000004.00000002.2918694977.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d30000_zIpa.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 2eb363089afbefd9d5fc8b933af03ec06b574b4f4dec421df2a99d7a00621994
Instruction ID: 42f8b1f8e757b9c3f83bbe7aa421385059d91b97a91b87c77c46eca433954ab6
Opcode Fuzzy Hash: 2eb363089afbefd9d5fc8b933af03ec06b574b4f4dec421df2a99d7a00621994
Instruction Fuzzy Hash: BF11D0B1C0065A9BDB10DF9AC545BDEFBB4AB48320F14816AD818A7250D378A944CFA5

Function 00D8CF58 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

,buq, xrefs: 00D8D1C7

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID: ,buq
API String ID: 0-4122549453
Opcode ID: eb2ec748d0bd4cdc7c1c6df91e233c49ffdae0bd4266b650e9f57df72606e3dc
Instruction ID: b5524fc62bcb1af9b80a3815df5c1ba479407d733d07318f8cd31ea76d4a8fb5
Opcode Fuzzy Hash: eb2ec748d0bd4cdc7c1c6df91e233c49ffdae0bd4266b650e9f57df72606e3dc
Instruction Fuzzy Hash: 7D91C170B002159FDB14EF78C880A2EBBB6EF84710F258569E549DB2E5DB31EC42C7A5

Function 00D83E75 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

\Vel, xrefs: 00D840CB

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID: \Vel
API String ID: 0-2485161877
Opcode ID: 1f0b45f45ee4654897105a17718a2706965d3df4e9e3efa98564b67b7898d16f
Instruction ID: dad10fcde6879d14f227411441b78de4976b6edc27ea63d38848e89ff7d74a7b
Opcode Fuzzy Hash: 1f0b45f45ee4654897105a17718a2706965d3df4e9e3efa98564b67b7898d16f
Instruction Fuzzy Hash: 80916070E0030ADFDF10DFA8C9857DEBBF2AF58714F188129E419A7254DB749986CBA1

Function 00D8D06F Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

,buq, xrefs: 00D8D1C7

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID: ,buq
API String ID: 0-4122549453
Opcode ID: baa6c572847e0c06bf9c8ea114e351a21102d96bbacfb30faa67dcaff21657a1
Instruction ID: cdef3e8dea16ccb0d73c618dd58a37b1740827775f19b1d207056a2412848d84
Opcode Fuzzy Hash: baa6c572847e0c06bf9c8ea114e351a21102d96bbacfb30faa67dcaff21657a1
Instruction Fuzzy Hash: B9517071B00615AFD704DF28C880F2ABBB6BF84714F15C659E4459B2E9CB32EC42C7A5

Function 00D8F3B5 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00D8F503

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 9389a0c94a6627a022a73a014e1b434b52a410e08e793f80abb704463fe80755
Instruction ID: 6623857eda688ca5d15865eb153cab88a2ceca3e215eca0fa74ba5504b27ef60
Opcode Fuzzy Hash: 9389a0c94a6627a022a73a014e1b434b52a410e08e793f80abb704463fe80755
Instruction Fuzzy Hash: DB31EE307002058FDB05BB78D5942AF7BE2AB89300F244579D006DB395EE39DD46CBA1

Function 00D86F78 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00D86FA6

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: f865f09fce86507ea5b1209e1d925b4a35c83f7ce1a483ebb0ff0d61eae8f820
Instruction ID: 3fdb9ef6fd5f2b13c4f23649f82c8616271c42220ae8d4ca572639cd95d544a1
Opcode Fuzzy Hash: f865f09fce86507ea5b1209e1d925b4a35c83f7ce1a483ebb0ff0d61eae8f820
Instruction Fuzzy Hash: 0B31AF31E102099BDF14DFA8D44079EB7B2FF85314F24852AE905EB240EB71EC46CBA1

Function 00D86F73 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00D86FA6

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 16c5b28ca263956fb079497e457856a8120d6d113a71bbde5e844150d7e6cfa4
Instruction ID: d494bc5fa1487f8d312bf5c39f814eacf1e21788040af3d90f49655de7aba985
Opcode Fuzzy Hash: 16c5b28ca263956fb079497e457856a8120d6d113a71bbde5e844150d7e6cfa4
Instruction Fuzzy Hash: 7E318B30E102099BDF14DFA9D854B9EB7B2FF85314F248429E905EB240EB71EC46CB61

Function 00D86BAB Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00D86BD7

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: e8052e660f80c5cec20fbde2cfc717e3ceb3a148f3af834b94cf3abc4f29c9c6
Instruction ID: dc02191956ed485fb1c79ff1c97a14c59ac241b0965dfc32f8582e0032b8a37a
Opcode Fuzzy Hash: e8052e660f80c5cec20fbde2cfc717e3ceb3a148f3af834b94cf3abc4f29c9c6
Instruction Fuzzy Hash: FD110830705240AFC706AB78905565E7FE6EFC6714F1488AED149CB353DA3598468396

Function 00D8790B Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df604b7c568a7249a3b121bcc0210dc19dfe471cda9d946dbeb0abebedea7f13
Instruction ID: b2e8ec2a2eddda0880ce2f6b1ba9003a6e701c8621a34fa1cc35aa4526073b42
Opcode Fuzzy Hash: df604b7c568a7249a3b121bcc0210dc19dfe471cda9d946dbeb0abebedea7f13
Instruction Fuzzy Hash: 0F126B31B012028FDF16AB38E44572D73A2EBC9354B248D39E005CB765DF76ECA69B91

Function 00D89364 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: effe20ac7fa10bb01bac4e7291583644a13d1ac6306bcf62e151ce3e18686782
Instruction ID: 5e954559842791163001ba00d3a548ef74e72b1a186eb54b1284db5b807cd916
Opcode Fuzzy Hash: effe20ac7fa10bb01bac4e7291583644a13d1ac6306bcf62e151ce3e18686782
Instruction Fuzzy Hash: 12B16F34B002049FCB14EFA8D5A4AADB7F6EF88310F288565E946E7365DB35DD42CB50

Function 00D896E0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d51531e523a80fa312796d1ac73cd4d9ad320f584578c5353d0bf140680b1d57
Instruction ID: f4c7894d8eb5a82586109b0679b7eed2f3041eca57eb70cfd79da5bcd917e4bd
Opcode Fuzzy Hash: d51531e523a80fa312796d1ac73cd4d9ad320f584578c5353d0bf140680b1d57
Instruction Fuzzy Hash: 45A1CF70A002058FDF14EF68D8907AEFBB6EB85310F28856AE949DB395D734DC45CBA1

Function 00D84A8D Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef2d45e4bc4c43cf295380c617879c4f7191e8222a5a35d2228f7a83ba1bc0c0
Instruction ID: e49c2402cf29ca376c5031448da33986b6d5a9e7096c864249ff095d02ae565b
Opcode Fuzzy Hash: ef2d45e4bc4c43cf295380c617879c4f7191e8222a5a35d2228f7a83ba1bc0c0
Instruction Fuzzy Hash: 46B14D70E0021A8FDF10EFA9D9957DDBBF1BF48314F288529D818E7254EB749885CBA1

Function 00D86CE3 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd0ab21036e8d1e0721deb3b4ad9b9bb39d3e4d7e2d901534b6197d98bc4bcf
Instruction ID: 957747be914577e392b155bc3e0ce4e0ab083e9a89a2aeacbc73b2427eb405f0
Opcode Fuzzy Hash: 8fd0ab21036e8d1e0721deb3b4ad9b9bb39d3e4d7e2d901534b6197d98bc4bcf
Instruction Fuzzy Hash: 85510374E002188FDB14DFA9C884BADBBB1BF48714F148129E819BB391D774A845CFA5

Function 00D86CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f0d95b910319b25f325809e15ec7a6aa383579818fe76b63f4eea5ad3b13af
Instruction ID: 1afbcf0a0fab419d6daacfbbf5970a0fbaf8dcde84d89bd661985dccd200c8f4
Opcode Fuzzy Hash: 24f0d95b910319b25f325809e15ec7a6aa383579818fe76b63f4eea5ad3b13af
Instruction Fuzzy Hash: DE512574E002188FDB14DFA9C884B9DBBF1BF48714F188519E819BB391D774A845CFA5

Function 00D81128 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8677891dc559831990352a4be806f2842122e7fe983ca6ee250d0ed14750bd1e
Instruction ID: 966fb9048208e103070e3a0c1a8e7fe800424ee44cf836c2fcf0c16f46a24bfe
Opcode Fuzzy Hash: 8677891dc559831990352a4be806f2842122e7fe983ca6ee250d0ed14750bd1e
Instruction Fuzzy Hash: CC51DC312461418FC70AFB78FD90F5A7BB6EB9A304344CA69D0144B33EF7686989CB60

Function 00D81138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef91f938a4cb9904ab2dd2410aede377a14e80c3d5f5b722ee7175acbe8b306
Instruction ID: 7b9c66a07a968afc9c2e5b7c6ff80aa9656458ecdfada26ef3717ad2caf04331
Opcode Fuzzy Hash: 7ef91f938a4cb9904ab2dd2410aede377a14e80c3d5f5b722ee7175acbe8b306
Instruction Fuzzy Hash: 2F51AB312521418FC70AFB78FD90F4A7BB6EB9A304745C969D0144733EEB686989CBA0

Function 00D817C3 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ce933889b65fe533e35a0386fe11573322fb1cce7decf7f6957c3c1d452793
Instruction ID: 9ea03436ceb3fb98f13cc76261b216d15aefbac8cbed818e1ba34bf5a299d484
Opcode Fuzzy Hash: 85ce933889b65fe533e35a0386fe11573322fb1cce7decf7f6957c3c1d452793
Instruction Fuzzy Hash: CA31B579A012118FDF11BB78EC48B5E77B9EB49310F148A65E40AC7355EB34CC4B87A2

Function 00D82844 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c148d7556edd8d1b0311a70a7c90d4316469cc8e9f429fb5e511724b5fb2b130
Instruction ID: 8e667ca4a71bd71b5fc0eab6aff6b8ed082ac0d49e3d61963cd6eb6d304a6041
Opcode Fuzzy Hash: c148d7556edd8d1b0311a70a7c90d4316469cc8e9f429fb5e511724b5fb2b130
Instruction Fuzzy Hash: E331BCB490024DEFDF11EFA9D884AEDBFB0EF05314F148159E455AB264DB31584ACBA1

Function 00D826DF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41166cb86e2f8720b0cab82a017ec3216a545a7f99db31d7bb93ed7423c660e6
Instruction ID: f9cc508fead4e2b0657c32c7fe5949a00e717c3f77b7bc0a0debf521c50c8afe
Opcode Fuzzy Hash: 41166cb86e2f8720b0cab82a017ec3216a545a7f99db31d7bb93ed7423c660e6
Instruction Fuzzy Hash: 9241E3B0D00249DFDB10DFA9C984AEEBFB5FF48314F148429E409AB254DB75A945CB90

Function 00D8F288 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b4217c1d7eb072abf18cd49dcb954d5d31b9a72be35c2dff6cbce1e9328774
Instruction ID: 01d4d12f192b26bcafc8c96e7cc82be74affbbb0f9d6842ba732fa891d7dd2ce
Opcode Fuzzy Hash: 19b4217c1d7eb072abf18cd49dcb954d5d31b9a72be35c2dff6cbce1e9328774
Instruction Fuzzy Hash: 04312935E0060A9BDB19DFA5D854A9EB7F2EF89304F148929E80AE7354DB70AC46CB50

Function 00D8F284 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934aa5362572bc13f792585cb76da5ac1eb779f92a5a26452571b5400ba673ef
Instruction ID: 71d61e155a39eafa41af5a2344babe05e6ce8f8ae047665a68b27007468c0694
Opcode Fuzzy Hash: 934aa5362572bc13f792585cb76da5ac1eb779f92a5a26452571b5400ba673ef
Instruction Fuzzy Hash: 53312935E0060A9BDB19DFA5D454A9EB7F2EF89304F148929E80AE7354DB70EC46CB90

Function 00D826E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a752deb57ba64e198f0499f3a1ec092a4c0e6607dc857f93011c30ae66a01af
Instruction ID: 67a5040541f79bd9175010d23d2892c2f04bb965688178130546125097bbc90a
Opcode Fuzzy Hash: 4a752deb57ba64e198f0499f3a1ec092a4c0e6607dc857f93011c30ae66a01af
Instruction Fuzzy Hash: 2741C0B0D002499FDB10DFA9C984ADEBFB5FF48314F14842AE419AB254DB75A945CB90

Function 00D8137F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b3149d364759ae04dc0e95305d31613061ba0d6eacd32ed2f1953e37455bf5
Instruction ID: 1c3e80c617bf7c7df6ff72e2b533f11160076dffd56f1e673958916c49358039
Opcode Fuzzy Hash: b3b3149d364759ae04dc0e95305d31613061ba0d6eacd32ed2f1953e37455bf5
Instruction Fuzzy Hash: 35319178A412108FEF25B638E488B6D3769EB57314F188929E10AC7355D629DC8F8762

Function 00D8924F Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d7e56e0213092b137fff5c9d65613a61101383bf3f8c63f4fec19cb7979f0c
Instruction ID: a2789668233a302aa29531447ee81591ad5036ce1fe07e60db04eafd8b52c09c
Opcode Fuzzy Hash: a3d7e56e0213092b137fff5c9d65613a61101383bf3f8c63f4fec19cb7979f0c
Instruction Fuzzy Hash: C2314D71E1020AABDB05DFA4D8A47EEF7B6FF89300F588615E409AB354DB709D46CB90

Function 00D816A3 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efbb6fdce22de9b53c22233896a64cd3ac21bc3fedce80acccd299704313929c
Instruction ID: d1c4fd66218a039f64467c87befb4eec107ad55b793194b1f8e9a863a11112c6
Opcode Fuzzy Hash: efbb6fdce22de9b53c22233896a64cd3ac21bc3fedce80acccd299704313929c
Instruction Fuzzy Hash: F0319678A001019FEB12FB34E885B993779EB55314F198A65D04AC7259F734DC8B8BB2

Function 00D89260 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2667baf354003aa096b1d281949e1a8b7c651ef11b2065c53f924fb96dc56c59
Instruction ID: 350b0417daa4cf0c626ba3e0037d2f1f3a6a7b2b115ef6ffcfc13a1a44d7de85
Opcode Fuzzy Hash: 2667baf354003aa096b1d281949e1a8b7c651ef11b2065c53f924fb96dc56c59
Instruction Fuzzy Hash: EA213C31E0020AABDF05DFA5D8546AEF7B6FF89304F588619E805EB354DB70AC46CB90

Function 00CAD005 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2914851299.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cad000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9770765758996f24bbfad1e70fc89070e3f2c4d8faa654440ed442ea86d290f3
Instruction ID: 4554dc45a5048d54c63ca3a152876d1473ce0678c733115a5ad65ec5b8123c97
Opcode Fuzzy Hash: 9770765758996f24bbfad1e70fc89070e3f2c4d8faa654440ed442ea86d290f3
Instruction Fuzzy Hash: 07315E7550D3C49FC7138B24C990711BF71AB57218F29C5DBD98A8F6A3C23A980ACB62

Function 00D89150 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1b2052b0c94a6f1584af65d8ba7e19e79e80195089d6bfdde5ce240f244409
Instruction ID: 54d239c487f0c208b5fb12d7e7c415f31201e8c2c191c1fe5da2ac03875a17db
Opcode Fuzzy Hash: 6a1b2052b0c94a6f1584af65d8ba7e19e79e80195089d6bfdde5ce240f244409
Instruction Fuzzy Hash: 3721A931E0420A9BDB04DFA4D4546EEF7B2AF49304F18851AE855FB340DB70ED46CB60

Function 00D89A3B Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999c0319803840a5578eaf8a349d7a5727eeb58241ea88b81716c93246066c4a
Instruction ID: 70f4abb5c0bfe07a38c629b316fb548a8c32b4e87534c2437b363f66ffaa6ffd
Opcode Fuzzy Hash: 999c0319803840a5578eaf8a349d7a5727eeb58241ea88b81716c93246066c4a
Instruction Fuzzy Hash: 4521C871B002048FDB18EF69C9A4BBEBBF5EF88710F288125E545EB3A4DA71DD048760

Function 00D84F89 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f39417d921deb163ecbbc1b3d2a9f2bd3eb2a6029f643c40931d43ecd885bbef
Instruction ID: c1a7a036095140f34832bf2e9912b937b0865a98ac2022d3ffbbbb1cf5864942
Opcode Fuzzy Hash: f39417d921deb163ecbbc1b3d2a9f2bd3eb2a6029f643c40931d43ecd885bbef
Instruction Fuzzy Hash: 8B212834600205CFDB14EB68D959B9E77F1EF89314F204468E506EB365EB76DD02CBA0

Function 00CAD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2914851299.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_cad000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd44c8aec1485f0f3bd7d01a8f48eec7d2e00e7a47131b91dcd5fcc8fbae9613
Instruction ID: 0550860e328399ad4bc3878d842f17b92c759d6477e4f25b9e4a2cf708c143f1
Opcode Fuzzy Hash: fd44c8aec1485f0f3bd7d01a8f48eec7d2e00e7a47131b91dcd5fcc8fbae9613
Instruction Fuzzy Hash: 4B213471504201DFCB10DF14D9C0B26BBA5FB85318F20C56DD84B4B696C33AD847CA62

Function 00D8148B Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa212f55b252f39b18cd81463d5101fa5e123bf5a03f7d95c7689b25d65f82e2
Instruction ID: ae4a1bf5b56535c93a6b9107fc4e162598a50cd534560067cda10b19afeb1513
Opcode Fuzzy Hash: aa212f55b252f39b18cd81463d5101fa5e123bf5a03f7d95c7689b25d65f82e2
Instruction Fuzzy Hash: AE21A275A012148FDF31FFBC94913AD7BA8EB45311F2944BAD445E7202D635D88B87B1

Function 00D89160 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6df3e0844f72f9907da3b94b01524d0b81edd889664b7b35556f6653481b464
Instruction ID: 3f8e5dc4be3a079642bf7f4b45872998ae09a2590b5f655b29fec63b65c69b58
Opcode Fuzzy Hash: f6df3e0844f72f9907da3b94b01524d0b81edd889664b7b35556f6653481b464
Instruction Fuzzy Hash: B6215331E0420A9BDB09DFA4D854AAEF7B2AF89304F18851AE855F7340DB70AD46CB60

Function 00D81888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ea54d163b35e1b327fd3ad3ea504ad6787e2b6b77623dcb007f8ebaa7ec230
Instruction ID: e3ce5757735c30e3b74190bf501a32a834646b1d69c0f943ebd91150f962b02e
Opcode Fuzzy Hash: c5ea54d163b35e1b327fd3ad3ea504ad6787e2b6b77623dcb007f8ebaa7ec230
Instruction Fuzzy Hash: 28212A34B00205CFDB14FB64C5657AE77FAAB49300F240468D506EB364EB369D4ACBB5

Function 00D8187B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c00fa05c6e3e07a010570089615b7c3194addacba53b389e08f4488df57f42b
Instruction ID: 19978f85d1fe75a345136ca1a787a21801e0061864a282e760c1c45318ab6e49
Opcode Fuzzy Hash: 6c00fa05c6e3e07a010570089615b7c3194addacba53b389e08f4488df57f42b
Instruction Fuzzy Hash: 0A215C34B00205CFDB24FB64C565BAE37B5AF49304F2404A8D106EB391EB368D4ACB75

Function 00D816B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d68c5c6e6a04a98134d253699f91f4ce8d6254704ef885554d4d366441f3df
Instruction ID: 1f513ce52746a62f6e48bdbca7a13a2e53b6234bd1c9b38c3f7c746690955fa6
Opcode Fuzzy Hash: 61d68c5c6e6a04a98134d253699f91f4ce8d6254704ef885554d4d366441f3df
Instruction Fuzzy Hash: ED2133386401019FEB12FB38E884F597779EB55314F148A25D00AC7369FB78DCCA8BA2

Function 00D84F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53edcbdfc570cfff6bb36c8820ec1b032e27188e6b5c5425d42dc4b68b99b26f
Instruction ID: c98bfbe4049c02cbe9d6bac437ac913f9c4b1951354dca76b1ebac5db16942f5
Opcode Fuzzy Hash: 53edcbdfc570cfff6bb36c8820ec1b032e27188e6b5c5425d42dc4b68b99b26f
Instruction Fuzzy Hash: 6321E434600205CFDB54EB78E959BAE77F1AF89304F204568E506EB3A5EB369D00CBA1

Function 00D80848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a697e71625e10e4c7db793072b840208f4c982b6350c24e8a013eb883a45b961
Instruction ID: 92ea2899d2bf8b6a4463689eb1b759729203fe1a143a229cb437cfec5b5b1d37
Opcode Fuzzy Hash: a697e71625e10e4c7db793072b840208f4c982b6350c24e8a013eb883a45b961
Instruction Fuzzy Hash: F7119130B012049FEFA47A79D41472E7AB5EB86314F24893AE006CB355EA65DDC98BE1

Function 00D80847 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08db8c444384b698910a0977ceecbf3029ebc58d60e12d6f4225e29aeccb176
Instruction ID: 51d9401a6631553caba6e92e2f63dd9126333923dbff934a539e2549d7783963
Opcode Fuzzy Hash: d08db8c444384b698910a0977ceecbf3029ebc58d60e12d6f4225e29aeccb176
Instruction Fuzzy Hash: C8110430B012009FEFA57674941077E3AB1EB86310F288A3AD002CB341EA64CDC98FE1

Function 00D81498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf607d51ddb3b25263a28a3d650fc6368916f24f5a556de118844141973ce425
Instruction ID: f1a9a9291f97b12ffcbb9e476cde6d47444228e0070ab305ca1b59c2a62a0bd1
Opcode Fuzzy Hash: cf607d51ddb3b25263a28a3d650fc6368916f24f5a556de118844141973ce425
Instruction Fuzzy Hash: 0A018035A012158FCF21FFB884511AEBBF9EF48310B2544BAE805E7301E735E8468BB1

Function 00D89898 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e9efa649d74bb3d842fa6e8de00dc45d5b0971ec5ced97f8aa98e4778f9310
Instruction ID: b1fda6f529192344cd3efaf78fc3e90a849749dae76862eff7b651c85086caac
Opcode Fuzzy Hash: b0e9efa649d74bb3d842fa6e8de00dc45d5b0971ec5ced97f8aa98e4778f9310
Instruction Fuzzy Hash: 3211C431A002048FDB05EF64D98435DBBA2FF84310F6881B5C98C5F2AADB70DD49CBA0

Function 00D840FF Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f27961e055a97411304a1242f1a9c5e53b664dbb7e15955482df6be6e15ae1a
Instruction ID: 721336c9e67a9b25793c53da1349801b91095d9d2e1c535f0cebbfb8530d7ca8
Opcode Fuzzy Hash: 4f27961e055a97411304a1242f1a9c5e53b664dbb7e15955482df6be6e15ae1a
Instruction Fuzzy Hash: 2911B730E1030ADEDF24EB94E99E7ECB7B2AF65319F18142AD011A21959B3448C9CB21

Function 00D880F1 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b1888449a5e2e716f85e42f051ed227e91f11ea8ed816b4aa40b32764ed274b
Instruction ID: 2664caeb8d7b39f5e64388c22a4bd7493761282bb82e9d606eaf2378b0725f19
Opcode Fuzzy Hash: 1b1888449a5e2e716f85e42f051ed227e91f11ea8ed816b4aa40b32764ed274b
Instruction Fuzzy Hash: 9F016730940249AFEF06FBB8E951E9DBBB5EF40304F108679C508DB259EF356E4A8791

Function 00D81524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85438f237f8722b0d6eb073ba96d433d46ebc7dbbef95070c4bbf92004081320
Instruction ID: c2c130c981d2c6e5566a6f81e37e90a4862eb6c3f3a9b2f81dc7cc9b7a0b5678
Opcode Fuzzy Hash: 85438f237f8722b0d6eb073ba96d433d46ebc7dbbef95070c4bbf92004081320
Instruction Fuzzy Hash: 2EF02B7BA04110CFDB22ABA894911ACBF78EE9432171D40E7D846DB252D231D84BC731

Function 00D87090 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8a028617784568e51b92f9cb1c1dc16a4a9830e5aa667f71655f7d366ec538
Instruction ID: 075cd5ae1b429b15ade60fa1636ecd0a46d6682adda3f7b62e9c4116f10c3fa5
Opcode Fuzzy Hash: 1a8a028617784568e51b92f9cb1c1dc16a4a9830e5aa667f71655f7d366ec538
Instruction Fuzzy Hash: D7F01435B402188FC714EB64D598B6D77B2EF88315F1084A8E50ACB3A0DB35AD02CB41

Function 00D88100 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915110019.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d80000_zIpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f619981fc418b2bb64fa6a66bc4bb1a841d5b2680a8fde8c0c5b3937d35adabf
Instruction ID: f105374685dd13483c5b9e690d9fada7bd7c85a82eea6cf109d51e2563c706e5
Opcode Fuzzy Hash: f619981fc418b2bb64fa6a66bc4bb1a841d5b2680a8fde8c0c5b3937d35adabf
Instruction Fuzzy Hash: 57F03134900109AFEB05FFB8E941E9DB7B5EF40304F108679C00897259EB356E498B91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report zIpa.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zIpa.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_24dg2lof.tgz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nyrpu4ve.rqs.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qw4jqknp.3pk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rxwpmznj.opy.ps1

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
zIpa.exe

Function 0170D553 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0170D558 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0170B190 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Function 0170590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 0170449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0170D798 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0170D7A0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 0170B428 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 0170BA10 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Function 0170B390 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre